RT#29354: Password Security in Email [customer fields, images, js files]

[freeside.git] / fs_selfservice / FS-SelfService / cgi / selfservice.cgi

diff --git a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
index 4ccf1de..aff9bca 100755 (executable)
--- a/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
+++ b/fs_selfservice/FS-SelfService/cgi/selfservice.cgi
@@ -1,7 +1,7 @@
 #!/usr/bin/perl -w
 
 use strict;
-use vars qw($DEBUG $cgi $session_id $form_max $template_dir);
+use vars qw($DEBUG $cgi $session_id $pw_session_id $form_max $template_dir);
 use subs qw(do_template);
 use CGI;
 use CGI::Carp qw(fatalsToBrowser);
@@ -15,7 +15,7 @@ use FS::SelfService qw(
   access_info login_info login customer_info edit_info invoice
   payment_info process_payment realtime_collect process_prepay
   list_pkgs order_pkg signup_info order_recharge
-  part_svc_info provision_acct provision_external provision_phone
+  part_svc_info provision_acct provision_external provision_phone provision_forward
   unprovision_svc change_pkg suspend_pkg domainselector
   list_svcs list_svc_usage list_cdr_usage list_support_usage
   myaccount_passwd list_invoices create_ticket get_ticket did_report
@@ -23,6 +23,8 @@ use FS::SelfService qw(
   mason_comp port_graph
   start_thirdparty finish_thirdparty
   reset_passwd check_reset_passwd process_reset_passwd
+  validate_passwd
+  billing_history
 );
 
 $template_dir = '.';
@@ -70,6 +72,7 @@ my @actions = ( qw(
   process_svc_acct
   process_svc_phone
   process_svc_external
+  process_svc_forward
   delete_svc
   view_usage
   view_usage_details
@@ -81,6 +84,9 @@ my @actions = ( qw(
   process_change_password
   customer_suspend_pkg
   process_suspend_pkg
+  switch_cust
+  history
+  validate_password
 ));
 
 my @nologin_actions = (qw(
@@ -89,6 +95,7 @@ my @nologin_actions = (qw(
   process_forgot_password
   do_process_forgot_password
   process_forgot_password_session
+  validate_password_nologin
 ));
 push @actions, @nologin_actions;
 my %nologin_actions = map { $_=>1 } @nologin_actions;
@@ -97,7 +104,7 @@ my $action = 'myaccount'; # sensible default
 
 if ( $cgi->param('action') =~ /^process_forgot_password_session_(\w+)$/ ) {
   $action = 'process_forgot_password_session';
-  $session_id = $1;
+  $pw_session_id = $1;
 } elsif ( $cgi->param('action') =~ /^(\w+)$/ ) {
   if (grep {$_ eq $1} @actions) {
     $action = $1;
@@ -105,7 +112,6 @@ if ( $cgi->param('action') =~ /^process_forgot_password_session_(\w+)$/ ) {
     warn "WARNING: unrecognized action '$1'\n";
   }
 }
-
 unless ( $nologin_actions{$action} ) {
 
   my %cookies = CGI::Cookie->fetch;
@@ -204,6 +210,12 @@ unless ( $nologin_actions{$action} ) {
 
   # at this point $session_id is a real session
 
+  if ( ! $login_rv->{'custnum'} && ! $login_rv->{'svcnum'} && $login_rv->{'customers'} ) {
+    #select a customer if we're a multi-contact customer
+    do_template('select_cust', { %$login_rv } );
+    exit;
+  }
+
 }
 
 warn "calling $action sub\n"
@@ -212,6 +224,7 @@ $FS::SelfService::DEBUG = $DEBUG;
 my $result = eval "&$action();";
 die $@ if $@;
 
+use Data::Dumper;
 warn Dumper($result) if $DEBUG;
 
 if ( $result->{error} && ( $result->{error} eq "Can't resume session"
@@ -237,7 +250,13 @@ do_template($action, {
 
 #--
 
-use Data::Dumper;
+sub switch_cust {
+  $action = 'myaccount';
+  FS::SelfService::switch_cust( 'session_id' => $session_id,
+                                'custnum'    => scalar($cgi->param('custnum')),
+                              );
+}
+
 sub myaccount { 
   customer_info( 'session_id' => $session_id ); 
 }
@@ -338,6 +357,10 @@ sub invoices {
   list_invoices( 'session_id' => $session_id, );
 }
 
+sub history {
+  billing_history( 'session_id' => $session_id, );
+}
+
 sub tktcreate {
   my $customer_info = customer_info( 'session_id' => $session_id );
   return $customer_info if ( $customer_info->{'error'} );
@@ -562,10 +585,15 @@ sub make_payment {
 
   my $payment_info = payment_info( 'session_id' => $session_id );
 
+  my $amount = 
+    ($payment_info->{'balance'} && ($payment_info->{'balance'} > 0))
+    ? $payment_info->{'balance'}
+    : '';
+
   my $tr_amount_fee = mason_comp(
     'session_id' => $session_id,
     'comp'       => '/elements/tr-amount_fee.html',
-    'args'       => [ 'amount' => $payment_info->{'balance'},
+    'args'       => [ 'amount' => $amount,
                     ],
   );
 
@@ -847,7 +875,7 @@ sub provision_svc {
 
   my $result = part_svc_info(
     'session_id' => $session_id,
-    map { $_ => $cgi->param($_) } qw( pkgnum svcpart svcnum ),
+    map { $_ => ($cgi->param($_) || '') } qw( pkgnum svcpart svcnum ),
   );
   die $result->{'error'} if exists $result->{'error'} && $result->{'error'};
 
@@ -933,6 +961,33 @@ sub process_svc_external {
   );
 }
 
+sub process_svc_forward {
+
+  my $result = provision_forward (
+    'session_id' => $session_id,
+    map { $_ => $cgi->param($_) || '' } qw(
+      pkgnum svcpart srcsvc src dstsvc dst )
+  );
+
+  if ( exists $result->{'error'} && $result->{'error'} ) { 
+    #warn "$result $result->{'error'}"; 
+    $action = 'provision_svc_forward';
+    return {
+      $cgi->Vars,
+      %{ part_svc_info( 'session_id' => $session_id,
+                        map { $_ => $cgi->param($_) } qw( svcnum pkgnum svcpart )
+                      )
+      },
+      'error' => $result->{'error'},
+    };
+  } else {
+    #just go to setup services page, results will be visible there
+    $action = 'provision';
+    return provision();
+  }
+
+}
+
 sub delete_svc {
   unprovision_svc(
     'session_id' => $session_id,
@@ -943,7 +998,7 @@ sub delete_svc {
 sub view_usage {
   my $res = list_svcs(
     'session_id'  => $session_id,
-    'svcdb'       => [ 'svc_acct', 'svc_phone', 'svc_port', ],
+    'svcdb'       => [ 'svc_acct', 'svc_phone', 'svc_port', 'svc_pbx' ],
     'ncancelled'  => 1,
   );
   if ($res->{hide_usage}) {
@@ -1057,8 +1112,9 @@ sub process_forgot_password {
 }
 
 sub process_forgot_password_session {
+  $action = 'process_forgot_password';
   check_reset_passwd(
-    'session_id' => $session_id,
+    'session_id' => $pw_session_id,
   );
 }
 
@@ -1069,6 +1125,22 @@ sub do_process_forgot_password {
   );
 }
 
+sub validate_password {
+  validate_passwd(
+    'session_id' => $session_id,
+    map { $_ => scalar($cgi->param($_)) }
+      qw( fieldid svcnum check_password )
+  )
+}
+
+sub validate_password_nologin {
+  $action = 'validate_password'; #use same landing page
+  validate_passwd(
+    map { $_ => scalar($cgi->param($_)) }
+      qw( fieldid check_password )
+  )
+}
+
 #--
 
 sub do_template {
@@ -1142,7 +1214,7 @@ package FS::SelfService::_selfservicecgi;
 
 use HTML::Entities;
 use FS::SelfService qw(
-    regionselector popselector domainselector location_form didselector
+    regionselector popselector domainselector location_form didselector mason_comp
 );
 
 #false laziness w/agent.cgi