Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
final class PhortuneMerchantViewController
|
|
|
|
extends PhortuneMerchantController {
|
|
|
|
|
|
|
|
private $id;
|
|
|
|
|
|
|
|
public function willProcessRequest(array $data) {
|
|
|
|
$this->id = $data['id'];
|
|
|
|
}
|
|
|
|
|
|
|
|
public function processRequest() {
|
|
|
|
$request = $this->getRequest();
|
|
|
|
$viewer = $request->getUser();
|
|
|
|
|
|
|
|
$merchant = id(new PhortuneMerchantQuery())
|
|
|
|
->setViewer($viewer)
|
|
|
|
->withIDs(array($this->id))
|
|
|
|
->executeOne();
|
|
|
|
if (!$merchant) {
|
|
|
|
return new Aphront404Response();
|
|
|
|
}
|
|
|
|
|
|
|
|
$crumbs = $this->buildApplicationCrumbs();
|
2014-10-07 23:41:41 +02:00
|
|
|
$crumbs->addTextCrumb($merchant->getName());
|
Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
|
|
|
|
$title = pht(
|
|
|
|
'Merchant %d %s',
|
|
|
|
$merchant->getID(),
|
|
|
|
$merchant->getName());
|
|
|
|
|
|
|
|
$header = id(new PHUIHeaderView())
|
|
|
|
->setObjectName(pht('Merchant %d', $merchant->getID()))
|
|
|
|
->setHeader($merchant->getName())
|
|
|
|
->setUser($viewer)
|
|
|
|
->setPolicyObject($merchant);
|
|
|
|
|
2014-10-08 17:31:24 +02:00
|
|
|
$providers = id(new PhortunePaymentProviderConfigQuery())
|
|
|
|
->setViewer($viewer)
|
|
|
|
->withMerchantPHIDs(array($merchant->getPHID()))
|
|
|
|
->execute();
|
|
|
|
|
|
|
|
$properties = $this->buildPropertyListView($merchant, $providers);
|
Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
$actions = $this->buildActionListView($merchant);
|
|
|
|
$properties->setActionList($actions);
|
|
|
|
|
2014-10-08 17:31:24 +02:00
|
|
|
$provider_list = $this->buildProviderList(
|
|
|
|
$merchant,
|
|
|
|
$providers);
|
2014-10-07 23:41:41 +02:00
|
|
|
|
Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
$box = id(new PHUIObjectBoxView())
|
|
|
|
->setHeader($header)
|
|
|
|
->appendChild($properties);
|
|
|
|
|
Transactions - deploy buildTransactionTimeline to remaining applications
Summary:
Ref T4712. Specifically...
- Differential
- needed getApplicationTransactionViewObject() implemented
- Audit
- needed getApplicationTransactionViewObject() implemented
- Repository
- one object needed PhabricatorApplicationTransactionInterface implemented
- setShouldTerminate(true)
- Ponder
- BONUS BUG FIX - leaving a comment on an answer had a bad redirect URI
- both PonderQuestion and PonderAnswer needed PhabricatorApplicationTransactionInterface implemented
- setShouldTerminate(true) on both "history" controllers
- left a "TODO" on buildAnswers on the question view controller, which is non-standard and should be re-written eventually
- Phortune
- BONUS BUG FIX - fix new user "createNewAccount" code to not fatal
- PhortuneAccount, PhortuneMerchant, and PhortuneCart needed PhabricatorApplicationTransactionInterface implemented
- setShouldTerminate(true) on Account view, merchant view, and cart view controller
- Fund
- Legalpad
- Nuance
- NuanceSource needed PhabricatorApplicationTransactionInterface implemented
- Releeph (this product is kind of a mess...)
- HACKQUEST - had to manually create an arcanist project to even be able to make a "product" and get started...!
- BONUS BUG FIX - make sure to "setName" on product edit
- ReleephProject (should be ReleepProduct...?), ReleephBranch, and ReleepRequest needed PhabricatorApplicationTransactionInterface implemented
- Harbormaster
- HarbormasterBuildable, HarbormasterBuild, HarbormasterBuildPlan, and HarbormasterBuildStep all needed PhabricatorApplicationTransactionInterface implemented
- setShouldTerminate(true) all over the place
Test Plan: foreach application, viewed the timeline(s) and made sure they still rendered
Reviewers: epriestley
Reviewed By: epriestley
Subscribers: Korvin, epriestley
Maniphest Tasks: T4712
Differential Revision: https://secure.phabricator.com/D10925
2014-12-04 00:35:47 +01:00
|
|
|
$timeline = $this->buildTransactionTimeline(
|
|
|
|
$merchant,
|
|
|
|
new PhortuneMerchantTransactionQuery());
|
|
|
|
$timeline->setShouldTerminate(true);
|
Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
|
|
|
|
return $this->buildApplicationPage(
|
|
|
|
array(
|
|
|
|
$crumbs,
|
|
|
|
$box,
|
2014-10-08 17:31:24 +02:00
|
|
|
$provider_list,
|
Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
$timeline,
|
|
|
|
),
|
|
|
|
array(
|
|
|
|
'title' => $title,
|
|
|
|
));
|
|
|
|
}
|
|
|
|
|
2014-10-08 17:31:24 +02:00
|
|
|
private function buildPropertyListView(
|
|
|
|
PhortuneMerchant $merchant,
|
|
|
|
array $providers) {
|
|
|
|
|
Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
$viewer = $this->getRequest()->getUser();
|
|
|
|
|
|
|
|
$view = id(new PHUIPropertyListView())
|
|
|
|
->setUser($viewer)
|
|
|
|
->setObject($merchant);
|
|
|
|
|
2014-10-08 17:31:24 +02:00
|
|
|
$status_view = new PHUIStatusListView();
|
|
|
|
|
|
|
|
$have_any = false;
|
|
|
|
$any_test = false;
|
|
|
|
foreach ($providers as $provider_config) {
|
|
|
|
$provider = $provider_config->buildProvider();
|
|
|
|
if ($provider->isEnabled()) {
|
|
|
|
$have_any = true;
|
|
|
|
}
|
|
|
|
if (!$provider->isAcceptingLivePayments()) {
|
|
|
|
$any_test = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($have_any) {
|
|
|
|
$status_view->addItem(
|
|
|
|
id(new PHUIStatusItemView())
|
|
|
|
->setIcon(PHUIStatusItemView::ICON_ACCEPT, 'green')
|
|
|
|
->setTarget(pht('Accepts Payments'))
|
|
|
|
->setNote(pht('This merchant can accept payments.')));
|
|
|
|
|
|
|
|
if ($any_test) {
|
|
|
|
$status_view->addItem(
|
|
|
|
id(new PHUIStatusItemView())
|
|
|
|
->setIcon(PHUIStatusItemView::ICON_WARNING, 'yellow')
|
|
|
|
->setTarget(pht('Test Mode'))
|
|
|
|
->setNote(pht('This merchant is accepting test payments.')));
|
|
|
|
} else {
|
|
|
|
$status_view->addItem(
|
|
|
|
id(new PHUIStatusItemView())
|
|
|
|
->setIcon(PHUIStatusItemView::ICON_ACCEPT, 'green')
|
|
|
|
->setTarget(pht('Live Mode'))
|
|
|
|
->setNote(pht('This merchant is accepting live payments.')));
|
|
|
|
}
|
|
|
|
} else if ($providers) {
|
|
|
|
$status_view->addItem(
|
|
|
|
id(new PHUIStatusItemView())
|
|
|
|
->setIcon(PHUIStatusItemView::ICON_REJECT, 'red')
|
|
|
|
->setTarget(pht('No Enabled Providers'))
|
|
|
|
->setNote(
|
|
|
|
pht(
|
|
|
|
'All of the payment providers for this merchant are '.
|
|
|
|
'disabled.')));
|
|
|
|
} else {
|
|
|
|
$status_view->addItem(
|
|
|
|
id(new PHUIStatusItemView())
|
|
|
|
->setIcon(PHUIStatusItemView::ICON_WARNING, 'yellow')
|
|
|
|
->setTarget(pht('No Providers'))
|
|
|
|
->setNote(
|
|
|
|
pht(
|
|
|
|
'This merchant does not have any payment providers configured '.
|
|
|
|
'yet, so it can not accept payments. Add a provider.')));
|
|
|
|
}
|
|
|
|
|
|
|
|
$view->addProperty(pht('Status'), $status_view);
|
|
|
|
|
2014-10-13 20:13:50 +02:00
|
|
|
$this->loadHandles($merchant->getMemberPHIDs());
|
|
|
|
|
|
|
|
$view->addProperty(
|
|
|
|
pht('Members'),
|
|
|
|
$this->renderHandlesForPHIDs($merchant->getMemberPHIDs()));
|
|
|
|
|
2014-10-08 17:31:24 +02:00
|
|
|
$view->invokeWillRenderEvent();
|
|
|
|
|
|
|
|
$description = $merchant->getDescription();
|
|
|
|
if (strlen($description)) {
|
|
|
|
$description = PhabricatorMarkupEngine::renderOneObject(
|
|
|
|
id(new PhabricatorMarkupOneOff())->setContent($description),
|
|
|
|
'default',
|
|
|
|
$viewer);
|
|
|
|
|
|
|
|
$view->addSectionHeader(pht('Description'));
|
|
|
|
$view->addTextContent($description);
|
|
|
|
}
|
|
|
|
|
Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
return $view;
|
|
|
|
}
|
|
|
|
|
|
|
|
private function buildActionListView(PhortuneMerchant $merchant) {
|
|
|
|
$viewer = $this->getRequest()->getUser();
|
|
|
|
$id = $merchant->getID();
|
|
|
|
|
|
|
|
$can_edit = PhabricatorPolicyFilter::hasCapability(
|
|
|
|
$viewer,
|
|
|
|
$merchant,
|
|
|
|
PhabricatorPolicyCapability::CAN_EDIT);
|
|
|
|
|
|
|
|
$view = id(new PhabricatorActionListView())
|
|
|
|
->setUser($viewer)
|
|
|
|
->setObject($merchant);
|
|
|
|
|
|
|
|
$view->addAction(
|
|
|
|
id(new PhabricatorActionView())
|
|
|
|
->setName(pht('Edit Merchant'))
|
|
|
|
->setIcon('fa-pencil')
|
|
|
|
->setDisabled(!$can_edit)
|
|
|
|
->setWorkflow(!$can_edit)
|
|
|
|
->setHref($this->getApplicationURI("merchant/edit/{$id}/")));
|
|
|
|
|
2014-10-08 23:40:02 +02:00
|
|
|
$view->addAction(
|
|
|
|
id(new PhabricatorActionView())
|
|
|
|
->setName(pht('View Orders'))
|
|
|
|
->setIcon('fa-shopping-cart')
|
|
|
|
->setHref($this->getApplicationURI("merchant/orders/{$id}/"))
|
|
|
|
->setDisabled(!$can_edit)
|
|
|
|
->setWorkflow(!$can_edit));
|
|
|
|
|
Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
return $view;
|
|
|
|
}
|
|
|
|
|
2014-10-08 17:31:24 +02:00
|
|
|
private function buildProviderList(
|
|
|
|
PhortuneMerchant $merchant,
|
|
|
|
array $providers) {
|
|
|
|
|
2014-10-07 23:41:41 +02:00
|
|
|
$viewer = $this->getRequest()->getUser();
|
|
|
|
$id = $merchant->getID();
|
|
|
|
|
|
|
|
$can_edit = PhabricatorPolicyFilter::hasCapability(
|
|
|
|
$viewer,
|
|
|
|
$merchant,
|
|
|
|
PhabricatorPolicyCapability::CAN_EDIT);
|
|
|
|
|
|
|
|
$provider_list = id(new PHUIObjectItemListView())
|
|
|
|
->setNoDataString(pht('This merchant has no payment providers.'));
|
|
|
|
|
|
|
|
foreach ($providers as $provider_config) {
|
|
|
|
$provider = $provider_config->buildProvider();
|
|
|
|
$provider_id = $provider_config->getID();
|
|
|
|
|
|
|
|
$item = id(new PHUIObjectItemView())
|
|
|
|
->setHeader($provider->getName());
|
|
|
|
|
2014-10-08 17:31:24 +02:00
|
|
|
if ($provider->isEnabled()) {
|
|
|
|
if ($provider->isAcceptingLivePayments()) {
|
|
|
|
$item->setBarColor('green');
|
|
|
|
} else {
|
|
|
|
$item->setBarColor('yellow');
|
|
|
|
$item->addIcon('fa-exclamation-triangle', pht('Test Mode'));
|
|
|
|
}
|
|
|
|
|
|
|
|
$item->addAttribute($provider->getConfigureProvidesDescription());
|
|
|
|
} else {
|
|
|
|
// Don't show disabled providers to users who can't manage the merchant
|
|
|
|
// account.
|
|
|
|
if (!$can_edit) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
$item->setDisabled(true);
|
|
|
|
$item->addAttribute(
|
|
|
|
phutil_tag('em', array(), pht('This payment provider is disabled.')));
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if ($can_edit) {
|
|
|
|
$edit_uri = $this->getApplicationURI(
|
|
|
|
"/provider/edit/{$provider_id}/");
|
|
|
|
$disable_uri = $this->getApplicationURI(
|
|
|
|
"/provider/disable/{$provider_id}/");
|
|
|
|
|
|
|
|
if ($provider->isEnabled()) {
|
|
|
|
$disable_icon = 'fa-times';
|
|
|
|
$disable_name = pht('Disable');
|
|
|
|
} else {
|
|
|
|
$disable_icon = 'fa-check';
|
|
|
|
$disable_name = pht('Enable');
|
|
|
|
}
|
|
|
|
|
|
|
|
$item->addAction(
|
|
|
|
id(new PHUIListItemView())
|
|
|
|
->setIcon($disable_icon)
|
|
|
|
->setHref($disable_uri)
|
|
|
|
->setName($disable_name)
|
|
|
|
->setWorkflow(true));
|
|
|
|
|
|
|
|
$item->addAction(
|
|
|
|
id(new PHUIListItemView())
|
|
|
|
->setIcon('fa-pencil')
|
|
|
|
->setHref($edit_uri)
|
|
|
|
->setName(pht('Edit')));
|
|
|
|
}
|
2014-10-07 23:41:41 +02:00
|
|
|
|
|
|
|
$provider_list->addItem($item);
|
|
|
|
}
|
|
|
|
|
|
|
|
$add_action = id(new PHUIButtonView())
|
|
|
|
->setTag('a')
|
|
|
|
->setHref($this->getApplicationURI('provider/edit/?merchantID='.$id))
|
|
|
|
->setText(pht('Add Payment Provider'))
|
|
|
|
->setDisabled(!$can_edit)
|
|
|
|
->setWorkflow(!$can_edit)
|
|
|
|
->setIcon(id(new PHUIIconView())->setIconFont('fa-plus'));
|
|
|
|
|
|
|
|
$header = id(new PHUIHeaderView())
|
|
|
|
->setHeader(pht('Payment Providers'))
|
|
|
|
->addActionLink($add_action);
|
|
|
|
|
|
|
|
return id(new PHUIObjectBoxView())
|
|
|
|
->setHeader($header)
|
|
|
|
->appendChild($provider_list);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
Add Merchants to Phortune
Summary:
Ref T2787. Currently, you add payment providers (Stripe, Paypal, etc) in global configuration.
Generally, this approach is cumbersome, limiting, and often hard for users to figure out. It also doesn't provide a natural way to segment payment receivers or provide web access to administrative payment functions like issuing refunds, canceling orders, etc. I think that stuff definitely needs to be in the web UI, and the rule for access to it can't reasonably just be "all administrators" in a lot of reasonable cases.
The only real advantage is that it prevents an attacker from adjusting settings and pointing something at an account they control. But this attack can be mitigated through notifications, some sort of CLI-only merchant lock, payment accounts being relatively identifiable, etc.
So introduce "merchants", which are basically payable entities. An individual merchant will have attached Paypal, Stripe, etc., accounts, and access rules. When you buy something in an application, the merchant to pay is also specified. They also provide an umbrella for dealing with permissions down the line.
This may get a //little// cumbersome because if there are several merchants your saved card information is not shared across them. I think that will be fine in the normal case (most installs will have only one merchant). Even if it isn't and we leave providers global, I think introducing this is the right call from a web UI / permissions point of view. I'll play around with it in the next couple of diffs and figure out exactly where the line goes.
Test Plan: Listed, created, edited, viewed merchants.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T2787
Differential Revision: https://secure.phabricator.com/D10648
2014-10-07 19:55:16 +02:00
|
|
|
}
|