Add redirect capabilities to Invest Controller

Resources/defaults.yml

@@ -81,6 +81,9 @@ url:
             - /password-reset
             - /signup
 
+    # Domains that are allowed by the application to redirect to outside of the platform.
+    allowed_domains:
+
     # If you want to use a CDN or another web server to serve the cached images
     # You can define this constants. All cached images links will point to this
     # Url, event if don't exists yet.

src/Goteo/Application/Event/FilterInvestFinishEvent.php

@@ -14,6 +14,8 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Contracts\EventDispatcher\Event;
+use Goteo\Application\Session;
+use Goteo\Library\Domain;
 use Goteo\Model\Invest;
 
 class FilterInvestFinishEvent extends Event
@@ -46,6 +48,13 @@ public function setHttpResponse(Response $response)
 
     public function getHttpResponse() {
         if($this->response) return $this->response;
+
+        $return_to = Session::get('return_to');
+        if ($return_to && Domain::isAllowedDomain($return_to)) {
+            Session::del('return_to');
+            return new RedirectResponse($return_to);
+        }
+
         // Default is a redirection
         if($this->invest->project) {
             return new RedirectResponse('/invest/' . $this->invest->project . '/' . $this->invest->id . '/share');
@@ -57,4 +66,5 @@ public function getHttpResponse() {
             return new RedirectResponse('/donate/'  . $this->invest->id . '/share');
         }
     }
+
 }

src/Goteo/Controller/InvestController.php

@@ -23,6 +23,7 @@
 use Goteo\Application\Session;
 use Goteo\Application\View;
 use Goteo\Core\Controller;
+use Goteo\Library\Domain;
 use Goteo\Library\Text;
 use Goteo\Model\Invest;
 use Goteo\Model\Project;
@@ -73,7 +74,7 @@ protected function getUser(): ?User
      * the skip_login variable from project configuration
      */
     private function validate(
-        $project_id, $reward_id = null, &$custom_amount = null, $invest = null, $login_required = true
+        $project_id, $reward_id = null, &$custom_amount = null, $invest = null, $login_required = true, ?Request $request = null
     ) {
         $project = Project::get($project_id, Lang::current());
         // Add analytics to config
@@ -96,11 +97,23 @@ private function validate(
             Config::get('currency')
         );
 
+        if ($request) {
+            $return_to = '';
+
+            if ($request->query->has('return_to')) {
+                $return_to = rawurldecode($request->query->get('return_to'));
+
+                if (Domain::isAllowedDomain($return_to))
+                    Session::store('return_to', $return_to);
+            }
+        }
+
         $this->page = '/invest/' . $project_id;
         $this->query = http_build_query([
             'amount' => "$amount_original$currency",
             'reward' => $reward_id,
-            'donate_amount' => "$donate_amount$currency"
+            'donate_amount' => "$donate_amount$currency",
+            'return_to' => $return_to
         ]);
 
         // Some projects may have activated a non-registering investion
@@ -243,7 +256,7 @@ public function selectRewardAction($project_id, Request $request): Response
     {
         // TODO: add events
         $amount = $request->query->get('amount');
-        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, false);
+        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, false, $request);
         if($reward instanceOf Response) return $reward;
 
         // Aqui cambiar por escoger recompensa
@@ -260,7 +273,7 @@ public function selectRewardAction($project_id, Request $request): Response
     public function loginAction($project_id, Request $request)
     {
         $amount = $request->query->get('amount');
-        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, false);
+        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, false, $request);
 
         if($reward instanceOf Response) return $reward;
         if(!$request->query->has('return')) {
@@ -282,7 +295,7 @@ public function loginAction($project_id, Request $request)
     public function signupAction($project_id, Request $request)
     {
         $amount = $request->query->get('amount');
-        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, false);
+        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, false, $request);
 
         if($reward instanceOf Response) return $reward;
         if(!$request->query->has('return')) {
@@ -307,7 +320,7 @@ public function selectPaymentMethodAction(Request $request, $project_id)
         $amount = $request->query->get('amount');
         $donate_amount = $request->query->getInt('donate_amount', Config::get('donate.tip_amount'));
         $email = $request->query->has('email');
-        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, 'auto');
+        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, 'auto', $request);
 
         if(!($this->skip_login && $email) && !Session::isLogged()) {
             return $this->redirect('/invest/' . $project_id . '/signup?' . $this->query);
@@ -346,7 +359,7 @@ public function paymentFormAction($project_id, Request $request) {
         $tip=$request->query->get('tip');
         $donate_amount =  $tip ? $request->query->get('donate_amount') : 0;
         $amount = $amount_original = $request->query->get('amount');
-        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, 'auto');
+        $reward = $this->validate($project_id, $request->query->get('reward'), $amount, null, 'auto', $request);
 
         if($reward instanceOf Response) return $reward;
 
@@ -601,13 +614,15 @@ public function userDataAction($project_id, $invest_id, Request $request)
                     }
                 }
                 $invest->extra_info = $invest_address['extra_info'];
-                $invest->save();
+                $invest->save($errors);
 
-                if($ok && $invest->setAddress($invest_address)) {
+                $isAddressValid = $invest->setAddress($invest_address);
+                if($ok && $isAddressValid) {
                     return $this->dispatch(AppEvents::INVEST_FINISHED, new FilterInvestFinishEvent($invest, $request))->getHttpResponse();
                 }
             }
             Message::error(Text::get('invest-address-fail'));
+            Message::error(implode(',', $errors));
         }
 
         return $this->viewResponse(

src/Goteo/Library/Domain.php

@@ -0,0 +1,35 @@
+<?php
+
+namespace Goteo\Library;
+
+use Goteo\Application\Config;
+use Goteo\Application\Config\ConfigException;
+
+class Domain
+{
+    public static function isAllowedDomain(string $domain): bool
+    {
+        try {
+            $domains = Config::get('url.allowed_domains');
+        } catch (ConfigException $e) {
+            return false;
+        }
+
+        if (empty($domains))
+            return false;
+
+        $parse = parse_url($domain, PHP_URL_HOST);
+        if (!$parse)
+            return false;
+
+        $validDomains = array_filter($domains, function ($domain) use ($parse) {
+            $parsedDomain = parse_url($domain);
+            if (!$parsedDomain['scheme'])
+                return $parsedDomain['path'] == $parse;
+
+            return $parsedDomain['host'] == $parse;
+        });
+
+        return !empty($validDomains);
+    }
+}