From 6c4fb84ee909ccdd27e04cf9f60019a2b718bca3 Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Wed, 5 Jun 2013 09:11:25 +0200
Subject: [PATCH] Adding min/max threshold configuration

* Check for min/max values set for auto payouts
* Display error messages to the user
* Sanitize values just in case we fall through the validation
* Updated template and class
* New configuration option added! Update your local configs!

Fixes #108
---
 public/include/classes/user.class.php | 21 +++++++++++++++++++--
 public/include/config/global.inc.dist.php | 4 ++++
 public/include/pages/account/edit.inc.php | 2 +-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index 2b5f093e..8db17a1e 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -241,10 +241,27 @@ class User {
 public function updateAccount($userID, $address, $threshold, $donate) {
 $this->debug->append("STA " . __METHOD__, 4);
 $bUser = false;
- $threshold = min(250, max(0, floatval($threshold)));
- if ($threshold < 1) $threshold = 0.0;
+
+ // number validation checks
+ if ($threshold < $this->config['ap_threshold']['min'] && $threshold != 0) {
+ $this->setErrorMessage('Threshold below configured minimum of ' . $this->config['ap_threshold']['min']);
+ return false;
+ } else if ($threshold > $this->config['ap_threshold']['max']) {
+ $this->setErrorMessage('Threshold above configured maximum of ' . $this->config['ap_threshold']['max']);
+ return false;
+ }
+ if ($donate < 0) {
+ $this->setErrorMessage('Donation below allowed 0% limit');
+ return false;
+ } else if ($donate > 100) {
+ $this->setErrorMessage('Donation above allowed 100% limit');
+ return false;
+ }
+ // Number sanitizer, just in case we fall through above
+ $threshold = min($this->config['ap_threshold']['max'], max(0, floatval($threshold)));
 $donate = min(100, max(0, floatval($donate)));
+ // We passed all validation checks so update the account
 $stmt = $this->mysqli->prepare("UPDATE $this->table SET coin_address = ?, ap_threshold = ?, donate_percent = ? WHERE id = ?");
 $stmt->bind_param('sddi', $address, $threshold, $donate, $userID);
 $stmt->execute();
diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php
index 2bb6069f..306d5261 100644
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@@ -25,6 +25,10 @@ $config = array(
 'url' => 'https://btc-e.com/api/2',
 'target' => '/ltc_usd/ticker'
 ),
+ 'ap_threshold' => array(
+ 'min' => 1,
+ 'max' => 250
+ ),
 'website' => array(
 'name' => 'The Pool',
 'slogan' => 'Resistance is futile',
diff --git a/public/include/pages/account/edit.inc.php b/public/include/pages/account/edit.inc.php
index 6308e271..84937115 100644
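Review bot: The new range checks compare `$threshold` and `$donate` while they are still the raw strings that edit.inc.php passes in from `$_POST`, and only the sanitizer further down calls `floatval()`, so the check and the stored value can disagree: depending on PHP version, a non-numeric or empty string either slips past the `$threshold != 0` guard and is stored as 0, or trips the maximum check with a misleading message. Casting once before the checks, `$threshold = floatval($threshold);` and `$donate = floatval($donate);` right after `$bUser = false;`, makes both the validation and the sanitizer judge the same value (an `is_numeric()` rejection with its own error message would be stricter still). The bounds are also read unconditionally from `$this->config['ap_threshold']`; on an installation whose local config predates this commit both lookups yield null, `$threshold > null` holds for any non-empty string input, and every update appears to fail with an empty "above configured maximum of " message, so an `isset()` fallback to the previous hard-coded 1/250 bounds, or an explicit configuration error, is needed. updateAccount's body continues past the end of the hunk.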
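Review bot: The added `ap_threshold` entry has no explanatory comment, and since user.class.php reads both keys unconditionally and apparently rejects every account update when they are missing, the dist file is the one place to tell an operator that this entry is mandatory after upgrading. A comment such as `// Mandatory: bounds for the auto-payout threshold a user may save; 0 is always accepted, other values must lie within min..max (numeric, not strings)` above the block would cover it; what 0 means beyond bypassing the minimum check is not visible in this diff, so word that part cautiously.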
--- a/public/include/pages/account/edit.inc.php
+++ b/public/include/pages/account/edit.inc.php
@@ -49,7 +49,7 @@ if ( ! $user->checkPin($_SESSION['USERDATA']['id'], $_POST['authPin']) && $_POST
 if ($user->updateAccount($_SESSION['USERDATA']['id'], $_POST['paymentAddress'], $_POST['payoutThreshold'], $_POST['donatePercent'])) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Account details updated', 'TYPE' => 'success');
 } else {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to update your account', 'TYPE' => 'errormsg');
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to update your account: ' . $user->getError(), 'TYPE' => 'errormsg');
 }
 break;
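Review bot: The popup now embeds `$user->getError()` unconditionally, but on failure paths of updateAccount that never call setErrorMessage (the user.class.php hunk shows only the validation returns; the rest of that function, including what happens after a failed execute(), is outside the diff) the user sees a bare "Failed to update your account: " with nothing after the colon. Capturing it first, `$error = $user->getError();` and then `'Failed to update your account' . ($error ? ': ' . $error : '')`, keeps the old wording when no detail is available. The CONTENT string is stored in the session and presumably echoed by the popup template, which is not in the diff; today getError() can only carry the fixed strings set in updateAccount, but if any future error text embeds request input it must be escaped at render time with htmlspecialchars rather than trusted from the session. The enclosing `if` and the surrounding switch case start before the hunk.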