Clean CC sensible data on Gold subscriptions (#4291)

* Clean CC sensible data on Gold subscriptions

`PaymentView.submit_form` function removes all CC sensible data.

This function is used for `GoldView` in this repo and also for
`DonateView` in -ext repo.

Since the behavior is shared across them, it's better to modify the
parent's function and remove the override from the children.

* Standardize `card_digits` and `last_4_digits`

Use `last_4_card_digits` to avoid confusion and express exactly what
it contains.

* Rename auto named migration

Author: humitos

readthedocs/gold/forms.py

@@ -23,14 +23,14 @@ class GoldSubscriptionForm(StripeResourceMixin, StripeModelForm):
 
     class Meta(object):
         model = GoldUser
-        fields = ['last_4_digits', 'level']
+        fields = ['last_4_card_digits', 'level']
 
-    last_4_digits = forms.CharField(
+    last_4_card_digits = forms.CharField(
         required=True,
         min_length=4,
         max_length=4,
         widget=forms.HiddenInput(attrs={
-            'data-bind': 'valueInit: card_digits, value: card_digits'
+            'data-bind': 'valueInit: last_4_card_digits, value: last_4_card_digits',
         })
     )
 
@@ -73,10 +73,6 @@ def get_subscription(self):
             )
             return subscription
 
-    def clear_card_data(self):
-        super(GoldSubscriptionForm, self).clear_card_data()
-        self.data['last_4_digits'] = None
-
 
 class GoldProjectForm(forms.Form):
     project = forms.CharField(

readthedocs/gold/migrations/0002_rename_last_4_digits.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.9.13 on 2018-07-16 15:45
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('gold', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name='golduser',
+            old_name='last_4_digits',
+            new_name='last_4_card_digits',
+        ),
+    ]

readthedocs/gold/models.py

@@ -39,7 +39,7 @@ class GoldUser(models.Model):
     projects = models.ManyToManyField(Project, verbose_name=_('Projects'),
                                       related_name='gold_owners')
 
-    last_4_digits = models.CharField(max_length=4)
+    last_4_card_digits = models.CharField(max_length=4)
     stripe_id = models.CharField(max_length=255)
     subscribed = models.BooleanField(default=False)
 

readthedocs/gold/static-src/gold/js/gold.js

@@ -10,7 +10,7 @@ function GoldView(config) {
 
     self.constructor.call(self, config);
 
-    self.last_4_digits = ko.observable(null);
+    self.last_4_card_digits = ko.observable(null);
 }
 
 GoldView.prototype = new payment.PaymentView();
@@ -22,10 +22,4 @@ GoldView.init = function (config, obj) {
     return view;
 };
 
-GoldView.prototype.submit_form = function (card_digits, token) {
-    this.form.find('#id_last_4_digits').val(card_digits);
-    this.form.find('#id_stripe_token').val(token);
-    this.form.submit();
-};
-
 module.exports.GoldView = GoldView;

readthedocs/gold/templates/gold/subscription_detail.html

@@ -43,7 +43,7 @@ <h2>{% trans "Gold Subscription" %}</h2>
 
     <p class="subscription-detail subscription-detail-card">
       <label>{% trans "Card" %}:</label>
-      <span>****-{{ golduser.last_4_digits }}</span>
+      <span>****-{{ golduser.last_4_card_digits }}</span>
     </p>
 
     <form method="get" action="{% url "gold_subscription" %}" class="subscription-update">

readthedocs/gold/templates/gold/subscription_form.html

@@ -103,12 +103,12 @@ <h3>{{ subscription_title }}</h3>
     {% for field in form.fields_with_cc_group %}
       {% if field.is_cc_group %}
         <p
-            data-bind="visible: card_digits"
+            data-bind="visible: last_4_card_digits"
             style="display: none;"
             class="subscription-card">
           <label>{% trans "Current card" %}:</label>
           <span class="subscription-card-number">
-            ****-<span data-bind="text: card_digits"></span>
+            ****-<span data-bind="text: last_4_card_digits"></span>
           </span>
         </p>
 

readthedocs/gold/tests/test_forms.py

@@ -67,7 +67,7 @@ def test_add_subscription(self):
         # Create user and subscription
         subscription_form = GoldSubscriptionForm(
             {'level': 'v1-org-5',
-             'last_4_digits': '0000',
+             'last_4_card_digits': '0000',
              'stripe_token': 'GARYBUSEY'},
             customer=self.user
         )
@@ -132,7 +132,7 @@ def test_add_subscription_update_user(self):
         golduser = fixture.get(GoldUser, user=self.user, stripe_id='cus_12345')
         subscription_form = GoldSubscriptionForm(
             {'level': 'v1-org-5',
-             'last_4_digits': '0000',
+             'last_4_card_digits': '0000',
              'stripe_token': 'GARYBUSEY'},
             customer=self.user,
             instance=golduser
@@ -198,7 +198,7 @@ def test_update_subscription_plan(self):
         ])
         subscription_form = GoldSubscriptionForm(
             {'level': 'v1-org-5',
-             'last_4_digits': '0000',
+             'last_4_card_digits': '0000',
              'stripe_token': 'GARYBUSEY'},
             customer=self.user
         )

readthedocs/payments/static-src/payments/js/base.js

@@ -37,13 +37,13 @@ function PaymentView (config) {
     self.error_cc_cvv = ko.observable(null);
 
     self.stripe_token = ko.observable(null);
-    self.card_digits = ko.observable(null);
+    self.last_4_card_digits = ko.observable(null);
 
     // Form editing
     self.is_editing_card = ko.observable(false);
     self.show_card_form = ko.computed(function () {
         return (self.is_editing_card() ||
-                !self.card_digits() ||
+                !self.last_4_card_digits() ||
                 self.cc_number() ||
                 self.cc_expiry() ||
                 self.cc_cvv());
@@ -122,9 +122,15 @@ function PaymentView (config) {
 
 }
 
-PaymentView.prototype.submit_form = function (card_digits, token) {
-    this.form.find('#id_card_digits').val(card_digits);
+PaymentView.prototype.submit_form = function (last_4_card_digits, token) {
+    this.form.find('#id_last_4_card_digits').val(last_4_card_digits);
     this.form.find('#id_stripe_token').val(token);
+
+    // Delete all user's card information before sending them to our servers
+    this.form.find('#id_cc_number').val(null);
+    this.form.find('#id_cc_expiry').val(null);
+    this.form.find('#id_cc_cvv').val(null);
+
     this.form.submit();
 };