refactor: implement or remove BoostPurchase stub in admin modals #16

Open
opened 2026-02-20 02:40:58 +00:00 by Clotho · 0 comments
Member

Issue

src/Website/Hub/View/Modal/Admin/BoostPurchase.php contains a stub implementation waiting for Blesta integration.

Current Implementation (lines 63-70)

public function purchaseBoost(): void
{
    // TODO: Implement when Blesta is configured
    $this->dispatch('toast', type: 'info', 
        message: 'Boost purchase coming soon!');
    
    // Redirect to Blesta checkout
    $this->redirect(config('services.blesta.checkout_url') . '?boost=true');
}

Issues

  1. Stub shows toast but also redirects - Confusing UX
  2. Config not validated - config('services.blesta.checkout_url') could be null
  3. URL built without validation - Query param appended without checking base URL format
  4. TODO comment - Indicates incomplete feature

Decision Required

Option A: Implement Blesta Integration

  • Configure Blesta API credentials in config/services.php
  • Add Blesta package to composer.json
  • Implement proper checkout flow:
    public function purchaseBoost(): void
    {
        $blestaUrl = config('services.blesta.checkout_url');
    
        if (empty($blestaUrl)) {
            $this->dispatch('toast', type: 'error', 
                message: 'Payment system not configured.');
            return;
        }
    
        // Generate signed checkout URL
        $checkoutUrl = $this->blestaService->createCheckoutUrl([
            'user_id' => $this->user()->id,
            'product' => 'boost',
            'quantity' => $this->boostAmount,
        ]);
    
        $this->redirect($checkoutUrl);
    }
    

Option B: Remove Feature

  • If boost purchase is not planned
  • Remove modal component entirely
  • Remove from admin menu
  • Remove blade template

Option C: Stub with External Link

  • If boosts are purchased elsewhere (Stripe portal, etc.)
  • Keep modal but make it informational
  • Provide link to external purchase page
  • Remove "coming soon" messaging

Files Affected

  • src/Website/Hub/View/Modal/Admin/BoostPurchase.php
  • src/Website/Hub/View/Blade/admin/boost-purchase.blade.php
  • Admin menu registration (if removing)
  • config/services.php (if implementing)

Security Concern

Redirect URL validation (line 69):

  • Currently: config('services.blesta.checkout_url') . '?boost=true'
  • Risk: If config is user-controllable or misconfigured, could redirect to malicious site
  • Fix: Validate URL before redirect:
    $url = config('services.blesta.checkout_url');
    if (!filter_var($url, FILTER_VALIDATE_URL)) {
        throw new RuntimeException('Invalid checkout URL configured');
    }
    $this->redirect($url . '?boost=true');
    

Priority

High - Incomplete feature exposed to users.

Discovered by

Automatic codebase scan (issue #3)
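
A stricter form of the redirect check, as an added example that is not part of the original issue or the project's code: FILTER_VALIDATE_URL only checks syntax and accepts any scheme, so this version also requires https, an allowlisted host and no embedded credentials, and it merges the query string instead of appending '?boost=true'. The names buildCheckoutRedirect and ALLOWED_CHECKOUT_HOSTS and the host billing.example.com are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not project code. ALLOWED_CHECKOUT_HOSTS and
// buildCheckoutRedirect() are hypothetical names; the host is constructed.
const ALLOWED_CHECKOUT_HOSTS = ['billing.example.com'];

/** Validate a configured checkout base URL and append query parameters. */
function buildCheckoutRedirect(mixed $base, array $params): string
{
    if (!is_string($base) || $base === '') {
        throw new RuntimeException('Checkout URL is not configured');
    }
    $parts = parse_url($base);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new RuntimeException('Checkout URL is not an absolute URL');
    }
    // Syntax validation alone accepts any scheme; require https explicitly.
    if (strtolower($parts['scheme']) !== 'https') {
        throw new RuntimeException('Checkout URL must use https');
    }
    // "https://trusted-name@other-host/" parses with other-host as the host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new RuntimeException('Checkout URL must not contain credentials');
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_CHECKOUT_HOSTS, true)) {
        throw new RuntimeException('Checkout host is not allowlisted');
    }
    // Rebuild from parsed parts: merge any existing query, drop the fragment.
    parse_str($parts['query'] ?? '', $existing);
    $query = http_build_query(array_merge($existing, $params));
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    return 'https://' . $host . $port . ($parts['path'] ?? '/') . '?' . $query;
}

// Constructed sample inputs: unset config, wrong scheme, credentials
// in the authority, and a valid base URL that already has a query string.
$samples = [
    null,
    'javascript://x',
    'https://billing.example.com@other.example/',
    'https://billing.example.com/cart?lang=en',
];
foreach ($samples as $candidate) {
    try {
        echo buildCheckoutRedirect($candidate, ['boost' => 'true']), PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```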

Clotho added the review, discovery labels 2026-02-20 02:40:58 +00:00
Charon added PHP, refactor, P2 and removed review, discovery labels 2026-02-20 12:16:53 +00:00
Clotho was assigned by Charon 2026-02-20 12:20:54 +00:00
Charon added the agent-ready label 2026-02-21 01:30:22 +00:00
Reference: core/php-admin#16