authorCarlton Gibson <carlton@noumenal.es>2021-03-09 14:13:23 +0100
committerGitHub <noreply@github.com>2021-03-09 14:13:23 +0100
commit4abe4ec053e4073ed3b48006066de2ecd9719346 (patch)
tree619d89c9a4567e6ac8119cb7488a3d6e3c1a07b0 /fundraising
parentc975e96e38bf54bd967304bbf6135540208f6ab9 (diff)
Refs #1052 -- Added max_value validation to donations.
Stripe's API rejects very large values. Sentry reports folks enjoying spending the weekend entering such large values. So reject as invalid, and show an appropriate alert before attempting to contact Stripe.
Diffstat (limited to 'fundraising')
-rw-r--r--fundraising/forms.py1
-rw-r--r--fundraising/tests/test_forms.py10
2 files changed, 11 insertions, 0 deletions
diff --git a/fundraising/forms.py b/fundraising/forms.py
index 7e269cd2..b6c5970c 100644
--- a/fundraising/forms.py
+++ b/fundraising/forms.py
@@ -165,6 +165,7 @@ class PaymentForm(forms.Form):
amount = forms.IntegerField(
required=True,
min_value=1, # Minimum payment from Stripe API
+ max_value=1_000_000, # Reject clearly unrealistic amounts.
)
interval = forms.ChoiceField(
required=True,
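Review bot: The new bound `max_value=1_000_000` may still admit a value that Stripe rejects. Stripe documents an eight-digit cap on the amount in the smallest currency unit (99999999, i.e. $999,999.99 for USD). If this field holds whole dollars and is multiplied by 100 before the API call (the conversion is not visible in this hunk), an amount of exactly 1,000,000 would pass validation and still fail at Stripe. Consider `max_value=999_999,  # Stripe caps amounts at 99,999,999 in the smallest currency unit`, so the comment names the upstream limit the way the `min_value` line does. The body of `PaymentForm` continues outside the hunk.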
diff --git a/fundraising/tests/test_forms.py b/fundraising/tests/test_forms.py
index d66d6b51..09744441 100644
--- a/fundraising/tests/test_forms.py
+++ b/fundraising/tests/test_forms.py
@@ -10,3 +10,13 @@ class TestPaymentForm(TestCase):
'interval': 'onetime',
})
self.assertTrue(form.is_valid())
+
+ def test_max_value_validation(self):
+ """
+ Reject unrealistic values greater than $1,000,000.
+ """
+ form = PaymentForm(data={
+ 'amount': 1_000_001,
+ 'interval': 'onetime',
+ })
+ self.assertFalse(form.is_valid())
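Review bot: `self.assertFalse(form.is_valid())` at the end of `test_max_value_validation` would also pass if the form were invalid for an unrelated reason, so the test does not pin the failure to the new upper bound. Adding `self.assertIn('amount', form.errors)` ties the rejection to the field under test. A companion assertion that `'amount': 1_000_000` still validates would cover the boundary, so a later change to the limit cannot slip through unnoticed.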