rework epay callback validation

shop/epay.py

@@ -17,3 +17,12 @@ def calculate_epay_hash(order, request):
     epay_hash = hashlib.md5(hashstring).hexdigest()
     return epay_hash
 
+
+def validate_epay_callback(query):
+    hashstring = ''
+    for key, value in query.iteritems():
+        if key != 'hash':
+            hashstring += value
+    hash = hashlib.md5(hashstring).hexdigest()
+    return hash == query['hash']
+

shop/views.py

@@ -23,7 +23,7 @@ from shop.models import (
     EpayCallback,
 )
 from .forms import AddToOrderForm
-from .epay import calculate_epay_hash
+from .epay import calculate_epay_hash, validate_epay_callback
 
 
 class EnsureUserOwnsOrderMixin(SingleObjectMixin):
@@ -279,8 +279,8 @@ class EpayCallbackView(View):
             )
             order = get_object_or_404(Order, pk=query.get('orderid'))
 
-            epay_hash = calculate_epay_hash(order, request)
+            if not validate_epay_callback(query):
-            if not epay_hash == query.get('hash'):
+                print "bad epay callback!"
                 return HttpResponse(status=400)
 
             EpayPayment.objects.create(