Text / Numeric Quantity fields in price sets allow negative value
When using a Text / Numeric Quantity field with a unit value of $1 (set to not show the price) in a price set as a method of collecting an "additional donation" during an event registration (or membership signup), the user can input a negative number, which basically enables an unscrupulous person to register for events and memberships for free.
While I have read some issues in the old issue tracker that suggest allowing a negative value for the unit price to be by design, I don't see where allowing a negative quantity value is a use case that should be supported. At the very least, perhaps these types of fields in price sets should have a "minimum value" that can be set on the field itself, in addition to the maximum value option that's already in place? I know there's a Minimum Price field on the Price Set, but this isn't ideal as an event might have multiple prices for different event experiences e.g. conference only, conference plus food, conference plus food and lodging. Setting the minimum price on the price set to the lowest price in the event reg options would still enable an unscrupulous person to use the negative amount in a text field to get free food and lodging, using this example.
To replicate on dmaster.demo.civicrm.org:
- Create a new Event price set with a radio button price field that has one price option of $X amount (I set it to $1000) and a text / numeric quantity field with a price value of $1 and a hidden price
- Set up an event that uses this price set. I used the Paid Conference with Online Registration template as my starter and added the price set I created above
- Go to the event registration page, and be amazed that you can register for ZERO DOLLARS by entering "-1000" in the text / numeric quantity field.
And don't even get me started on how an automagic CiviDiscount appears to break the "Total Fee(s) for this participant" during this test I created. ;)
So, this might be 'by design' or even 'functioning as expected' territory, but I feel it's worth looking at something to mitigate the potential risks. Open to ideas on how to handle this. Ideas?
- Add a new field type for Price Sets called "Other Amount" that is a text / numeric field and functions the same way the "Allow Other Amounts" field works when you configure a contribution page w/o a price set
- Add a Minimum Amount parameter to Price Fields
- Decide that negative amounts should be disallowed and put form validation in place to enforce
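
A model of the server-side check proposed in the list above, as an added example (Python, not CiviCRM code and not part of the original report). The price set, the option names and the per-field `min_qty` parameter are constructed for illustration; it shows why a set-level Minimum Price alone still lets a negative quantity discount a dearer option, and how a per-field minimum closes that.

```python
from decimal import Decimal, InvalidOperation

# Constructed price set modelled on the report: one radio field plus a
# hidden-price text / numeric quantity field with a $1 unit value.
PRICE_SET = {
    "min_amount": Decimal("500"),  # set-level Minimum Price = cheapest option
    "radio": {
        "conference": Decimal("500"),
        "conference_food_lodging": Decimal("1000"),
    },
    # min_qty is the hypothetical per-field "Minimum Amount" parameter.
    "text": {"unit_price": Decimal("1"), "min_qty": Decimal("0"),
             "max_qty": Decimal("10000")},
}


def total_fee(price_set, option, qty_raw, enforce_field_min):
    """Return (total, errors) for one submission; total is None on error."""
    text = price_set["text"]
    errors = []
    if option not in price_set["radio"]:
        errors.append("unknown option")
    try:
        qty = Decimal(qty_raw.strip() or "0")  # empty field means quantity 0
    except InvalidOperation:
        qty = None
    if qty is None or not qty.is_finite():  # rejects "abc", "NaN", "Infinity"
        errors.append("quantity is not a number")
    elif enforce_field_min and qty < text["min_qty"]:
        errors.append("quantity below field minimum")
    elif qty > text["max_qty"]:
        errors.append("quantity above field maximum")
    if errors:
        return None, errors
    total = price_set["radio"][option] + qty * text["unit_price"]
    # The set-level check only sees the sum, not which option was chosen.
    if total < price_set["min_amount"]:
        return None, ["total below price set minimum"]
    return total, []


if __name__ == "__main__":
    for enforce in (False, True):
        print(enforce, total_fee(PRICE_SET, "conference_food_lodging", "-500", enforce))
```
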