authorjessib <jessib@riseup.net>2013-08-08 11:48:16 -0700
committerjessib <jessib@riseup.net>2013-08-08 11:48:16 -0700
commitd4283be8b1e33d30d2a1c0f638a713c5e81cc916 (patch)
treee7b28f284083eb4ac57f14d7c6a83f77621253f9
parent6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f (diff)
Still a bit hacky, but this catches some more corner cases in setting the user variable, which is complicated by the fact that an admin might be accessing data for another user.
-rw-r--r--billing/app/controllers/billing_base_controller.rb6
-rw-r--r--billing/app/controllers/payments_controller.rb4
-rw-r--r--billing/app/controllers/subscriptions_controller.rb4
-rw-r--r--billing/app/views/customer/confirm.html.haml2
-rw-r--r--billing/app/views/customer/edit.html.haml2
-rw-r--r--billing/app/views/payments/confirm.html.haml6
-rw-r--r--billing/app/views/subscriptions/destroy.html.haml2
-rw-r--r--billing/app/views/subscriptions/show.html.haml3
8 files changed, 17 insertions, 12 deletions
diff --git a/billing/app/controllers/billing_base_controller.rb b/billing/app/controllers/billing_base_controller.rb
index f6e233b..06820a6 100644
--- a/billing/app/controllers/billing_base_controller.rb
+++ b/billing/app/controllers/billing_base_controller.rb
@@ -7,11 +7,15 @@ class BillingBaseController < ApplicationController
def assign_user
if params[:user_id]
@user = User.find_by_param(params[:user_id])
- elsif params[:action] == "confirm" # confirms will come back with different ID set, so check for this first
+ elsif params[:action] == "confirm" or params[:action] == "destroy" # confirms and subscription deletes will come back with different ID set, so check for this first
# This is only for cases where an admin cannot apply action for customer, but should be all confirms
@user = current_user
elsif params[:id]
@user = User.find_by_param(params[:id])
+ else
+ # TODO
+ # hacky, what are cases where @user hasn't yet been set? certainly some cases with subscriptions and payments
+ @user = current_user
end
end
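Review bot: The `params[:user_id]` and `params[:id]` branches resolve `@user` to whatever user the request names without checking that `current_user` is that user or an admin, so unless a filter outside this hunk enforces it, any logged-in user can reach another user's billing data by supplying that user's id. The commit message says the `user_id` path exists for admins, so the guard belongs right here, after the chain: `access_denied unless @user and (admin? or @user == current_user)`. The `else` and confirm/destroy branches assign `current_user`, which is nil for an anonymous request and will raise on the first `@user.id` downstream unless a login filter runs before `assign_user`. Minor: `or` in the `elsif` condition is the low-precedence keyword form; `||` is the conventional choice for a boolean expression.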
diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb
index 3ffc5a3..226f5a0 100644
--- a/billing/app/controllers/payments_controller.rb
+++ b/billing/app/controllers/payments_controller.rb
@@ -27,8 +27,8 @@ class PaymentsController < BillingBaseController
def fetch_transparent_redirect
- if @user = current_user #set user for navigation
- if @customer = Customer.find_by_user_id(current_user.id)
+ if logged_in?
+ if @customer = Customer.find_by_user_id(@user.id)
@customer.with_braintree_data!
braintree_customer_id = @customer.braintree_customer_id
@default_cc = @customer.default_credit_card
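Review bot: The new guard on the first changed line tests `logged_in?`, a property of `current_user`, but the lookup on the next line uses `@user`, which `assign_user` may have resolved from `params[:user_id]` to a different account, so the guard no longer ties the transparent-redirect setup to the requester. It also does not cover `@user` being nil when `find_by_param` finds nothing, in which case `@user.id` raises. Something like `if logged_in? and @user and (admin? or @user == current_user)` keeps the admin case the commit message describes while closing both gaps. The body of `fetch_transparent_redirect` continues past the end of this hunk.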
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index 8030c88..e5af0a3 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -30,13 +30,13 @@ class SubscriptionsController < BillingBaseController
def fetch_subscription
@subscription = Braintree::Subscription.find params[:id]
@subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
- @customer = Customer.find_by_user_id(current_user.id)
+ @customer = Customer.find_by_user_id(@user.id) # todo: ???
access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id)
# TODO: will presumably want to allow admins to view/cancel subscriptions for all users
end
def confirm_no_active_subscription
- @customer = Customer.find_by_user_id(current_user.id)
+ @customer = Customer.find_by_user_id(@user.id)
if subscription = @customer.subscriptions # will return active subscription, if it exists
redirect_to subscription_path(subscription.id), :notice => 'You already have an active subscription'
end
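Review bot: In `fetch_subscription` the access check now compares the subscription's customer against `@customer`, which is derived from `@user` rather than `current_user`; since `assign_user` fills `@user` from `params[:user_id]` when present, a non-admin can satisfy the check for another user's subscription by naming that user, which the old `current_user.id` lookup did not allow. Bind the non-admin branch back to the requester: `access_denied unless admin? or (@user == current_user and @customer and @customer.braintree_customer_id == @subscription_customer_id)`. In `confirm_no_active_subscription`, `@customer.subscriptions` is called without a nil check, so a user with no Customer row gets a NoMethodError instead of a redirect; `if @customer and (subscription = @customer.subscriptions)` would cover it. The `# todo: ???` on the changed line should say what is unresolved — presumably whether `@user` or `current_user` is the right subject for this lookup.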
diff --git a/billing/app/views/customer/confirm.html.haml b/billing/app/views/customer/confirm.html.haml
index 49a1e91..877a8ac 100644
--- a/billing/app/views/customer/confirm.html.haml
+++ b/billing/app/views/customer/confirm.html.haml
@@ -10,5 +10,5 @@
%dt Credit Card
- @result.customer.credit_cards.each do |cc|
%dd= cc.masked_number
-- customer = Customer.find_by_user_id(current_user.id)
+- customer = Customer.find_by_user_id(@user.id)
= link_to 'View Customer Info', show_customer_path(@user.id), :class=> :btn \ No newline at end of file
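Review bot: The rewritten `customer = Customer.find_by_user_id(@user.id)` line is dead: `customer` is never referenced in the one remaining line of this template (the file ends at the link), so it is a database round-trip with no effect. Drop the line, or if the lookup is meant to guard the link, use it: `- if Customer.find_by_user_id(@user.id)` around the `link_to`. Also, the path helper here receives `@user.id` while the other views in this commit pass `@user`; both presumably resolve through `to_param`, but one form would be easier to audit.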
diff --git a/billing/app/views/customer/edit.html.haml b/billing/app/views/customer/edit.html.haml
index 8a232c5..e882d53 100644
--- a/billing/app/views/customer/edit.html.haml
+++ b/billing/app/views/customer/edit.html.haml
@@ -20,4 +20,4 @@
= hidden_field_tag :tr_data, @tr_data
.form-actions
= f.submit t(:save_customer_info), :class => 'btn btn-primary'
- = link_to t(:cancel), show_customer_path(@customer), :class=> :btn
+ = link_to t(:cancel), show_customer_path(@user), :class=> :btn
diff --git a/billing/app/views/payments/confirm.html.haml b/billing/app/views/payments/confirm.html.haml
index 9479eb9..640c30a 100644
--- a/billing/app/views/payments/confirm.html.haml
+++ b/billing/app/views/payments/confirm.html.haml
@@ -24,6 +24,6 @@
%tr
%td Card Type:
%td= h @result.transaction.credit_card_details.card_type
-- if current_user
- - customer = Customer.find_by_user_id(current_user.id)
- = link_to 'View Customer Info', show_customer_path(customer.braintree_customer_id), :class=> :btn \ No newline at end of file
+- if logged_in?
+ - customer = Customer.find_by_user_id(@user.id)
+ = link_to 'View Customer Info', show_customer_path(@user.id), :class=> :btn \ No newline at end of file
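Review bot: As in `customer/confirm.html.haml`, the `customer` local assigned on the second changed line is unused now that the link takes `@user.id`; the lookup costs a query and nothing reads it. Either remove it or make the link conditional on it: `- if logged_in? and Customer.find_by_user_id(@user.id)`. The `if logged_in?` guard itself is worth keeping, since `@user` falls back to `current_user` in `assign_user` and would be nil for an anonymous request.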
diff --git a/billing/app/views/subscriptions/destroy.html.haml b/billing/app/views/subscriptions/destroy.html.haml
index e7ed6e8..44b4333 100644
--- a/billing/app/views/subscriptions/destroy.html.haml
+++ b/billing/app/views/subscriptions/destroy.html.haml
@@ -4,4 +4,4 @@
Error:
= @result.message
%p
- = link_to 'Customer Information', show_customer_path(@customer.braintree_customer_id), :class=> :btn \ No newline at end of file
+ = link_to 'Customer Information', show_customer_path(@user), :class=> :btn \ No newline at end of file
diff --git a/billing/app/views/subscriptions/show.html.haml b/billing/app/views/subscriptions/show.html.haml
index 10eb667..ebb7e0d 100644
--- a/billing/app/views/subscriptions/show.html.haml
+++ b/billing/app/views/subscriptions/show.html.haml
@@ -3,4 +3,5 @@
Current
Subscription
= render :partial => "subscription_details", :locals => {:subscription => @subscription}
-= link_to t(:cancel_subscription), subscription_path, :confirm => t(:are_you_sure), :method => :delete, :class => 'btn btn-danger' if @subscription.status == 'Active' # permission check or should that just be on show?
+- if @user == current_user
+ = link_to t(:cancel_subscription), subscription_path(@subscription.id), :confirm => t(:are_you_sure), :method => :delete, :class => 'btn btn-danger' if @subscription.status == 'Active' # permission check or should that just be on show?
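Review bot: The new `- if @user == current_user` only hides the cancel link; the trailing comment asks whether this is the permission check, and it is not — authorization for the DELETE is whatever `SubscriptionsController#fetch_subscription` enforces, and hiding a button does not stop a crafted request. Replace the question with a statement of intent so the next reader does not mistake this for enforcement, e.g. `# UI only: authorization is enforced server-side in SubscriptionsController#fetch_subscription`. Note that an admin viewing another user's subscription (where `@user != current_user`) now loses the cancel link, which is consistent with the controller's TODO that admin cancellation is still open.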