author | jessib <jessib@riseup.net> | 2013-08-08 11:48:16 -0700 |
---|---|---|
committer | jessib <jessib@riseup.net> | 2013-08-08 11:48:16 -0700 |
commit | d4283be8b1e33d30d2a1c0f638a713c5e81cc916 (patch) | |
tree | e7b28f284083eb4ac57f14d7c6a83f77621253f9 | |
parent | 6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f (diff) |
Still a bit hacky, but catches some more corner cases in setting the user variable, due to the complication that an admin might be accessing data for another user.
-rw-r--r-- | billing/app/controllers/billing_base_controller.rb | 6 | ||||
-rw-r--r-- | billing/app/controllers/payments_controller.rb | 4 | ||||
-rw-r--r-- | billing/app/controllers/subscriptions_controller.rb | 4 | ||||
-rw-r--r-- | billing/app/views/customer/confirm.html.haml | 2 | ||||
-rw-r--r-- | billing/app/views/customer/edit.html.haml | 2 | ||||
-rw-r--r-- | billing/app/views/payments/confirm.html.haml | 6 | ||||
-rw-r--r-- | billing/app/views/subscriptions/destroy.html.haml | 2 | ||||
-rw-r--r-- | billing/app/views/subscriptions/show.html.haml | 3 |
8 files changed, 17 insertions, 12 deletions
diff --git a/billing/app/controllers/billing_base_controller.rb b/billing/app/controllers/billing_base_controller.rb
index f6e233b..06820a6 100644
--- a/billing/app/controllers/billing_base_controller.rb
+++ b/billing/app/controllers/billing_base_controller.rb
@@ -7,11 +7,15 @@ class BillingBaseController < ApplicationController
def assign_user
if params[:user_id]
@user = User.find_by_param(params[:user_id])
- elsif params[:action] == "confirm" # confirms will come back with different ID set, so check for this first
+ elsif params[:action] == "confirm" or params[:action] == "destroy" # confirms and subscription deletes will come back with different ID set, so check for this first
# This is only for cases where an admin cannot apply action for customer, but should be all confirms
@user = current_user
elsif params[:id]
@user = User.find_by_param(params[:id])
+ else
+ # TODO
+ # hacky, what are cases where @user hasn't yet been set? certainly some cases with subscriptions and payments
+ @user = current_user
end
end
diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb
index 3ffc5a3..226f5a0 100644
--- a/billing/app/controllers/payments_controller.rb
+++ b/billing/app/controllers/payments_controller.rb
@@ -27,8 +27,8 @@ class PaymentsController < BillingBaseController
def fetch_transparent_redirect
- if @user = current_user #set user for navigation
- if @customer = Customer.find_by_user_id(current_user.id)
+ if logged_in?
+ if @customer = Customer.find_by_user_id(@user.id)
@customer.with_braintree_data!
braintree_customer_id = @customer.braintree_customer_id
@default_cc = @customer.default_credit_card
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index 8030c88..e5af0a3 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
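Review bot: `assign_user` resolves `@user` straight from `params[:user_id]` or `params[:id]` with no check that the requester may act for that user, and the payments and subscriptions hunks in this commit now look customers up by `@user.id` rather than `current_user.id`, so a non-admin who supplies another user's id reaches that user's billing data unless some filter not visible here refuses it. The commit message frames this as admin-on-behalf-of-user access; put that rule where `@user` is chosen, e.g. as the method's last line `access_denied unless admin? or @user == current_user` (the helpers `fetch_subscription` already relies on, presumably defined in ApplicationController). The new `else` branch, like the confirm/destroy branch, assigns `current_user`, which is presumably nil for an unauthenticated request, so the downstream `@user.id` calls raise NoMethodError instead of denying; `access_denied unless @user` after the branches covers both. Style: prefer `||` over `or` in the `elsif` condition, since Ruby's low-precedence `or` is a known trap for later edits.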
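Review bot: `if logged_in?` guards on `current_user`, but the body dereferences `@user`, which `assign_user` may have set to a different user from `params[:user_id]`, or to nil when that lookup finds nothing, so `@customer.with_braintree_data!` and `@default_cc` either load another user's stored card details for the caller or raise NoMethodError. Guard on the object the code actually uses, `if @user`, and make sure an admin-or-owner check on `@user` has run before this filter. The body of `fetch_transparent_redirect` continues past the hunk, so what is done with `braintree_customer_id` and `@default_cc` is not visible here.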
@@ -30,13 +30,13 @@ class SubscriptionsController < BillingBaseController def fetch_subscription @subscription = Braintree::Subscription.find params[:id] @subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer - @customer = Customer.find_by_user_id(current_user.id) + @customer = Customer.find_by_user_id(@user.id) # todo: ??? access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id) # TODO: will presumably want to allow admins to view/cancel subscriptions for all users end def confirm_no_active_subscription - @customer = Customer.find_by_user_id(current_user.id) + @customer = Customer.find_by_user_id(@user.id) if subscription = @customer.subscriptions # will return active subscription, if it exists redirect_to subscription_path(subscription.id), :notice => 'You already have an active subscription' end diff --git a/billing/app/views/customer/confirm.html.haml b/billing/app/views/customer/confirm.html.haml index 49a1e91..877a8ac 100644 --- a/billing/app/views/customer/confirm.html.haml +++ b/billing/app/views/customer/confirm.html.haml @@ -10,5 +10,5 @@ %dt Credit Card - @result.customer.credit_cards.each do |cc| %dd= cc.masked_number -- customer = Customer.find_by_user_id(current_user.id) +- customer = Customer.find_by_user_id(@user.id) = link_to 'View Customer Info', show_customer_path(@user.id), :class=> :btn
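Review bot: In `fetch_subscription`, `@user` for `show` comes from `assign_user`'s `params[:id]` branch, and that id is the Braintree subscription id (the show view builds `subscription_path(@subscription.id)`, a flat route), so unless routing nests subscriptions under a user, `@user` is nil or an unrelated record and `Customer.find_by_user_id(@user.id)` either raises NoMethodError or feeds the wrong customer into the `access_denied` comparison. The ownership check is safest keyed on the requester, `@customer = Customer.find_by_user_id(current_user.id)`, with the admin-on-behalf case the commit message describes handled explicitly (the existing TODO already flags it). `confirm_no_active_subscription` still calls `@customer.subscriptions` with no nil guard for a user who has no Customer record yet; `return unless @customer` before the `if` avoids that crash. That method's closing `end` lies past the hunk, which ends on the `end` of its `if`.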
\ No newline at end of file
diff --git a/billing/app/views/customer/edit.html.haml b/billing/app/views/customer/edit.html.haml
index 8a232c5..e882d53 100644
--- a/billing/app/views/customer/edit.html.haml
+++ b/billing/app/views/customer/edit.html.haml
@@ -20,4 +20,4 @@
= hidden_field_tag :tr_data, @tr_data
.form-actions
= f.submit t(:save_customer_info), :class => 'btn btn-primary'
- = link_to t(:cancel), show_customer_path(@customer), :class=> :btn
+ = link_to t(:cancel), show_customer_path(@user), :class=> :btn
diff --git a/billing/app/views/payments/confirm.html.haml b/billing/app/views/payments/confirm.html.haml
index 9479eb9..640c30a 100644
--- a/billing/app/views/payments/confirm.html.haml
+++ b/billing/app/views/payments/confirm.html.haml
@@ -24,6 +24,6 @@
%tr
%td Card Type:
%td= h @result.transaction.credit_card_details.card_type
-- if current_user
- - customer = Customer.find_by_user_id(current_user.id)
- = link_to 'View Customer Info', show_customer_path(customer.braintree_customer_id), :class=> :btn
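Review bot: `customer` is assigned in `- customer = Customer.find_by_user_id(@user.id)` but never read now that the link is built from `@user.id`, so the line is a wasted lookup; drop it, or if the intent is to show the button only when a Customer record exists, wrap the link in `- if customer`. This view also dereferences `@user` with no fallback, so it depends on `assign_user` having resolved a non-nil user for the confirm action.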
\ No newline at end of file
+- if logged_in?
+ - customer = Customer.find_by_user_id(@user.id)
+ = link_to 'View Customer Info', show_customer_path(@user.id), :class=> :btn
\ No newline at end of file
diff --git a/billing/app/views/subscriptions/destroy.html.haml b/billing/app/views/subscriptions/destroy.html.haml
index e7ed6e8..44b4333 100644
--- a/billing/app/views/subscriptions/destroy.html.haml
+++ b/billing/app/views/subscriptions/destroy.html.haml
@@ -4,4 +4,4 @@
Error:
= @result.message
%p
- = link_to 'Customer Information', show_customer_path(@customer.braintree_customer_id), :class=> :btn
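Review bot: `- if logged_in?` tests `current_user` while the next two lines dereference `@user`, which the base controller may have resolved to a different user or to nil; guarding with `- if @user` matches what is actually used. The `customer` local is assigned and never read now that the link takes `@user.id`, so either drop `- customer = Customer.find_by_user_id(@user.id)` or make it the condition (`- if customer`) so the button only appears when a billing record exists.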
\ No newline at end of file
+ = link_to 'Customer Information', show_customer_path(@user), :class=> :btn
\ No newline at end of file
diff --git a/billing/app/views/subscriptions/show.html.haml b/billing/app/views/subscriptions/show.html.haml
index 10eb667..ebb7e0d 100644
--- a/billing/app/views/subscriptions/show.html.haml
+++ b/billing/app/views/subscriptions/show.html.haml
@@ -3,4 +3,5 @@
Current Subscription
= render :partial => "subscription_details", :locals => {:subscription => @subscription}
-= link_to t(:cancel_subscription), subscription_path, :confirm => t(:are_you_sure), :method => :delete, :class => 'btn btn-danger' if @subscription.status == 'Active' # permission check or should that just be on show?
+- if @user == current_user
+ = link_to t(:cancel_subscription), subscription_path(@subscription.id), :confirm => t(:are_you_sure), :method => :delete, :class => 'btn btn-danger' if @subscription.status == 'Active' # permission check or should that just be on show? |
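Review bot: `- if @user == current_user` only hides the cancel link, which is acceptable because the real enforcement is `fetch_subscription`'s `access_denied`, but the condition itself is fragile: for `show` the base controller derives `@user` from `params[:id]`, which here is the subscription id, so unless routing nests subscriptions under a user the comparison is false for the owner as well and the button never renders. Decide ownership where both ids are already known, by setting `@owns_subscription = @customer && @customer.braintree_customer_id == @subscription_customer_id` in `fetch_subscription` and testing `- if @owns_subscription` here; that also answers the inline "permission check or should that just be on show?" question. Passing `subscription_path(@subscription.id)` explicitly is an improvement over the bare `subscription_path`, which depended on the current request's `params[:id]`.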