diff options
author | jessib <jessib@leap.se> | 2013-04-16 13:27:38 -0700 |
---|---|---|
committer | Azul <azul@leap.se> | 2013-07-17 10:47:13 +0200 |
commit | 6d1e5b052f88029039164e9a586d512f55679de4 (patch) | |
tree | 0f73153620d0de5911a8859264e69be401e6f9d2 | |
parent | e4ade0f1b153553dcfb993674fd8b4ecf87121e4 (diff) |
Some permission checks for viewing/cancelling subscriptions.
-rw-r--r-- | billing/app/controllers/subscriptions_controller.rb | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb index 9633830..1f15954 100644 --- a/billing/app/controllers/subscriptions_controller.rb +++ b/billing/app/controllers/subscriptions_controller.rb @@ -1,5 +1,6 @@ class SubscriptionsController < ApplicationController before_filter :authorize + before_filter :fetch_subscription, :only => [:show, :destroy] def new # don't show link to subscribe if they are already subscribed? @@ -14,18 +15,24 @@ class SubscriptionsController < ApplicationController end end - def show - @subscription = Braintree::Subscription.find params[:id] - end - + # show has no content, so not needed at this point. def create @result = Braintree::Subscription.create( :payment_method_token => params[:payment_method_token], :plan_id => params[:plan_id] ) end def destroy - # TODO add permission check @result = Braintree::Subscription.cancel params[:id] end + private + + def fetch_subscription + @subscription = Braintree::Subscription.find params[:id] + subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer + customer = Customer.find_by_user_id(current_user.id) + access_denied unless customer and customer.braintree_customer_id == subscription_customer_id + # TODO: will presumably want to allow admins to view/cancel subscriptions for all users + end + end |