summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjessib <jessib@leap.se>2013-04-16 13:27:38 -0700
committerAzul <azul@leap.se>2013-07-17 10:47:13 +0200
commit6d1e5b052f88029039164e9a586d512f55679de4 (patch)
tree0f73153620d0de5911a8859264e69be401e6f9d2
parente4ade0f1b153553dcfb993674fd8b4ecf87121e4 (diff)
Some permission checks for viewing/cancelling subscriptions.
-rw-r--r--billing/app/controllers/subscriptions_controller.rb17
1 files changed, 12 insertions, 5 deletions
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index 9633830..1f15954 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -1,5 +1,6 @@
class SubscriptionsController < ApplicationController
before_filter :authorize
+ before_filter :fetch_subscription, :only => [:show, :destroy]
def new
# don't show link to subscribe if they are already subscribed?
@@ -14,18 +15,24 @@ class SubscriptionsController < ApplicationController
end
end
- def show
- @subscription = Braintree::Subscription.find params[:id]
- end
-
+ # show has no content, so not needed at this point.
def create
@result = Braintree::Subscription.create( :payment_method_token => params[:payment_method_token], :plan_id => params[:plan_id] )
end
def destroy
- # TODO add permission check
@result = Braintree::Subscription.cancel params[:id]
end
+ private
+
+ def fetch_subscription
+ @subscription = Braintree::Subscription.find params[:id]
+ subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
+ customer = Customer.find_by_user_id(current_user.id)
+ access_denied unless customer and customer.braintree_customer_id == subscription_customer_id
+ # TODO: will presumably want to allow admins to view/cancel subscriptions for all users
+ end
+
end