Some more tweaks to have billing code work, and allow admins to view but not edit for other users.

author: jessib <jessib@riseup.net> 2013-08-06 14:21:08 -0700
committer: jessib <jessib@riseup.net> 2013-08-06 14:21:08 -0700
commit: 6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f (patch)
tree: 501cd66ee60980711983a6860ea00fcaf2dd8639 /billing/app/controllers/subscriptions_controller.rb
parent: 926ab284677079c8ea02013e8af0647d3a1ce516 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index 38dbff1..8030c88 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -21,7 +21,7 @@ class SubscriptionsController < BillingBaseController
   end
 
   def index
-    customer = Customer.find_by_user_id(current_user.id)
+    customer = Customer.find_by_user_id(@user.id)
     @subscriptions = customer.subscriptions(nil, false)
   end
 
@@ -31,7 +31,7 @@ class SubscriptionsController < BillingBaseController
     @subscription = Braintree::Subscription.find params[:id]
     @subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
     @customer = Customer.find_by_user_id(current_user.id)
-    access_denied unless @customer and @customer.braintree_customer_id == @subscription_customer_id
+    access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id)
     # TODO: will presumably want to allow admins to view/cancel subscriptions for all users
   end
author	jessib <jessib@riseup.net>	2013-08-06 14:21:08 -0700
committer	jessib <jessib@riseup.net>	2013-08-06 14:21:08 -0700
commit	6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f (patch)
tree	501cd66ee60980711983a6860ea00fcaf2dd8639 /billing/app/controllers/subscriptions_controller.rb
parent	926ab284677079c8ea02013e8af0647d3a1ce516 (diff)