Some permission checks for viewing/cancelling subscriptions.

1 files changed, 12 insertions, 5 deletions

diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index 9633830..1f15954 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -1,5 +1,6 @@
 class SubscriptionsController < ApplicationController
   before_filter :authorize
+  before_filter :fetch_subscription, :only => [:show, :destroy]
 
   def new
     # don't show link to subscribe if they are already subscribed?
@@ -14,18 +15,24 @@ class SubscriptionsController < ApplicationController
     end
   end
 
-  def show
-    @subscription = Braintree::Subscription.find params[:id]
-  end
-
+  # show has no content, so not needed at this point.
 
   def create
     @result = Braintree::Subscription.create( :payment_method_token => params[:payment_method_token], :plan_id => params[:plan_id] )
   end
 
   def destroy
-    # TODO add permission check
     @result = Braintree::Subscription.cancel params[:id]
   end
 
+  private
+
+  def fetch_subscription
+    @subscription = Braintree::Subscription.find params[:id]
+    subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
+    customer = Customer.find_by_user_id(current_user.id)
+    access_denied unless customer and customer.braintree_customer_id == subscription_customer_id
+    # TODO: will presumably want to allow admins to view/cancel subscriptions for all users
+  end
+
 end