diff options
author | jessib <jessib@riseup.net> | 2013-08-06 14:21:08 -0700 |
---|---|---|
committer | jessib <jessib@riseup.net> | 2013-08-06 14:21:08 -0700 |
commit | 6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f (patch) | |
tree | 501cd66ee60980711983a6860ea00fcaf2dd8639 /billing/app/controllers | |
parent | 926ab284677079c8ea02013e8af0647d3a1ce516 (diff) |
Some more tweaks to have billing code work, and allow admins to view but not edit for other users.
Diffstat (limited to 'billing/app/controllers')
5 files changed, 29 insertions, 26 deletions
diff --git a/billing/app/controllers/billing_base_controller.rb b/billing/app/controllers/billing_base_controller.rb index 67dff72..f6e233b 100644 --- a/billing/app/controllers/billing_base_controller.rb +++ b/billing/app/controllers/billing_base_controller.rb @@ -4,12 +4,14 @@ class BillingBaseController < ApplicationController helper 'billing' # required for navigation to work. - #TODO doesn't work for admins def assign_user - if params[:id] + if params[:user_id] + @user = User.find_by_param(params[:user_id]) + elsif params[:action] == "confirm" # confirms will come back with different ID set, so check for this first + # This is only for cases where an admin cannot apply action for customer, but should be all confirms + @user = current_user + elsif params[:id] @user = User.find_by_param(params[:id]) - else - @user = current_user #TODO not always correct for admins viewing another user! end end diff --git a/billing/app/controllers/credit_card_info_controller.rb b/billing/app/controllers/credit_card_info_controller.rb index 75865fe..717fa18 100644 --- a/billing/app/controllers/credit_card_info_controller.rb +++ b/billing/app/controllers/credit_card_info_controller.rb @@ -3,7 +3,7 @@ class CreditCardInfoController < ApplicationController def edit @credit_card = Braintree::CreditCard.find(params[:id]) - customer = Customer.find_by_user_id(current_user.id) + customer = Customer.find_by_user_id(@user.id) if customer and customer.braintree_customer_id == @credit_card.customer_id @tr_data = Braintree::TransparentRedirect. update_credit_card_data(:redirect_url => confirm_credit_card_info_url, @@ -27,7 +27,8 @@ class CreditCardInfoController < ApplicationController private - def set_user + def set_user + # this assumes anybody, even an admin, will not access for another user. @user = current_user end diff --git a/billing/app/controllers/customer_controller.rb b/billing/app/controllers/customer_controller.rb index f38f77e..0120e91 100644 --- a/billing/app/controllers/customer_controller.rb +++ b/billing/app/controllers/customer_controller.rb @@ -1,18 +1,18 @@ class CustomerController < BillingBaseController - before_filter :authorize + before_filter :authorize, :fetch_customer def show - if customer = fetch_customer - customer.with_braintree_data! - @default_cc = customer.default_credit_card #TODO not actually right way - @active_subscription = customer.subscriptions - @transactions = customer.braintree_customer.transactions + if @customer + @customer.with_braintree_data! + @default_cc = @customer.default_credit_card #TODO not actually right way + @active_subscription = @customer.subscriptions + @transactions = @customer.braintree_customer.transactions end end def new - if customer.has_payment_info? - redirect_to edit_customer_path(customer), :notice => 'Here is your saved customer data' + if @customer.has_payment_info? + redirect_to edit_customer_path(@user), :notice => 'Here is your saved customer data' else fetch_new_transparent_redirect_data end @@ -24,12 +24,11 @@ class CustomerController < BillingBaseController def confirm @result = Braintree::TransparentRedirect.confirm(request.query_string) - if @result.success? - customer.braintree_customer = @result.customer - customer.save + @customer.braintree_customer = @result.customer + @customer.save render :action => "confirm" - elsif customer.has_payment_info? + elsif @customer.has_payment_info? fetch_edit_transparent_redirect_data render :action => "edit" else @@ -41,16 +40,18 @@ class CustomerController < BillingBaseController protected def fetch_new_transparent_redirect_data + access_denied unless @user == current_user # admins cannot do this for others @tr_data = Braintree::TransparentRedirect. create_customer_data(:redirect_url => confirm_customer_url) end def fetch_edit_transparent_redirect_data - customer.with_braintree_data! - @default_cc = customer.default_credit_card + access_denied unless @user == current_user # admins cannot do this for others + @customer.with_braintree_data! + @default_cc = @customer.default_credit_card @tr_data = Braintree::TransparentRedirect. update_customer_data(:redirect_url => confirm_customer_url, - :customer_id => customer.braintree_customer_id) ##?? + :customer_id => @customer.braintree_customer_id) ##?? end def fetch_customer @@ -58,8 +59,6 @@ class CustomerController < BillingBaseController if @user == current_user @customer ||= Customer.new(user: @user) end - # TODO will want case for admins, presumably access_denied unless (@customer and (@customer.user == current_user)) or admin? - return @customer end end diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb index 224b78e..3ffc5a3 100644 --- a/billing/app/controllers/payments_controller.rb +++ b/billing/app/controllers/payments_controller.rb @@ -16,9 +16,10 @@ class PaymentsController < BillingBaseController end def index - customer = Customer.find_by_user_id(current_user.id) + customer = Customer.find_by_user_id(@user.id) braintree_data = Braintree::Customer.find(customer.braintree_customer_id) # these will be ordered by created_at descending, per http://stackoverflow.com/questions/16425475/ + # TODO permissions @transactions = braintree_data.transactions end diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb index 38dbff1..8030c88 100644 --- a/billing/app/controllers/subscriptions_controller.rb +++ b/billing/app/controllers/subscriptions_controller.rb @@ -21,7 +21,7 @@ class SubscriptionsController < BillingBaseController end def index - customer = Customer.find_by_user_id(current_user.id) + customer = Customer.find_by_user_id(@user.id) @subscriptions = customer.subscriptions(nil, false) end @@ -31,7 +31,7 @@ class SubscriptionsController < BillingBaseController @subscription = Braintree::Subscription.find params[:id] @subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer @customer = Customer.find_by_user_id(current_user.id) - access_denied unless @customer and @customer.braintree_customer_id == @subscription_customer_id + access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id) # TODO: will presumably want to allow admins to view/cancel subscriptions for all users end |