diff options
| author | jessib <jessib@riseup.net> | 2013-08-08 11:48:16 -0700 |
|---|---|---|
| committer | jessib <jessib@riseup.net> | 2013-08-08 11:48:16 -0700 |
| commit | d4283be8b1e33d30d2a1c0f638a713c5e81cc916 (patch) | |
| tree | e7b28f284083eb4ac57f14d7c6a83f77621253f9 /billing/app/controllers | |
| parent | 6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f (diff) | |
Still a bit hacky, but catching some more corner cases as far as setting the user variable, due to complication that an admin might be accessing data for another user.
Diffstat (limited to 'billing/app/controllers')
| -rw-r--r-- | billing/app/controllers/billing_base_controller.rb | 6 | ||||
| -rw-r--r-- | billing/app/controllers/payments_controller.rb | 4 | ||||
| -rw-r--r-- | billing/app/controllers/subscriptions_controller.rb | 4 |
3 files changed, 9 insertions, 5 deletions
diff --git a/billing/app/controllers/billing_base_controller.rb b/billing/app/controllers/billing_base_controller.rb index f6e233b..06820a6 100644 --- a/billing/app/controllers/billing_base_controller.rb +++ b/billing/app/controllers/billing_base_controller.rb @@ -7,11 +7,15 @@ class BillingBaseController < ApplicationController def assign_user if params[:user_id] @user = User.find_by_param(params[:user_id]) - elsif params[:action] == "confirm" # confirms will come back with different ID set, so check for this first + elsif params[:action] == "confirm" or params[:action] == "destroy" # confirms and subscription deletes will come back with different ID set, so check for this first # This is only for cases where an admin cannot apply action for customer, but should be all confirms @user = current_user elsif params[:id] @user = User.find_by_param(params[:id]) + else + # TODO + # hacky, what are cases where @user hasn't yet been set? certainly some cases with subscriptions and payments + @user = current_user end end diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb index 3ffc5a3..226f5a0 100644 --- a/billing/app/controllers/payments_controller.rb +++ b/billing/app/controllers/payments_controller.rb @@ -27,8 +27,8 @@ class PaymentsController < BillingBaseController def fetch_transparent_redirect - if @user = current_user #set user for navigation - if @customer = Customer.find_by_user_id(current_user.id) + if logged_in? + if @customer = Customer.find_by_user_id(@user.id) @customer.with_braintree_data! braintree_customer_id = @customer.braintree_customer_id @default_cc = @customer.default_credit_card diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb index 8030c88..e5af0a3 100644 --- a/billing/app/controllers/subscriptions_controller.rb +++ b/billing/app/controllers/subscriptions_controller.rb @@ -30,13 +30,13 @@ class SubscriptionsController < BillingBaseController def fetch_subscription @subscription = Braintree::Subscription.find params[:id] @subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer - @customer = Customer.find_by_user_id(current_user.id) + @customer = Customer.find_by_user_id(@user.id) # todo: ??? access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id) # TODO: will presumably want to allow admins to view/cancel subscriptions for all users end def confirm_no_active_subscription - @customer = Customer.find_by_user_id(current_user.id) + @customer = Customer.find_by_user_id(@user.id) if subscription = @customer.subscriptions # will return active subscription, if it exists redirect_to subscription_path(subscription.id), :notice => 'You already have an active subscription' end |