diff options
author | jessib <jessib@riseup.net> | 2013-08-08 11:48:16 -0700 |
---|---|---|
committer | jessib <jessib@riseup.net> | 2013-08-08 11:48:16 -0700 |
commit | d4283be8b1e33d30d2a1c0f638a713c5e81cc916 (patch) | |
tree | e7b28f284083eb4ac57f14d7c6a83f77621253f9 /billing/app | |
parent | 6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f (diff) |
Still a bit hacky, but catching some more corner cases as far as setting the user variable, due to complication that an admin might be accessing data for another user.
Diffstat (limited to 'billing/app')
-rw-r--r-- | billing/app/controllers/billing_base_controller.rb | 6 | ||||
-rw-r--r-- | billing/app/controllers/payments_controller.rb | 4 | ||||
-rw-r--r-- | billing/app/controllers/subscriptions_controller.rb | 4 | ||||
-rw-r--r-- | billing/app/views/customer/confirm.html.haml | 2 | ||||
-rw-r--r-- | billing/app/views/customer/edit.html.haml | 2 | ||||
-rw-r--r-- | billing/app/views/payments/confirm.html.haml | 6 | ||||
-rw-r--r-- | billing/app/views/subscriptions/destroy.html.haml | 2 | ||||
-rw-r--r-- | billing/app/views/subscriptions/show.html.haml | 3 |
8 files changed, 17 insertions, 12 deletions
diff --git a/billing/app/controllers/billing_base_controller.rb b/billing/app/controllers/billing_base_controller.rb index f6e233b..06820a6 100644 --- a/billing/app/controllers/billing_base_controller.rb +++ b/billing/app/controllers/billing_base_controller.rb @@ -7,11 +7,15 @@ class BillingBaseController < ApplicationController def assign_user if params[:user_id] @user = User.find_by_param(params[:user_id]) - elsif params[:action] == "confirm" # confirms will come back with different ID set, so check for this first + elsif params[:action] == "confirm" or params[:action] == "destroy" # confirms and subscription deletes will come back with different ID set, so check for this first # This is only for cases where an admin cannot apply action for customer, but should be all confirms @user = current_user elsif params[:id] @user = User.find_by_param(params[:id]) + else + # TODO + # hacky, what are cases where @user hasn't yet been set? certainly some cases with subscriptions and payments + @user = current_user end end diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb index 3ffc5a3..226f5a0 100644 --- a/billing/app/controllers/payments_controller.rb +++ b/billing/app/controllers/payments_controller.rb @@ -27,8 +27,8 @@ class PaymentsController < BillingBaseController def fetch_transparent_redirect - if @user = current_user #set user for navigation - if @customer = Customer.find_by_user_id(current_user.id) + if logged_in? + if @customer = Customer.find_by_user_id(@user.id) @customer.with_braintree_data! braintree_customer_id = @customer.braintree_customer_id @default_cc = @customer.default_credit_card diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb index 8030c88..e5af0a3 100644 --- a/billing/app/controllers/subscriptions_controller.rb +++ b/billing/app/controllers/subscriptions_controller.rb @@ -30,13 +30,13 @@ class SubscriptionsController < BillingBaseController def fetch_subscription @subscription = Braintree::Subscription.find params[:id] @subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer - @customer = Customer.find_by_user_id(current_user.id) + @customer = Customer.find_by_user_id(@user.id) # todo: ??? access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id) # TODO: will presumably want to allow admins to view/cancel subscriptions for all users end def confirm_no_active_subscription - @customer = Customer.find_by_user_id(current_user.id) + @customer = Customer.find_by_user_id(@user.id) if subscription = @customer.subscriptions # will return active subscription, if it exists redirect_to subscription_path(subscription.id), :notice => 'You already have an active subscription' end diff --git a/billing/app/views/customer/confirm.html.haml b/billing/app/views/customer/confirm.html.haml index 49a1e91..877a8ac 100644 --- a/billing/app/views/customer/confirm.html.haml +++ b/billing/app/views/customer/confirm.html.haml @@ -10,5 +10,5 @@ %dt Credit Card - @result.customer.credit_cards.each do |cc| %dd= cc.masked_number -- customer = Customer.find_by_user_id(current_user.id) +- customer = Customer.find_by_user_id(@user.id) = link_to 'View Customer Info', show_customer_path(@user.id), :class=> :btn
\ No newline at end of file diff --git a/billing/app/views/customer/edit.html.haml b/billing/app/views/customer/edit.html.haml index 8a232c5..e882d53 100644 --- a/billing/app/views/customer/edit.html.haml +++ b/billing/app/views/customer/edit.html.haml @@ -20,4 +20,4 @@ = hidden_field_tag :tr_data, @tr_data .form-actions = f.submit t(:save_customer_info), :class => 'btn btn-primary' - = link_to t(:cancel), show_customer_path(@customer), :class=> :btn + = link_to t(:cancel), show_customer_path(@user), :class=> :btn diff --git a/billing/app/views/payments/confirm.html.haml b/billing/app/views/payments/confirm.html.haml index 9479eb9..640c30a 100644 --- a/billing/app/views/payments/confirm.html.haml +++ b/billing/app/views/payments/confirm.html.haml @@ -24,6 +24,6 @@ %tr %td Card Type: %td= h @result.transaction.credit_card_details.card_type -- if current_user - - customer = Customer.find_by_user_id(current_user.id) - = link_to 'View Customer Info', show_customer_path(customer.braintree_customer_id), :class=> :btn
\ No newline at end of file +- if logged_in? + - customer = Customer.find_by_user_id(@user.id) + = link_to 'View Customer Info', show_customer_path(@user.id), :class=> :btn
\ No newline at end of file diff --git a/billing/app/views/subscriptions/destroy.html.haml b/billing/app/views/subscriptions/destroy.html.haml index e7ed6e8..44b4333 100644 --- a/billing/app/views/subscriptions/destroy.html.haml +++ b/billing/app/views/subscriptions/destroy.html.haml @@ -4,4 +4,4 @@ Error: = @result.message %p - = link_to 'Customer Information', show_customer_path(@customer.braintree_customer_id), :class=> :btn
\ No newline at end of file + = link_to 'Customer Information', show_customer_path(@user), :class=> :btn
\ No newline at end of file diff --git a/billing/app/views/subscriptions/show.html.haml b/billing/app/views/subscriptions/show.html.haml index 10eb667..ebb7e0d 100644 --- a/billing/app/views/subscriptions/show.html.haml +++ b/billing/app/views/subscriptions/show.html.haml @@ -3,4 +3,5 @@ Current Subscription = render :partial => "subscription_details", :locals => {:subscription => @subscription} -= link_to t(:cancel_subscription), subscription_path, :confirm => t(:are_you_sure), :method => :delete, :class => 'btn btn-danger' if @subscription.status == 'Active' # permission check or should that just be on show? +- if @user == current_user + = link_to t(:cancel_subscription), subscription_path(@subscription.id), :confirm => t(:are_you_sure), :method => :delete, :class => 'btn btn-danger' if @subscription.status == 'Active' # permission check or should that just be on show? |