authorjessib <jessib@riseup.net>2013-08-08 11:48:16 -0700
committerjessib <jessib@riseup.net>2013-08-08 11:48:16 -0700
commitd4283be8b1e33d30d2a1c0f638a713c5e81cc916 (patch)
treee7b28f284083eb4ac57f14d7c6a83f77621253f9 /billing
parent6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f (diff)
Still a bit hacky, but this catches some more corner cases when setting the user variable, given the complication that an admin might be accessing data for another user.
Diffstat (limited to 'billing')
-rw-r--r--billing/app/controllers/billing_base_controller.rb6
-rw-r--r--billing/app/controllers/payments_controller.rb4
-rw-r--r--billing/app/controllers/subscriptions_controller.rb4
-rw-r--r--billing/app/views/customer/confirm.html.haml2
-rw-r--r--billing/app/views/customer/edit.html.haml2
-rw-r--r--billing/app/views/payments/confirm.html.haml6
-rw-r--r--billing/app/views/subscriptions/destroy.html.haml2
-rw-r--r--billing/app/views/subscriptions/show.html.haml3
8 files changed, 17 insertions, 12 deletions
diff --git a/billing/app/controllers/billing_base_controller.rb b/billing/app/controllers/billing_base_controller.rb
index f6e233b..06820a6 100644
--- a/billing/app/controllers/billing_base_controller.rb
+++ b/billing/app/controllers/billing_base_controller.rb
@@ -7,11 +7,15 @@ class BillingBaseController < ApplicationController
def assign_user
if params[:user_id]
@user = User.find_by_param(params[:user_id])
- elsif params[:action] == "confirm" # confirms will come back with different ID set, so check for this first
+ elsif params[:action] == "confirm" or params[:action] == "destroy" # confirms and subscription deletes will come back with different ID set, so check for this first
# This is only for cases where an admin cannot apply action for customer, but should be all confirms
@user = current_user
elsif params[:id]
@user = User.find_by_param(params[:id])
+ else
+ # TODO
+ # hacky, what are cases where @user hasn't yet been set? certainly some cases with subscriptions and payments
+ @user = current_user
end
end
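Review bot: None of the branches of assign_user checks that current_user may act as the resolved @user, so a logged-in non-admin who supplies `user_id` (or `id`) resolves another user's record, and the callers changed in this commit then key their Customer lookups on `@user.id` (fetch_transparent_redirect in payments_controller.rb is gated only by `logged_in?`). If only admins are meant to act on behalf of other users, close the method with `access_denied unless admin? or @user == current_user`, the same helpers fetch_subscription in subscriptions_controller.rb already relies on; this also rejects an unknown `user_id`, since find_by_param then yields nil. The new `else` branch leaves `@user` nil when nobody is logged in and `@user.id` in the callers will raise, so the `# TODO` should name which actions are expected to reach it rather than asking. Prefer `||` over `or` on the new `elsif` line to match the surrounding boolean style.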
diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb
index 3ffc5a3..226f5a0 100644
--- a/billing/app/controllers/payments_controller.rb
+++ b/billing/app/controllers/payments_controller.rb
@@ -27,8 +27,8 @@ class PaymentsController < BillingBaseController
def fetch_transparent_redirect
- if @user = current_user #set user for navigation
- if @customer = Customer.find_by_user_id(current_user.id)
+ if logged_in?
+ if @customer = Customer.find_by_user_id(@user.id)
@customer.with_braintree_data!
braintree_customer_id = @customer.braintree_customer_id
@default_cc = @customer.default_credit_card
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index 8030c88..e5af0a3 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -30,13 +30,13 @@ class SubscriptionsController < BillingBaseController
def fetch_subscription
@subscription = Braintree::Subscription.find params[:id]
@subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
- @customer = Customer.find_by_user_id(current_user.id)
+ @customer = Customer.find_by_user_id(@user.id) # todo: ???
access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id)
# TODO: will presumably want to allow admins to view/cancel subscriptions for all users
end
def confirm_no_active_subscription
- @customer = Customer.find_by_user_id(current_user.id)
+ @customer = Customer.find_by_user_id(@user.id)
if subscription = @customer.subscriptions # will return active subscription, if it exists
redirect_to subscription_path(subscription.id), :notice => 'You already have an active subscription'
end
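Review bot: The `# todo: ???` on the new `@customer = Customer.find_by_user_id(@user.id)` line in fetch_subscription should state the intended ownership rule, because the `access_denied` on the following line now compares the subscription against @user's customer rather than current_user's: `# @user is the account being viewed (current_user unless an admin passed user_id); non-admins must own the subscription`. In confirm_no_active_subscription the same lookup is followed by `@customer.subscriptions`, which raises NoMethodError when that user has no Customer row yet; guard it with `if @customer and subscription = @customer.subscriptions`. The closing `end` of confirm_no_active_subscription and the enclosing class lie outside the hunk.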
diff --git a/billing/app/views/customer/confirm.html.haml b/billing/app/views/customer/confirm.html.haml
index 49a1e91..877a8ac 100644
--- a/billing/app/views/customer/confirm.html.haml
+++ b/billing/app/views/customer/confirm.html.haml
@@ -10,5 +10,5 @@
%dt Credit Card
- @result.customer.credit_cards.each do |cc|
%dd= cc.masked_number
-- customer = Customer.find_by_user_id(current_user.id)
+- customer = Customer.find_by_user_id(@user.id)
= link_to 'View Customer Info', show_customer_path(@user.id), :class=> :btn \ No newline at end of file
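Review bot: The new `- customer = Customer.find_by_user_id(@user.id)` line assigns a local that nothing in the visible template reads (the link below uses `@user.id`), so it is a database query in a view with no effect. Drop the line, or if the lookup is really needed move it into the controller and pass the result in. The same unused assignment is made in the payments/confirm.html.haml hunk below.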
diff --git a/billing/app/views/customer/edit.html.haml b/billing/app/views/customer/edit.html.haml
index 8a232c5..e882d53 100644
--- a/billing/app/views/customer/edit.html.haml
+++ b/billing/app/views/customer/edit.html.haml
@@ -20,4 +20,4 @@
= hidden_field_tag :tr_data, @tr_data
.form-actions
= f.submit t(:save_customer_info), :class => 'btn btn-primary'
- = link_to t(:cancel), show_customer_path(@customer), :class=> :btn
+ = link_to t(:cancel), show_customer_path(@user), :class=> :btn
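Review bot: `show_customer_path(@user)` here passes the record, while the other views touched in this commit pass `@user.id` (customer/confirm.html.haml and payments/confirm.html.haml). Both forms resolve through `to_param`, but using one form consistently keeps a reader from wondering whether the difference is deliberate; subscriptions/destroy.html.haml also uses the record form.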
diff --git a/billing/app/views/payments/confirm.html.haml b/billing/app/views/payments/confirm.html.haml
index 9479eb9..640c30a 100644
--- a/billing/app/views/payments/confirm.html.haml
+++ b/billing/app/views/payments/confirm.html.haml
@@ -24,6 +24,6 @@
%tr
%td Card Type:
%td= h @result.transaction.credit_card_details.card_type
-- if current_user
- - customer = Customer.find_by_user_id(current_user.id)
- = link_to 'View Customer Info', show_customer_path(customer.braintree_customer_id), :class=> :btn \ No newline at end of file
+- if logged_in?
+ - customer = Customer.find_by_user_id(@user.id)
+ = link_to 'View Customer Info', show_customer_path(@user.id), :class=> :btn \ No newline at end of file
diff --git a/billing/app/views/subscriptions/destroy.html.haml b/billing/app/views/subscriptions/destroy.html.haml
index e7ed6e8..44b4333 100644
--- a/billing/app/views/subscriptions/destroy.html.haml
+++ b/billing/app/views/subscriptions/destroy.html.haml
@@ -4,4 +4,4 @@
Error:
= @result.message
%p
- = link_to 'Customer Information', show_customer_path(@customer.braintree_customer_id), :class=> :btn \ No newline at end of file
+ = link_to 'Customer Information', show_customer_path(@user), :class=> :btn \ No newline at end of file
diff --git a/billing/app/views/subscriptions/show.html.haml b/billing/app/views/subscriptions/show.html.haml
index 10eb667..ebb7e0d 100644
--- a/billing/app/views/subscriptions/show.html.haml
+++ b/billing/app/views/subscriptions/show.html.haml
@@ -3,4 +3,5 @@
Current
Subscription
= render :partial => "subscription_details", :locals => {:subscription => @subscription}
-= link_to t(:cancel_subscription), subscription_path, :confirm => t(:are_you_sure), :method => :delete, :class => 'btn btn-danger' if @subscription.status == 'Active' # permission check or should that just be on show?
+- if @user == current_user
+ = link_to t(:cancel_subscription), subscription_path(@subscription.id), :confirm => t(:are_you_sure), :method => :delete, :class => 'btn btn-danger' if @subscription.status == 'Active' # permission check or should that just be on show?
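Review bot: The new `- if @user == current_user` only hides the cancel link; it is not the permission check the trailing comment asks about, since the DELETE itself is authorized by the `access_denied` line in fetch_subscription. It also hides the link for an admin viewing another user's subscription, which the TODO in subscriptions_controller.rb says should eventually be allowed, so replace the question with a statement: `# UI only: the DELETE is authorized in SubscriptionsController#fetch_subscription`. The two conditions can be folded into one, `- if @user == current_user && @subscription.status == 'Active'`, with the `= link_to` below it losing its trailing `if` modifier.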