diff options
| -rw-r--r-- | billing/app/controllers/subscriptions_controller.rb | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb index 9633830..1f15954 100644 --- a/billing/app/controllers/subscriptions_controller.rb +++ b/billing/app/controllers/subscriptions_controller.rb @@ -1,5 +1,6 @@ class SubscriptionsController < ApplicationController before_filter :authorize + before_filter :fetch_subscription, :only => [:show, :destroy] def new # don't show link to subscribe if they are already subscribed? @@ -14,18 +15,24 @@ class SubscriptionsController < ApplicationController end end - def show - @subscription = Braintree::Subscription.find params[:id] - end - + # show has no content, so not needed at this point. def create @result = Braintree::Subscription.create( :payment_method_token => params[:payment_method_token], :plan_id => params[:plan_id] ) end def destroy - # TODO add permission check @result = Braintree::Subscription.cancel params[:id] end + private + + def fetch_subscription + @subscription = Braintree::Subscription.find params[:id] + subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer + customer = Customer.find_by_user_id(current_user.id) + access_denied unless customer and customer.braintree_customer_id == subscription_customer_id + # TODO: will presumably want to allow admins to view/cancel subscriptions for all users + end + end |