diff options
4 files changed, 13 insertions, 5 deletions
diff --git a/billing/app/controllers/customer_controller.rb b/billing/app/controllers/customer_controller.rb index 0120e91..901cb34 100644 --- a/billing/app/controllers/customer_controller.rb +++ b/billing/app/controllers/customer_controller.rb @@ -4,7 +4,7 @@ class CustomerController < BillingBaseController def show if @customer @customer.with_braintree_data! - @default_cc = @customer.default_credit_card #TODO not actually right way + @default_cc = @customer.default_credit_card @active_subscription = @customer.subscriptions @transactions = @customer.braintree_customer.transactions end diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb index 226f5a0..17ac0f3 100644 --- a/billing/app/controllers/payments_controller.rb +++ b/billing/app/controllers/payments_controller.rb @@ -16,10 +16,10 @@ class PaymentsController < BillingBaseController end def index + access_denied unless admin? or (@user == current_user) customer = Customer.find_by_user_id(@user.id) braintree_data = Braintree::Customer.find(customer.braintree_customer_id) # these will be ordered by created_at descending, per http://stackoverflow.com/questions/16425475/ - # TODO permissions @transactions = braintree_data.transactions end diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb index e5af0a3..4047847 100644 --- a/billing/app/controllers/subscriptions_controller.rb +++ b/billing/app/controllers/subscriptions_controller.rb @@ -2,6 +2,8 @@ class SubscriptionsController < BillingBaseController before_filter :authorize before_filter :fetch_subscription, :only => [:show, :destroy] before_filter :confirm_no_active_subscription, :only => [:new, :create] + # for now, admins cannot create or destroy subscriptions for others: + before_filter :confirm_self, :only => [:destroy, :new, :create] def new # don't show link to subscribe if they are already subscribed? @@ -30,9 +32,9 @@ class SubscriptionsController < BillingBaseController def fetch_subscription @subscription = Braintree::Subscription.find params[:id] @subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer - @customer = Customer.find_by_user_id(@user.id) # todo: ??? - access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id) - # TODO: will presumably want to allow admins to view/cancel subscriptions for all users + current_user_customer = Customer.find_by_user_id(current_user.id) + access_denied unless admin? or (current_user_customer and current_user_customer.braintree_customer_id == @subscription_customer_id) + end def confirm_no_active_subscription @@ -42,4 +44,8 @@ class SubscriptionsController < BillingBaseController end end + def confirm_self + @user == current_user + end + end diff --git a/billing/test/integration/customer_creation_test.rb b/billing/test/integration/customer_creation_test.rb index 9555ef1..5e3734c 100644 --- a/billing/test/integration/customer_creation_test.rb +++ b/billing/test/integration/customer_creation_test.rb @@ -59,10 +59,12 @@ class CustomerCreationTest < ActionDispatch::IntegrationTest skip "cannot get customer creation to fail" FakeBraintree.decline_all_cards! + response = post_transparent_redirect :create_customer_data, customer: FactoryGirl.attributes_for(:broken_customer), redirect_url: confirm_customer_url + assert FakeBraintree.decline_all_cards? assert_no_difference("Customer.count") do post response['Location'] #this gives me a timeout when run alone end |