summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--billing/app/controllers/customer_controller.rb2
-rw-r--r--billing/app/controllers/payments_controller.rb2
-rw-r--r--billing/app/controllers/subscriptions_controller.rb12
-rw-r--r--billing/test/integration/customer_creation_test.rb2
4 files changed, 13 insertions, 5 deletions
diff --git a/billing/app/controllers/customer_controller.rb b/billing/app/controllers/customer_controller.rb
index 0120e91..901cb34 100644
--- a/billing/app/controllers/customer_controller.rb
+++ b/billing/app/controllers/customer_controller.rb
@@ -4,7 +4,7 @@ class CustomerController < BillingBaseController
def show
if @customer
@customer.with_braintree_data!
- @default_cc = @customer.default_credit_card #TODO not actually right way
+ @default_cc = @customer.default_credit_card
@active_subscription = @customer.subscriptions
@transactions = @customer.braintree_customer.transactions
end
diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb
index 226f5a0..17ac0f3 100644
--- a/billing/app/controllers/payments_controller.rb
+++ b/billing/app/controllers/payments_controller.rb
@@ -16,10 +16,10 @@ class PaymentsController < BillingBaseController
end
def index
+ access_denied unless admin? or (@user == current_user)
customer = Customer.find_by_user_id(@user.id)
braintree_data = Braintree::Customer.find(customer.braintree_customer_id)
# these will be ordered by created_at descending, per http://stackoverflow.com/questions/16425475/
- # TODO permissions
@transactions = braintree_data.transactions
end
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index e5af0a3..4047847 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -2,6 +2,8 @@ class SubscriptionsController < BillingBaseController
before_filter :authorize
before_filter :fetch_subscription, :only => [:show, :destroy]
before_filter :confirm_no_active_subscription, :only => [:new, :create]
+ # for now, admins cannot create or destroy subscriptions for others:
+ before_filter :confirm_self, :only => [:destroy, :new, :create]
def new
# don't show link to subscribe if they are already subscribed?
@@ -30,9 +32,9 @@ class SubscriptionsController < BillingBaseController
def fetch_subscription
@subscription = Braintree::Subscription.find params[:id]
@subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
- @customer = Customer.find_by_user_id(@user.id) # todo: ???
- access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id)
- # TODO: will presumably want to allow admins to view/cancel subscriptions for all users
+ current_user_customer = Customer.find_by_user_id(current_user.id)
+ access_denied unless admin? or (current_user_customer and current_user_customer.braintree_customer_id == @subscription_customer_id)
+
end
def confirm_no_active_subscription
@@ -42,4 +44,8 @@ class SubscriptionsController < BillingBaseController
end
end
+ def confirm_self
+ @user == current_user
+ end
+
end
diff --git a/billing/test/integration/customer_creation_test.rb b/billing/test/integration/customer_creation_test.rb
index 9555ef1..5e3734c 100644
--- a/billing/test/integration/customer_creation_test.rb
+++ b/billing/test/integration/customer_creation_test.rb
@@ -59,10 +59,12 @@ class CustomerCreationTest < ActionDispatch::IntegrationTest
skip "cannot get customer creation to fail"
FakeBraintree.decline_all_cards!
+
response = post_transparent_redirect :create_customer_data,
customer: FactoryGirl.attributes_for(:broken_customer),
redirect_url: confirm_customer_url
+ assert FakeBraintree.decline_all_cards?
assert_no_difference("Customer.count") do
post response['Location'] #this gives me a timeout when run alone
end