summaryrefslogtreecommitdiff
path: root/billing/app/controllers/subscriptions_controller.rb
diff options
context:
space:
mode:
Diffstat (limited to 'billing/app/controllers/subscriptions_controller.rb')
-rw-r--r--billing/app/controllers/subscriptions_controller.rb12
1 files changed, 9 insertions, 3 deletions
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index e5af0a3..4047847 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -2,6 +2,8 @@ class SubscriptionsController < BillingBaseController
before_filter :authorize
before_filter :fetch_subscription, :only => [:show, :destroy]
before_filter :confirm_no_active_subscription, :only => [:new, :create]
+ # for now, admins cannot create or destroy subscriptions for others:
+ before_filter :confirm_self, :only => [:destroy, :new, :create]
def new
# don't show link to subscribe if they are already subscribed?
@@ -30,9 +32,9 @@ class SubscriptionsController < BillingBaseController
def fetch_subscription
@subscription = Braintree::Subscription.find params[:id]
@subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
- @customer = Customer.find_by_user_id(@user.id) # todo: ???
- access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id)
- # TODO: will presumably want to allow admins to view/cancel subscriptions for all users
+ current_user_customer = Customer.find_by_user_id(current_user.id)
+ access_denied unless admin? or (current_user_customer and current_user_customer.braintree_customer_id == @subscription_customer_id)
+
end
def confirm_no_active_subscription
@@ -42,4 +44,8 @@ class SubscriptionsController < BillingBaseController
end
end
+ def confirm_self
+ @user == current_user
+ end
+
end