Diffstat (limited to 'billing/app/controllers')
-rw-r--r--billing/app/controllers/subscriptions_controller.rb17
1 files changed, 12 insertions, 5 deletions
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index 9633830..1f15954 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -1,5 +1,6 @@
class SubscriptionsController < ApplicationController
before_filter :authorize
+ before_filter :fetch_subscription, :only => [:show, :destroy]
def new
# don't show link to subscribe if they are already subscribed?
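Review bot: The new `before_filter :fetch_subscription, :only => [:show, :destroy]` still names `:show`, but the second hunk of this commit deletes the `show` action, so the filter is effectively scoped to `destroy` only and the stale symbol will mislead a reader into thinking `show` is protected. Either trim it to `before_filter :fetch_subscription, :only => [:destroy]` or leave a comment saying `:show` is listed ahead of the action being re-added. The `new` action continues past this hunk.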
@@ -14,18 +15,24 @@ class SubscriptionsController < ApplicationController
end
end
- def show
- @subscription = Braintree::Subscription.find params[:id]
- end
-
+ # show has no content, so not needed at this point.
def create
@result = Braintree::Subscription.create( :payment_method_token => params[:payment_method_token], :plan_id => params[:plan_id] )
end
def destroy
- # TODO add permission check
@result = Braintree::Subscription.cancel params[:id]
end
+ private
+
+ def fetch_subscription
+ @subscription = Braintree::Subscription.find params[:id]
+ subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
+ customer = Customer.find_by_user_id(current_user.id)
+ access_denied unless customer and customer.braintree_customer_id == subscription_customer_id
+ # TODO: will presumably want to allow admins to view/cancel subscriptions for all users
+ end
+
end
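Review bot: `fetch_subscription` derives ownership from `@subscription.transactions.first.customer_details.id`, so a subscription with no transactions yet (one that has not been charged) makes `transactions.first` nil and the filter fails with a NoMethodError instead of a decision, and an unknown `params[:id]` makes `Braintree::Subscription.find` raise `Braintree::NotFoundError` before the ownership check runs at all. Both cases should fail closed with the same response as a foreign subscription, so the endpoint does not distinguish "does not exist" from "not yours", and the ownership lookup should go through the subscription's payment method token (the same token this controller passes to `Braintree::Subscription.create`), which resolves to a customer regardless of transaction history. The check also relies on `access_denied` rendering or redirecting so that the filter chain halts; if it only returns, `destroy` still runs, which is worth confirming since `access_denied` is defined outside this file. Minor style point on the same line: `and` binds more loosely than `&&`, and the guard reads more predictably as `access_denied unless customer && customer.braintree_customer_id == owner_id`.
```ruby
def fetch_subscription
  @subscription = Braintree::Subscription.find(params[:id])
  customer = Customer.find_by_user_id(current_user.id)
  # Resolve the owner through the payment method rather than the first
  # transaction, which does not exist until the subscription is first charged.
  owner_id = Braintree::CreditCard.find(@subscription.payment_method_token).customer_id
  access_denied unless customer && customer.braintree_customer_id == owner_id
  # TODO: will presumably want to allow admins to view/cancel subscriptions for all users
rescue Braintree::NotFoundError
  # Same response as a foreign subscription so the id space is not an oracle.
  access_denied
end
```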