diff options
Diffstat (limited to 'billing/app')
-rw-r--r-- | billing/app/controllers/customer_controller.rb | 2 | ||||
-rw-r--r-- | billing/app/controllers/payments_controller.rb | 2 | ||||
-rw-r--r-- | billing/app/controllers/subscriptions_controller.rb | 12 |
3 files changed, 11 insertions, 5 deletions
diff --git a/billing/app/controllers/customer_controller.rb b/billing/app/controllers/customer_controller.rb index 0120e91..901cb34 100644 --- a/billing/app/controllers/customer_controller.rb +++ b/billing/app/controllers/customer_controller.rb @@ -4,7 +4,7 @@ class CustomerController < BillingBaseController def show if @customer @customer.with_braintree_data! - @default_cc = @customer.default_credit_card #TODO not actually right way + @default_cc = @customer.default_credit_card @active_subscription = @customer.subscriptions @transactions = @customer.braintree_customer.transactions end diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb index 226f5a0..17ac0f3 100644 --- a/billing/app/controllers/payments_controller.rb +++ b/billing/app/controllers/payments_controller.rb @@ -16,10 +16,10 @@ class PaymentsController < BillingBaseController end def index + access_denied unless admin? or (@user == current_user) customer = Customer.find_by_user_id(@user.id) braintree_data = Braintree::Customer.find(customer.braintree_customer_id) # these will be ordered by created_at descending, per http://stackoverflow.com/questions/16425475/ - # TODO permissions @transactions = braintree_data.transactions end diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb index e5af0a3..4047847 100644 --- a/billing/app/controllers/subscriptions_controller.rb +++ b/billing/app/controllers/subscriptions_controller.rb @@ -2,6 +2,8 @@ class SubscriptionsController < BillingBaseController before_filter :authorize before_filter :fetch_subscription, :only => [:show, :destroy] before_filter :confirm_no_active_subscription, :only => [:new, :create] + # for now, admins cannot create or destroy subscriptions for others: + before_filter :confirm_self, :only => [:destroy, :new, :create] def new # don't show link to subscribe if they are already subscribed? @@ -30,9 +32,9 @@ class SubscriptionsController < BillingBaseController def fetch_subscription @subscription = Braintree::Subscription.find params[:id] @subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer - @customer = Customer.find_by_user_id(@user.id) # todo: ??? - access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id) - # TODO: will presumably want to allow admins to view/cancel subscriptions for all users + current_user_customer = Customer.find_by_user_id(current_user.id) + access_denied unless admin? or (current_user_customer and current_user_customer.braintree_customer_id == @subscription_customer_id) + end def confirm_no_active_subscription @@ -42,4 +44,8 @@ class SubscriptionsController < BillingBaseController end end + def confirm_self + @user == current_user + end + end |