From 6d1e5b052f88029039164e9a586d512f55679de4 Mon Sep 17 00:00:00 2001
From: jessib
Date: Tue, 16 Apr 2013 13:27:38 -0700
Subject: Some permission checks for viewing/cancelling subscriptions.

---
 billing/app/controllers/subscriptions_controller.rb | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

(limited to 'billing/app/controllers/subscriptions_controller.rb')

diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index 9633830..1f15954 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -1,5 +1,6 @@
 class SubscriptionsController < ApplicationController
   before_filter :authorize
+  before_filter :fetch_subscription, :only => [:show, :destroy]
 
   def new
     # don't show link to subscribe if they are already subscribed?
@@ -14,18 +15,24 @@ class SubscriptionsController < ApplicationController
     end
   end
 
-  def show
-    @subscription = Braintree::Subscription.find params[:id]
-  end
-
+  # show has no content, so not needed at this point.
   def create
     @result = Braintree::Subscription.create(
       :payment_method_token => params[:payment_method_token],
       :plan_id => params[:plan_id]
     )
   end
   def destroy
-    # TODO add permission check
     @result = Braintree::Subscription.cancel params[:id]
   end
+  private
+
+  def fetch_subscription
+    @subscription = Braintree::Subscription.find params[:id]
+    subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
+    customer = Customer.find_by_user_id(current_user.id)
+    access_denied unless customer and customer.braintree_customer_id == subscription_customer_id
+    # TODO: will presumably want to allow admins to view/cancel subscriptions for all users
+  end
+
 end
-- 
cgit v1.2.3
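Review bot: The ownership check in `fetch_subscription` raises instead of denying when the subscription has no transactions yet — `@subscription.transactions.first` is then `nil`, `.customer_details` raises `NoMethodError`, and the request ends in a 500 before `access_denied` is ever evaluated; the guard should treat a missing customer id as a denial, as sketched below, and use `&&` rather than `and` so the intent does not depend on operator precedence. Whether the filter actually stops `destroy` also depends on `access_denied` (defined outside this hunk, presumably in ApplicationController) rendering or redirecting, since a `before_filter` only halts the chain when it does; that is worth confirming. `destroy` should cancel `@subscription.id` rather than re-reading `params[:id]`, so the action operates on exactly the object the filter authorized, and `Braintree::NotFoundError` from `find` is left unhandled and will surface as a 500 rather than a 404. Finally, `:only => [:show, :destroy]` still names `show`, which this commit removes; Rails will still run the filter for an implicit `show` if a template exists, so either drop `:show` from the list or keep the action explicitly.

```ruby
  def fetch_subscription
    @subscription = Braintree::Subscription.find params[:id]
    # A subscription with no transactions yet yields nil here; treat that as
    # "owner unknown" and deny, instead of raising on the nil chain.
    first_transaction = @subscription.transactions.first
    subscription_customer_id = first_transaction && first_transaction.customer_details.id
    customer = Customer.find_by_user_id(current_user.id)
    access_denied unless subscription_customer_id && customer && customer.braintree_customer_id == subscription_customer_id
    # … unchanged: TODO about admin access …
  end
```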