From 6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f Mon Sep 17 00:00:00 2001
From: jessib
Date: Tue, 6 Aug 2013 14:21:08 -0700
Subject: Some more tweaks to have billing code work, and allow admins to view but not edit for other users.
---
 billing/app/controllers/billing_base_controller.rb | 10 ++++---
 .../app/controllers/credit_card_info_controller.rb | 5 ++--
 billing/app/controllers/customer_controller.rb | 33 +++++++++++-----------
 billing/app/controllers/payments_controller.rb | 3 +-
 .../app/controllers/subscriptions_controller.rb | 4 +--
 5 files changed, 29 insertions(+), 26 deletions(-)
(limited to 'billing/app/controllers')
diff --git a/billing/app/controllers/billing_base_controller.rb b/billing/app/controllers/billing_base_controller.rb
index 67dff72..f6e233b 100644
--- a/billing/app/controllers/billing_base_controller.rb
+++ b/billing/app/controllers/billing_base_controller.rb
@@ -4,12 +4,14 @@ class BillingBaseController < ApplicationController
 helper 'billing' # required for navigation to work.
- #TODO doesn't work for admins
 def assign_user
- if params[:id]
+ if params[:user_id]
+ @user = User.find_by_param(params[:user_id])
+ elsif params[:action] == "confirm" # confirms will come back with different ID set, so check for this first
+ # This is only for cases where an admin cannot apply action for customer, but should be all confirms
+ @user = current_user
+ elsif params[:id]
 @user = User.find_by_param(params[:id])
- else
- @user = current_user #TODO not always correct for admins viewing another user!
 end
 end
diff --git a/billing/app/controllers/credit_card_info_controller.rb b/billing/app/controllers/credit_card_info_controller.rb
index 75865fe..717fa18 100644
--- a/billing/app/controllers/credit_card_info_controller.rb
+++ b/billing/app/controllers/credit_card_info_controller.rb
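Review bot: The new `assign_user` takes `@user` straight from `params[:user_id]` or `params[:id]` and never checks that the requester may act as that user, and with the `else @user = current_user` fallback removed it also leaves `@user` nil when `User.find_by_param` finds nothing or neither parameter is present, which the `@user.id` calls added in PaymentsController#index and SubscriptionsController#index turn into a NoMethodError. If this runs as a before_filter for every BillingBaseController action (its registration is not in the diff), the `params[:id]` branch is also reached by SubscriptionsController#show, where `params[:id]` is a Braintree subscription id rather than a user id. Unless the `authorize` filter already restricts `@user`, I would finish the method with `access_denied unless @user && (@user == current_user || admin?)`, using the helpers the customer_controller hunks already rely on, so every subclass inherits one ownership/admin check. The branch comment `# confirms will come back with different ID set, so check for this first` reads as a routing assumption and could name the route it applies to.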
@@ -3,7 +3,7 @@ class CreditCardInfoController < ApplicationController
 def edit
 @credit_card = Braintree::CreditCard.find(params[:id])
- customer = Customer.find_by_user_id(current_user.id)
+ customer = Customer.find_by_user_id(@user.id)
 if customer and customer.braintree_customer_id == @credit_card.customer_id
 @tr_data = Braintree::TransparentRedirect.
 update_credit_card_data(:redirect_url => confirm_credit_card_info_url,
@@ -27,7 +27,8 @@ class CreditCardInfoController < ApplicationController
 private
- def set_user
+ def set_user
+ # this assumes anybody, even an admin, will not access for another user.
 @user = current_user
 end
diff --git a/billing/app/controllers/customer_controller.rb b/billing/app/controllers/customer_controller.rb
index f38f77e..0120e91 100644
--- a/billing/app/controllers/customer_controller.rb
+++ b/billing/app/controllers/customer_controller.rb
@@ -1,18 +1,18 @@
 class CustomerController < BillingBaseController
- before_filter :authorize
+ before_filter :authorize, :fetch_customer
 def show
- if customer = fetch_customer
- customer.with_braintree_data!
- @default_cc = customer.default_credit_card #TODO not actually right way
- @active_subscription = customer.subscriptions
- @transactions = customer.braintree_customer.transactions
+ if @customer
+ @customer.with_braintree_data!
+ @default_cc = @customer.default_credit_card #TODO not actually right way
+ @active_subscription = @customer.subscriptions
+ @transactions = @customer.braintree_customer.transactions
 end
 end
 def new
- if customer.has_payment_info?
- redirect_to edit_customer_path(customer), :notice => 'Here is your saved customer data'
+ if @customer.has_payment_info?
+ redirect_to edit_customer_path(@user), :notice => 'Here is your saved customer data'
 else
 fetch_new_transparent_redirect_data
 end
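Review bot: `new` dereferences `@customer` without the nil guard that `show` has: `fetch_customer` (next hunk) only builds a `Customer.new` when `@user == current_user` and its `access_denied` line lets an admin through even when `@customer` is nil, so if the lookup above that hunk (outside the diff) finds no record for the viewed user, an admin opening `new` hits `@customer.has_payment_info?` on nil. Guard it the same way, `if @customer && @customer.has_payment_info?`, which also routes that case into `fetch_new_transparent_redirect_data` where the self-only check applies. The redirect now passes `@user` to `edit_customer_path`, so the id in the URL is the viewed user's, which is consistent with `assign_user` reading `params[:id]` as a user; a short comment on that line saying the path takes a user, not a customer, would save the next reader a lookup.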
@@ -24,12 +24,11 @@ class CustomerController < BillingBaseController
 def confirm
 @result = Braintree::TransparentRedirect.confirm(request.query_string)
-
 if @result.success?
- customer.braintree_customer = @result.customer
- customer.save
+ @customer.braintree_customer = @result.customer
+ @customer.save
 render :action => "confirm"
- elsif customer.has_payment_info?
+ elsif @customer.has_payment_info?
 fetch_edit_transparent_redirect_data
 render :action => "edit"
 else
@@ -41,16 +40,18 @@ class CustomerController < BillingBaseController
 protected
 def fetch_new_transparent_redirect_data
+ access_denied unless @user == current_user # admins cannot do this for others
 @tr_data = Braintree::TransparentRedirect.
 create_customer_data(:redirect_url => confirm_customer_url)
 end
 def fetch_edit_transparent_redirect_data
- customer.with_braintree_data!
- @default_cc = customer.default_credit_card
+ access_denied unless @user == current_user # admins cannot do this for others
+ @customer.with_braintree_data!
+ @default_cc = @customer.default_credit_card
 @tr_data = Braintree::TransparentRedirect.
 update_customer_data(:redirect_url => confirm_customer_url,
- :customer_id => customer.braintree_customer_id) ##??
+ :customer_id => @customer.braintree_customer_id) ##??
 end
 def fetch_customer
@@ -58,8 +59,6 @@ class CustomerController < BillingBaseController
 if @user == current_user
 @customer ||= Customer.new(user: @user)
 end
- # TODO will want case for admins, presumably
 access_denied unless (@customer and (@customer.user == current_user)) or admin?
- return @customer
 end
 end
diff --git a/billing/app/controllers/payments_controller.rb b/billing/app/controllers/payments_controller.rb
index 224b78e..3ffc5a3 100644
--- a/billing/app/controllers/payments_controller.rb
+++ b/billing/app/controllers/payments_controller.rb
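Review bot: The self-only checks added at the top of `fetch_new_transparent_redirect_data` and `fetch_edit_transparent_redirect_data` only stop the edit path if `access_denied` raises; if it renders or redirects instead (its definition is not in the diff), the method keeps running, `@tr_data` is still built against the other user's customer, and the calling action's own render then fails with DoubleRenderError. Since the commit already moves `fetch_customer` into the filter chain, the edit restriction is more robust as a filter that halts, e.g. `before_filter :require_self, :only => [:new, :edit, :confirm]` backed by `def require_self; access_denied unless @user == current_user; end`, leaving the two helpers free of authorization. The `@customer.braintree_customer = ...` and `@customer.has_payment_info?` lines in `confirm` stay unguarded, which holds only because `assign_user` forces `@user = current_user` for the confirm action; a one-line comment at the top of `confirm` recording that dependency would help the next reader. `fetch_customer`'s opening lines are above the last hunk, so the lookup that sets `@customer` before the `||=` is not visible here.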
@@ -16,9 +16,10 @@ class PaymentsController < BillingBaseController
 end
 def index
- customer = Customer.find_by_user_id(current_user.id)
+ customer = Customer.find_by_user_id(@user.id)
 braintree_data = Braintree::Customer.find(customer.braintree_customer_id)
 # these will be ordered by created_at descending, per http://stackoverflow.com/questions/16425475/
+ # TODO permissions
 @transactions = braintree_data.transactions
 end
diff --git a/billing/app/controllers/subscriptions_controller.rb b/billing/app/controllers/subscriptions_controller.rb
index 38dbff1..8030c88 100644
--- a/billing/app/controllers/subscriptions_controller.rb
+++ b/billing/app/controllers/subscriptions_controller.rb
@@ -21,7 +21,7 @@ class SubscriptionsController < BillingBaseController
 end
 def index
- customer = Customer.find_by_user_id(current_user.id)
+ customer = Customer.find_by_user_id(@user.id)
 @subscriptions = customer.subscriptions(nil, false)
 end
@@ -31,7 +31,7 @@ class SubscriptionsController < BillingBaseController
 @subscription = Braintree::Subscription.find params[:id]
 @subscription_customer_id = @subscription.transactions.first.customer_details.id #all of subscriptions transactions should have same customer
 @customer = Customer.find_by_user_id(current_user.id)
- access_denied unless @customer and @customer.braintree_customer_id == @subscription_customer_id
+ access_denied unless admin? or (@customer and @customer.braintree_customer_id == @subscription_customer_id)
 # TODO: will presumably want to allow admins to view/cancel subscriptions for all users
 end
-- cgit v1.2.3
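Review bot: PaymentsController#index now lists transactions for whichever user `assign_user` resolved from the request, and the added `# TODO permissions` confirms no ownership or admin check is made in the action itself; unless the `authorize` filter (not in the diff) already restricts `@user`, any signed-in user can read another user's transactions by supplying `user_id`. SubscriptionsController#index in the next file has the same gap. The one-line check the subscriptions `show` hunk already uses would close both: `access_denied unless admin? or @user == current_user` as the first line of each `index`. Both actions also call `customer.braintree_customer_id` and `customer.subscriptions(nil, false)` on the result of `Customer.find_by_user_id` without a nil check, so a user without a customer record gets a NoMethodError rather than an empty list.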