error for user not permitted

2025-07-31 02:03:26 +00:00 · 2019-09-15 08:40:52 +10:00 · 2019-09-15 08:40:52 +10:00 · a42e98ee5b
commit a42e98ee5b
parent bc8ae3449d
4 changed files with 47 additions and 11 deletions
--- a/app/controllers/patrons_controller.rb
+++ b/app/controllers/patrons_controller.rb
@ -16,7 +16,13 @@ module DiscoursePatrons
    end

    def show
-      result = Stripe::PaymentIntent.retrieve(params[:pid])
+      payment_intent = Stripe::PaymentIntent.retrieve(params[:pid])
+
+      if current_user && (current_user.admin || payment_intent[:customer] == current_user.id)
+        result = payment_intent
+      else
+        result = { error: 'Not found' }
+      end

      render json: result
    end
--- a/assets/javascripts/discourse/templates/patrons/show.hbs
+++ b/assets/javascripts/discourse/templates/patrons/show.hbs
@ -9,18 +9,12 @@
 {{#if model}}
  <table>
    <tr>
-      <td>Payment ID</td>
+      <td>{{i18n 'discourse_patrons.payment_intent_id'}}</td>
      <td>{{model.id}}</td>
    </tr>
    <tr>
-      <td>Amount</td>
+      <td>{{i18n 'discourse_patrons.amount'}}</td>
      <td>{{model.amount}}</td>
    </tr>
  </table>
 {{/if}}
-
-<hr>
-
-{{#d-button action="goBack" class="btn btn-primary"}}
-  {{i18n 'discourse_patrons.buttons.success'}}
-{{/d-button}}
--- a/config/locales/client.en.yml
+++ b/config/locales/client.en.yml
@ -25,6 +25,7 @@ en:
        payment_information: Payment information
        payment_confirmation: Confirm information
      amount: Amount
+      payment_intent_id: Payment ID
      billing:
        name: Full name
        email: Email
--- a/spec/controllers/discourse_patrons/patrons_controller_spec.rb
+++ b/spec/controllers/discourse_patrons/patrons_controller_spec.rb
@ -28,16 +28,51 @@ module DiscoursePatrons
    end

    describe 'show' do
+      let!(:admin) { Fabricate(:admin) }
+      let!(:user) { Fabricate(:user) }
+      let(:payment_intent) { { customer: user.id } }
+
+      before do
+        controller.stubs(:current_user).returns(user)
+        ::Stripe::PaymentIntent.stubs(:retrieve).returns(payment_intent)
+      end
+
      it 'responds ok' do
-        ::Stripe::PaymentIntent.expects(:retrieve)
        get :show, params: { pid: '123' }, format: :json
        expect(response).to have_http_status(200)
      end

      it 'requests the payment intent' do
-        ::Stripe::PaymentIntent.expects(:retrieve).with('abc-1234')
+        ::Stripe::PaymentIntent.expects(:retrieve).with('abc-1234').returns(payment_intent)
        get :show, params: { pid: 'abc-1234' }, format: :json
      end
+
+      it 'allows admin to see receipts' do
+        controller.expects(:current_user).returns(admin)
+        ::Stripe::PaymentIntent.expects(:retrieve).returns(customer: user.id)
+        get :show, params: { pid: '123' }, format: :json
+        expect(response).to have_http_status(200)
+      end
+
+      it 'does not allow another the user to see receipts' do
+        ::Stripe::PaymentIntent.expects(:retrieve).returns(customer: 9999)
+        get :show, params: { pid: '123' }, format: :json
+
+        aggregate_failures do
+          expect(response).to have_http_status(200)
+          expect(JSON.parse(response.body)).to eq({ "error" => "Not found" })
+        end
+      end
+
+      it 'does not allow anon user to see receipts' do
+        controller.stubs(:current_user).returns(nil)
+        get :show, params: { pid: '123' }, format: :json
+
+        aggregate_failures do
+          expect(response).to have_http_status(200)
+          expect(JSON.parse(response.body)).to eq({ "error" => "Not found" })
+        end
+      end
    end

    describe 'create' do