payola-payments 1.4.0 → 1.5.0

data/lib/payola.rb

@@ -139,6 +139,12 @@ module Payola
     def ==(other)
       to_s == other.to_s
     end
+
+    # This is a nasty hack to counteract Stripe checking if the API key is_a String
+    # See https://github.com/peterkeen/payola/issues/256 for details
+    def is_a?(other)
+      ENV[@key].is_a?(other)
+    end
   end
 
   self.reset!

data/lib/payola/version.rb

@@ -1,3 +1,3 @@
 module Payola
-  VERSION = "1.4.0"
+  VERSION = "1.5.0"
 end

data/spec/concerns/plan_spec.rb

@@ -28,12 +28,24 @@ module Payola
       expect(subscription_plan.valid?).to be false
     end
 
+    context "with an associated subscription" do
+      let :subscription do
+        create(:subscription, plan: create(:subscription_plan))
+      end
+
+      it "should fail when attempting to destroy it" do
+        expect {
+          subscription.plan.destroy
+        }.to raise_error(ActiveRecord::DeleteRestrictionError)
+      end
+    end
+
     context "with Payola.create_stripe_plans set to true" do
       before { Payola.create_stripe_plans = true }
 
       it "should create the plan at stripe before the model is created" do
         subscription_plan = build(:subscription_plan)
-        Payola::CreatePlan.should_receive(:call)
+        expect(Payola::CreatePlan).to receive(:call)
         subscription_plan.save!
       end
 
@@ -42,7 +54,7 @@ module Payola
         subscription_plan.save!
         subscription_plan.name = "new name"
 
-        Payola::CreatePlan.should_not_receive(:call)
+        expect(Payola::CreatePlan).to_not receive(:call)
         subscription_plan.save!
       end
     end
@@ -53,7 +65,7 @@ module Payola
 
       it "should not try to create the plan at stripe before the model is created" do
         subscription_plan = build(:subscription_plan)
-        Payola::CreatePlan.should_not_receive(:call)
+        expect(Payola::CreatePlan).to_not receive(:call)
         subscription_plan.save!
       end
 
@@ -62,7 +74,7 @@ module Payola
         subscription_plan.save!
         subscription_plan.name = "new name"
 
-        Payola::CreatePlan.should_not_receive(:call)
+        expect(Payola::CreatePlan).to_not receive(:call)
         subscription_plan.save!
       end
     end

data/spec/controllers/payola/cards_controller_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 module Payola
   describe CardsController do
     routes { Payola::Engine.routes }
-  
+
     before do
       Payola.secret_key = 'sk_test_12345'
       request.env["HTTP_REFERER"] = "/my/cards"
@@ -20,17 +20,17 @@ module Payola
 
       it "should pass args to CreateCard" do
         expect(CreateCard).to receive(:call)
-        post :create, customer_id: customer.id, stripeToken: StripeMock.generate_card_token({})
+        post :create, params: { customer_id: customer.id, stripeToken: StripeMock.generate_card_token({}) }
 
         expect(response.status).to eq 302
         expect(response).to redirect_to "/my/cards"
-        expect(flash[:notice]).to eq "Succesfully created new card"
+        expect(flash[:notice]).to eq "Successfully created new card"
         expect(flash[:alert]).to_not be_present
       end
 
       it "should fail when missing a token" do
         expect(CreateCard).to_not receive(:call)
-        post :create, customer_id: customer.id, stripeToken: nil
+        post :create, params: { customer_id: customer.id, stripeToken: nil }
 
         expect(response.status).to eq 302
         expect(response).to redirect_to "/my/cards"
@@ -39,11 +39,44 @@ module Payola
       end
 
       it "should return to the passed return path" do
-        post :create, customer_id: customer.id, stripeToken: StripeMock.generate_card_token({}), return_to: "/another/path"
+        post :create, params: { customer_id: customer.id, stripeToken: StripeMock.generate_card_token({}), return_to: "/another/path" }
 
         expect(response.status).to eq 302
         expect(response).to redirect_to "/another/path"
       end
+
+      context "authorization" do
+        it "should permit authorized requests" do
+          allow(controller).to receive(:payola_can_modify_customer?).with(customer.id).and_return(true)
+          expect(controller).to receive(:create).and_call_original
+
+          post :create, params: { customer_id: customer.id, stripeToken: StripeMock.generate_card_token({}) }
+
+          expect(response).to redirect_to "/my/cards"
+          expect(flash[:alert]).to_not be_present
+        end
+
+        it "should deny unauthorized requests" do
+          allow(controller).to receive(:payola_can_modify_customer?).with(customer.id).and_return(false)
+          expect(controller).to_not receive(:create)
+
+          post :create, params: { customer_id: customer.id, stripeToken: StripeMock.generate_card_token({}) }
+
+          expect(response).to redirect_to "/my/cards"
+          expect(flash[:alert]).to eq "You cannot modify this customer."
+        end
+      end
+
+      it "should raise error when no referrer to redirect to" do
+        request.env.delete("HTTP_REFERER")
+
+        expect do
+          post :create, params: {
+            customer_id: customer.id,
+            stripeToken: StripeMock.generate_card_token({})
+          }
+        end.to raise_error(ActionController::RedirectBackError)
+      end
     end
 
     describe '#destroy' do
@@ -58,20 +91,71 @@ module Payola
 
       it "should pass args to DestroyCard" do
         expect(DestroyCard).to receive(:call)
-        delete :destroy, id: customer.sources.first.id, customer_id: customer.id
+        delete :destroy, params: { id: customer.sources.first.id, customer_id: customer.id }
 
         expect(response.status).to eq 302
         expect(response).to redirect_to "/my/cards"
-        expect(flash[:notice]).to eq "Succesfully removed the card"
+        expect(flash[:notice]).to eq "Successfully removed the card"
         expect(flash[:alert]).to_not be_present
       end
 
+      it "should not call DestroyCard when params blank" do
+        expect(DestroyCard).to_not receive(:call)
+        delete :destroy, params: { id: "", customer_id: "" }
+
+        expect(response.status).to eq 302
+        expect(response).to redirect_to "/my/cards"
+        expect(flash[:alert]).to eq "Could not remove the card"
+        expect(flash[:notice]).to_not be_present
+      end
+
       it "should return to the passed return path" do
-        delete :destroy, id: customer.sources.first.id, customer_id: customer.id, return_to: "/another/path"
+        delete :destroy, params: { id: customer.sources.first.id, customer_id: customer.id, return_to: "/another/path" }
 
         expect(response.status).to eq 302
         expect(response).to redirect_to "/another/path"
       end
+
+      context "authorization" do
+        it "should permit authorized requests" do
+          allow(controller).to receive(:payola_can_modify_customer?).with(customer.id).and_return(true)
+          expect(controller).to receive(:destroy).and_call_original
+
+          delete :destroy, params: { id: customer.sources.first.id, customer_id: customer.id }
+
+          expect(response).to redirect_to "/my/cards"
+          expect(flash[:alert]).to_not be_present
+        end
+
+        it "should deny unauthorized requests" do
+          allow(controller).to receive(:payola_can_modify_customer?).with(customer.id).and_return(false)
+          expect(controller).to_not receive(:destroy)
+
+          delete :destroy, params: { id: customer.sources.first.id, customer_id: customer.id }
+
+          expect(response).to redirect_to "/my/cards"
+          expect(flash[:alert]).to eq "You cannot modify this customer."
+        end
+
+        it "should throw error if controller doesn't define payola_can_modify_customer?" do
+          controller.instance_eval('undef :payola_can_modify_customer?')
+
+          expect {
+            delete :destroy, params: { id: customer.sources.first.id, customer_id: customer.id }
+          }.to raise_error(NotImplementedError)
+      end
+      end
+
+      it "should raise error when no referrer to redirect to" do
+        request.env.delete("HTTP_REFERER")
+
+        expect do
+          delete :destroy, params: {
+            id: customer.sources.first.id, customer_id: customer.id
+          }
+        end.to raise_error(ActionController::RedirectBackError)
+      end
+
     end
 
   end

data/spec/controllers/payola/customers_controller_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 module Payola
   describe CustomersController do
     routes { Payola::Engine.routes }
-  
+
     before do
       Payola.secret_key = 'sk_test_12345'
       request.env["HTTP_REFERER"] = "/my/cards"
@@ -21,21 +21,64 @@ module Payola
 
       it "should pass args to UpdateCustomer" do
         expect(UpdateCustomer).to receive(:call)
-        post :update, id: customer.id, customer: { default_source: "1234" }
+        post :update, params: { id: customer.id, customer: { default_source: "1234" } }
 
         expect(response.status).to eq 302
         expect(response).to redirect_to "/my/cards"
-        expect(flash[:notice]).to eq "Succesfully updated customer"
+        expect(flash[:notice]).to eq "Successfully updated customer"
         expect(flash[:alert]).to_not be_present
       end
 
       it "should return to the passed return path" do
-        post :update, id: customer.id, customer: { default_source: "1234" }, return_to: "/another/path"
+        post :update, params: { id: customer.id, customer: { default_source: "1234" }, return_to: "/another/path" }
 
         expect(response.status).to eq 302
         expect(response).to redirect_to "/another/path"
       end
 
+      it "should not invoke UpdateCustomer if id param is not present" do
+        expect(UpdateCustomer).to_not receive(:call)
+
+        post :update, params: { id: "" }
+
+        expect(response.status).to eq 302
+        expect(response).to redirect_to "/my/cards"
+        expect(flash[:alert]).to eq "Could not update customer"
+        expect(flash[:notice]).to_not be_present
+      end
+
+      context "authorization" do
+        it "should permit authorized requests" do
+          allow(controller).to receive(:payola_can_modify_customer?).with(customer.id).and_return(true)
+          expect(controller).to receive(:update).and_call_original
+
+          post :update, params: { id: customer.id, customer: { default_source: "1234" } }
+
+          expect(response).to redirect_to "/my/cards"
+          expect(flash[:alert]).to_not be_present
+        end
+
+        it "should deny unauthorized requests" do
+          allow(controller).to receive(:payola_can_modify_customer?).with(customer.id).and_return(false)
+          expect(controller).to_not receive(:update)
+
+          post :update, params: { id: customer.id, customer: { default_source: "1234" } }
+
+          expect(response).to redirect_to "/my/cards"
+          expect(flash[:alert]).to eq "You cannot modify this customer."
+        end
+      end
+
+      it "should raise error when no referrer to redirect to" do
+        request.env.delete("HTTP_REFERER")
+
+        expect do
+          post :update, params: {
+            id: customer.id, customer: { default_source: "1234" }
+          }
+        end.to raise_error(ActionController::RedirectBackError)
+      end
+
     end
   end
 end

data/spec/controllers/payola/subscriptions_controller_spec.rb

@@ -15,27 +15,29 @@ module Payola
 
       it "should pass args to CreateSubscription" do
         subscription = double
-        subscription.should_receive(:save).and_return(true)
-        subscription.should_receive(:guid).at_least(1).times.and_return(1)
-        subscription.should_receive(:error).and_return(nil)
+        expect(subscription).to receive(:save).and_return(true)
+        expect(subscription).to receive(:guid).at_least(1).times.and_return(1)
+        expect(subscription).to receive(:error).and_return(nil)
         errors = double
-        errors.should_receive(:full_messages).and_return([])
-        subscription.should_receive(:errors).and_return(errors)
-        subscription.should_receive(:state).and_return('pending')
-
-        CreateSubscription.should_receive(:call).with(
-          'plan_class' => 'subscription_plan',
-          'plan_id' => @plan.id.to_s,
-          'tax_percent' => tax_percent.to_s,
-          'controller' => 'payola/subscriptions',
-          'action' => 'create',
-          'plan' => @plan,
-          'coupon' => nil,
-          'quantity' => 1,
-          'affiliate' => nil
+        expect(errors).to receive(:full_messages).and_return([])
+        expect(subscription).to receive(:errors).and_return(errors)
+        expect(subscription).to receive(:state).and_return('pending')
+
+        expect(CreateSubscription).to receive(:call).with(
+          permitted_params(
+            'plan_class' => 'subscription_plan',
+            'plan_id' => @plan.id.to_s,
+            'tax_percent' => tax_percent.to_s,
+            'controller' => 'payola/subscriptions',
+            'action' => 'create',
+            'plan' => @plan,
+            'coupon' => nil,
+            'quantity' => 1,
+            'affiliate' => nil
+          )
         ).and_return(subscription)
 
-        post :create, plan_class: @plan.plan_class, plan_id: @plan.id, tax_percent: tax_percent
+        post :create, params: { plan_class: @plan.plan_class, plan_id: @plan.id, tax_percent: tax_percent }
 
         expect(response.status).to eq 200
         parsed_body = JSON.load(response.body)
@@ -45,19 +47,19 @@ module Payola
       describe "with an error" do
         it "should return an error in json" do
           subscription = double
-          subscription.should_receive(:save).and_return(false)
+          expect(subscription).to receive(:save).and_return(false)
           error = double
-          error.should_receive(:full_messages).and_return(['done did broke'])
-          subscription.should_receive(:errors).and_return(error)
-          subscription.should_receive(:state).and_return('errored')
-          subscription.should_receive(:error).and_return('')
-          subscription.should_receive(:guid).and_return('blah')
+          expect(error).to receive(:full_messages).and_return(['done did broke'])
+          expect(subscription).to receive(:errors).and_return(error)
+          expect(subscription).to receive(:state).and_return('errored')
+          expect(subscription).to receive(:error).and_return('')
+          expect(subscription).to receive(:guid).and_return('blah')
 
 
-          CreateSubscription.should_receive(:call).and_return(subscription)
-          Payola.should_not_receive(:queue!)
+          expect(CreateSubscription).to receive(:call).and_return(subscription)
+          expect(Payola).to_not receive(:queue!)
 
-          post :create, plan_class: @plan.plan_class, plan_id: @plan.id
+          post :create, params: { plan_class: @plan.plan_class, plan_id: @plan.id }
 
           expect(response.status).to eq 400
           parsed_body = JSON.load(response.body)
@@ -67,13 +69,14 @@ module Payola
     end
 
     describe '#status' do
-      it "should return 404 if it can't find the subscription" do
-        get :status, guid: 'doesnotexist'
+      it "should return 404 with no response body if it can't find the subscription" do
+        get :status, params: { guid: 'doesnotexist' }
         expect(response.status).to eq 404
+        expect(response.body).to be_blank
       end
       it "should return json with properties" do
         subscription = create(:subscription)
-        get :status, guid: subscription.guid
+        get :status, params: { guid: subscription.guid }
 
         expect(response.status).to eq 200
 
@@ -89,7 +92,7 @@ module Payola
       it "should redirect to the product's redirect path" do
         plan = create(:subscription_plan)
         subscription = create(:subscription, :plan => plan)
-        get :show, guid: subscription.guid
+        get :show, params: { guid: subscription.guid }
 
         expect(response).to redirect_to '/'
       end
@@ -100,8 +103,8 @@ module Payola
         @subscription = create(:subscription, state: :active, stripe_customer_id: Stripe::Customer.create.id)
       end
       it "call Payola::CancelSubscription and redirect" do
-        Payola::CancelSubscription.should_receive(:call)
-        delete :destroy, guid: @subscription.guid
+        expect(Payola::CancelSubscription).to receive(:call)
+        delete :destroy, params: { guid: @subscription.guid }
         # TODO : Figure out why this needs to be a hardcoded path.
         # Why doesn't subscription_path(@subscription) work?
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
@@ -111,14 +114,14 @@ module Payola
         expect(Payola::CancelSubscription).to_not receive(:call)
         expect_any_instance_of(::ApplicationController).to receive(:payola_can_modify_subscription?).and_return(false)
 
-        delete :destroy, guid: @subscription.guid
+        delete :destroy, params: { guid: @subscription.guid }
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:alert]).to eq 'You cannot modify this subscription.'
       end
 
       it "coerce the at_period_end param to a boolean, and pass it through to Payola::CancelSubscription" do
-        Payola::CancelSubscription.should_receive(:call).with(instance_of(Payola::Subscription), at_period_end: true)
-        delete :destroy, guid: @subscription.guid, at_period_end: 'true'
+        expect(Payola::CancelSubscription).to receive(:call).with(instance_of(Payola::Subscription), at_period_end: true)
+        delete :destroy, params: { guid: @subscription.guid, at_period_end: 'true' }
       end
     end
 
@@ -126,12 +129,13 @@ module Payola
       before :each do
         @subscription = create(:subscription, state: :active, stripe_customer_id: Stripe::Customer.create.id)
         @plan = create(:subscription_plan)
+        @quantity = 1
       end
 
       it "should call Payola::ChangeSubscriptionPlan and redirect" do
-        expect(Payola::ChangeSubscriptionPlan).to receive(:call).with(@subscription, @plan)
+        expect(Payola::ChangeSubscriptionPlan).to receive(:call).with(@subscription, @plan, @quantity)
 
-        post :change_plan, guid: @subscription.guid, plan_class: @plan.plan_class, plan_id: @plan.id
+        post :change_plan, params: { guid: @subscription.guid, plan_class: @plan.plan_class, plan_id: @plan.id }
 
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:notice]).to eq 'Subscription plan updated'
@@ -140,7 +144,7 @@ module Payola
       it "should show error if Payola::ChangeSubscriptionPlan fails" do
         StripeMock.prepare_error(Stripe::StripeError.new('There was a problem changing the subscription'))
 
-        post :change_plan, guid: @subscription.guid, plan_class: @plan.plan_class, plan_id: @plan.id
+        post :change_plan, params: { guid: @subscription.guid, plan_class: @plan.plan_class, plan_id: @plan.id }
 
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:alert]).to eq 'There was a problem changing the subscription'
@@ -150,7 +154,7 @@ module Payola
         expect(Payola::ChangeSubscriptionPlan).to_not receive(:call)
         expect_any_instance_of(::ApplicationController).to receive(:payola_can_modify_subscription?).and_return(false)
 
-        post :change_plan, guid: @subscription.guid, plan_class: @plan.plan_class, plan_id: @plan.id
+        post :change_plan, params: { guid: @subscription.guid, plan_class: @plan.plan_class, plan_id: @plan.id }
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:alert]).to eq 'You cannot modify this subscription.'
       end
@@ -165,7 +169,7 @@ module Payola
       it "should call Payola::ChangeSubscriptionQuantity and redirect" do
         expect(Payola::ChangeSubscriptionQuantity).to receive(:call).with(@subscription, 5)
 
-        post :change_quantity, guid: @subscription.guid, quantity: 5
+        post :change_quantity, params: { guid: @subscription.guid, quantity: 5 }
 
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:notice]).to eq 'Subscription quantity updated'
@@ -174,7 +178,7 @@ module Payola
       it "should show error if Payola::ChangeSubscriptionQuantity fails" do
         StripeMock.prepare_error(Stripe::StripeError.new('There was a problem changing the subscription quantity'))
 
-        post :change_quantity, guid: @subscription.guid, quantity: 5
+        post :change_quantity, params: { guid: @subscription.guid, quantity: 5 }
 
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:alert]).to eq 'There was a problem changing the subscription quantity'
@@ -184,7 +188,7 @@ module Payola
         expect(Payola::ChangeSubscriptionQuantity).to_not receive(:call)
         expect_any_instance_of(::ApplicationController).to receive(:payola_can_modify_subscription?).and_return(false)
 
-        post :change_quantity, guid: @subscription.guid, quantity: 5
+        post :change_quantity, params: { guid: @subscription.guid, quantity: 5 }
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:alert]).to eq 'You cannot modify this subscription.'
       end
@@ -199,7 +203,7 @@ module Payola
       it "should call UpdateCard and redirect" do
         expect(Payola::UpdateCard).to receive(:call).with(@subscription, 'tok_1234')
 
-        post :update_card, guid: @subscription.guid, stripeToken: 'tok_1234'
+        post :update_card, params: { guid: @subscription.guid, stripeToken: 'tok_1234' }
 
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:notice]).to eq 'Card updated'
@@ -208,7 +212,7 @@ module Payola
       it "should show error if Payola::UpdateCare fails" do
         StripeMock.prepare_error(Stripe::StripeError.new('There was a problem updating the card'))
 
-        post :update_card, guid: @subscription.guid, stripeToken: 'tok_1234'
+        post :update_card, params: { guid: @subscription.guid, stripeToken: 'tok_1234' }
 
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:alert]).to eq 'There was a problem updating the card'
@@ -218,11 +222,20 @@ module Payola
         expect(Payola::UpdateCard).to receive(:call).never
         expect_any_instance_of(::ApplicationController).to receive(:payola_can_modify_subscription?).and_return(false)
 
-        post :update_card, guid: @subscription.guid, stripeToken: 'tok_1234'
+        post :update_card, params: { guid: @subscription.guid, stripeToken: 'tok_1234' }
 
         expect(response).to redirect_to "/subdir/payola/confirm_subscription/#{@subscription.guid}"
         expect(request.flash[:alert]).to eq 'You cannot modify this subscription.'
       end
+
+      it "should throw error if controller doesn't define payola_can_modify_subscription?" do
+        expect(Payola::UpdateCard).to receive(:call).never
+        controller.instance_eval('undef :payola_can_modify_subscription?')
+
+        expect {
+          post :update_card, params: { guid: @subscription.guid, stripeToken: 'tok_1234' }
+        }.to raise_error(NotImplementedError)
+      end
     end
 
   end