whitelist allowed events to be sent to a Payment

2026-02-28 01:53:25 +00:00 · 2021-01-11 20:15:24 -08:00
parent ab5ffead1d
commit 903b2e7ff4
2 changed files with 41 additions and 1 deletions
--- a/app/controllers/spree/admin/payments_controller.rb
+++ b/app/controllers/spree/admin/payments_controller.rb
@@ -56,7 +56,7 @@ module Spree

        # Because we have a transition method also called void, we do this to avoid conflicts.
        event = "void_transaction" if event == "void"
-        if @payment.public_send("#{event}!")
+        if allowed_events.include?(event) && @payment.public_send("#{event}!")
          flash[:success] = t(:payment_updated)
        else
          flash[:error] = t(:cannot_perform_operation)
@@ -162,6 +162,10 @@ module Spree
        PaymentMailer.authorize_payment(@payment).deliver_later
        raise Spree::Core::GatewayError, I18n.t('action_required')
      end
+
+      def allowed_events
+        %w{capture void_transaction credit refund resend_authorization_email}
+      end
    end
  end
 end
--- a/spec/controllers/spree/admin/orders/payments/payments_controller_spec.rb
+++ b/spec/controllers/spree/admin/orders/payments/payments_controller_spec.rb
@@ -241,5 +241,41 @@ describe Spree::Admin::PaymentsController, type: :controller do
        expect(flash[:success]).to eq(I18n.t(:payment_updated))
      end
    end
+
+    context 'on resend_authorization_email event' do
+      let(:params) { { e: 'resend_authorization_email', order_id: order.number, id: payment.id } }
+      let(:mail_mock) { double(:mailer_mock, deliver_later: true) }
+
+      before do
+        allow(PaymentMailer).to receive(:authorize_payment) { mail_mock }
+        allow(request).to receive(:referer) { 'http://foo.com' }
+        allow(Spree::Payment).to receive(:find).with(payment.id.to_s) { payment }
+        allow(payment).to receive(:cvv_response_message).and_return("https://www.stripe.com/authorize")
+      end
+
+      it "resends the authorization email" do
+        spree_put :fire, params
+
+        expect(flash[:success]).to eq(I18n.t(:payment_updated))
+        expect(PaymentMailer).to have_received(:authorize_payment)
+        expect(mail_mock).to have_received(:deliver_later)
+      end
+    end
+
+    context 'on an unrecognized event' do
+      let(:params) { { e: 'unrecognized_event', order_id: order.number, id: payment.id } }
+
+      before do
+        allow(request).to receive(:referer) { 'http://foo.com' }
+        allow(Spree::Payment).to receive(:find).with(payment.id.to_s) { payment }
+      end
+
+      it 'does not process the event' do
+        spree_put :fire, params
+
+        expect(payment).to_not receive(:unrecognized_event)
+        expect(flash[:error]).to eq(I18n.t(:cannot_perform_operation))
+      end
+    end
  end
 end