whitelist allowed events to be sent to a Payment
@@ -56,7 +56,7 @@ module Spree
|
||||
|
||||
# Because we have a transition method also called void, we do this to avoid conflicts.
|
||||
event = "void_transaction" if event == "void"
|
||||
if @payment.public_send("#{event}!")
|
||||
if allowed_events.include?(event) && @payment.public_send("#{event}!")
|
||||
flash[:success] = t(:payment_updated)
|
||||
else
|
||||
flash[:error] = t(:cannot_perform_operation)
|
||||
@@ -162,6 +162,10 @@ module Spree
|
||||
PaymentMailer.authorize_payment(@payment).deliver_later
|
||||
raise Spree::Core::GatewayError, I18n.t('action_required')
|
||||
end
|
||||
|
||||
def allowed_events
|
||||
%w{capture void_transaction credit refund resend_authorization_email}
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
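Review bot: `allowed_events` (second hunk) returns a new mutable array on every call, and the hunk does not show whether a `private` keyword precedes it; if none does, it is a public method on the controller. A frozen constant settles both: `ALLOWED_EVENTS = %w[capture void_transaction credit refund resend_authorization_email].freeze`, checked with `ALLOWED_EVENTS.include?(event)`. In the first hunk a rejected event name and a failed transition now share the same `else` branch, with the same flash and no log line, so an operator cannot tell a failed capture from a request carrying an unexpected `e` value. A `Rails.logger.warn` on the rejected path would separate the two. Both enclosing methods start outside the hunks.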
@@ -241,5 +241,41 @@ describe Spree::Admin::PaymentsController, type: :controller do
|
||||
expect(flash[:success]).to eq(I18n.t(:payment_updated))
|
||||
end
|
||||
end
|
||||
|
||||
context 'on resend_authorization_email event' do
|
||||
let(:params) { { e: 'resend_authorization_email', order_id: order.number, id: payment.id } }
|
||||
let(:mail_mock) { double(:mailer_mock, deliver_later: true) }
|
||||
|
||||
before do
|
||||
allow(PaymentMailer).to receive(:authorize_payment) { mail_mock }
|
||||
allow(request).to receive(:referer) { 'http://foo.com' }
|
||||
allow(Spree::Payment).to receive(:find).with(payment.id.to_s) { payment }
|
||||
allow(payment).to receive(:cvv_response_message).and_return("https://www.stripe.com/authorize")
|
||||
end
|
||||
|
||||
it "resends the authorization email" do
|
||||
spree_put :fire, params
|
||||
|
||||
expect(flash[:success]).to eq(I18n.t(:payment_updated))
|
||||
expect(PaymentMailer).to have_received(:authorize_payment)
|
||||
expect(mail_mock).to have_received(:deliver_later)
|
||||
end
|
||||
end
|
||||
|
||||
context 'on an unrecognized event' do
|
||||
let(:params) { { e: 'unrecognized_event', order_id: order.number, id: payment.id } }
|
||||
|
||||
before do
|
||||
allow(request).to receive(:referer) { 'http://foo.com' }
|
||||
allow(Spree::Payment).to receive(:find).with(payment.id.to_s) { payment }
|
||||
end
|
||||
|
||||
it 'does not process the event' do
|
||||
spree_put :fire, params
|
||||
|
||||
expect(payment).to_not receive(:unrecognized_event)
|
||||
expect(flash[:error]).to eq(I18n.t(:cannot_perform_operation))
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
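Review bot: In 'does not process the event', `expect(payment).to_not receive(:unrecognized_event)` is set after `spree_put :fire, params` has already run, so it cannot observe the request and passes regardless. It also names the method without the `!` that the controller appends before `public_send`. Move the negative expectation above `spree_put` and target `:unrecognized_event!`; if partial-double verification rejects a method Payment does not define, use an event name that Payment implements but the allowlist omits. As written, only the flash assertion exercises the allowlist.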