From 903b2e7ff494c7b8ca04cd3de2598503b92390b8 Mon Sep 17 00:00:00 2001
From: Andy Brett
Date: Mon, 11 Jan 2021 20:15:24 -0800
Subject: [PATCH] whitelist allowed events to be sent to a Payment

---
 .../spree/admin/payments_controller.rb | 6 +++-
 .../payments/payments_controller_spec.rb | 36 +++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/app/controllers/spree/admin/payments_controller.rb b/app/controllers/spree/admin/payments_controller.rb
index ee6847c10c..648632e537 100644
--- a/app/controllers/spree/admin/payments_controller.rb
+++ b/app/controllers/spree/admin/payments_controller.rb
@@ -56,7 +56,7 @@ module Spree
         # Because we have a transition method also called void, we do this to avoid conflicts.
         event = "void_transaction" if event == "void"
 
-        if @payment.public_send("#{event}!")
+        if allowed_events.include?(event) && @payment.public_send("#{event}!")
           flash[:success] = t(:payment_updated)
         else
           flash[:error] = t(:cannot_perform_operation)
@@ -162,6 +162,10 @@ module Spree
         PaymentMailer.authorize_payment(@payment).deliver_later
         raise Spree::Core::GatewayError, I18n.t('action_required')
       end
+
+      def allowed_events
+        %w{capture void_transaction credit refund resend_authorization_email}
+      end
     end
   end
 end
diff --git a/spec/controllers/spree/admin/orders/payments/payments_controller_spec.rb b/spec/controllers/spree/admin/orders/payments/payments_controller_spec.rb
index f4cb9161c1..1e1437aee2 100644
--- a/spec/controllers/spree/admin/orders/payments/payments_controller_spec.rb
+++ b/spec/controllers/spree/admin/orders/payments/payments_controller_spec.rb
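Review bot: The allowlist check on the changed `if` line is the right place to stop `params[:e]` from reaching `public_send`, but nothing in the code says why it is there, and the `else` branch now reports an unknown event and a legitimately failed transition with the same `t(:cannot_perform_operation)` message, so a malformed or probing request cannot be told apart in the UI or the logs from a payment that could not be captured or voided. Add a why-comment above the condition, e.g. `# event comes straight from params[:e]; only allowlisted transitions may be sent to the payment via public_send`, and consider giving the unknown-event case its own log line or flash message before the transition is attempted. The `void` to `void_transaction` rename on the line above the check is the reason the allowlist names `void_transaction` rather than `void`; the comment should say so. The enclosing `fire` action starts and ends outside the hunk, so I cannot tell whether it rescues or redirects after this branch.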
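Review bot: `allowed_events` is inserted immediately after the closing `end` of the preceding method, so its visibility depends on whether that method sits below a `private` marker that is not visible in the hunk; a helper that returns the allowlist should be explicitly private rather than risk becoming a public method on the controller. The `%w{}` literal is also rebuilt on every call and is mutable; a frozen constant expresses that this is fixed configuration: `ALLOWED_EVENTS = %w[capture void_transaction credit refund resend_authorization_email].freeze` with `def allowed_events` simply returning `ALLOWED_EVENTS`. Whichever form is kept, a one-line comment stating that this list guards the `public_send` in `fire` and that `void` is mapped to `void_transaction` before the check will stop the next maintainer from adding an entry without checking which bang method it invokes.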
@@ -241,5 +241,41 @@ describe Spree::Admin::PaymentsController, type: :controller do
         expect(flash[:success]).to eq(I18n.t(:payment_updated))
       end
     end
+
+    context 'on resend_authorization_email event' do
+      let(:params) { { e: 'resend_authorization_email', order_id: order.number, id: payment.id } }
+      let(:mail_mock) { double(:mailer_mock, deliver_later: true) }
+
+      before do
+        allow(PaymentMailer).to receive(:authorize_payment) { mail_mock }
+        allow(request).to receive(:referer) { 'http://foo.com' }
+        allow(Spree::Payment).to receive(:find).with(payment.id.to_s) { payment }
+        allow(payment).to receive(:cvv_response_message).and_return("https://www.stripe.com/authorize")
+      end
+
+      it "resends the authorization email" do
+        spree_put :fire, params
+
+        expect(flash[:success]).to eq(I18n.t(:payment_updated))
+        expect(PaymentMailer).to have_received(:authorize_payment)
+        expect(mail_mock).to have_received(:deliver_later)
+      end
+    end
+
+    context 'on an unrecognized event' do
+      let(:params) { { e: 'unrecognized_event', order_id: order.number, id: payment.id } }
+
+      before do
+        allow(request).to receive(:referer) { 'http://foo.com' }
+        allow(Spree::Payment).to receive(:find).with(payment.id.to_s) { payment }
+      end
+
+      it 'does not process the event' do
+        spree_put :fire, params
+
+        expect(payment).to_not receive(:unrecognized_event)
+        expect(flash[:error]).to eq(I18n.t(:cannot_perform_operation))
+      end
+    end
   end
 end
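Review bot: In the 'on an unrecognized event' example, `expect(payment).to_not receive(:unrecognized_event)` is declared after `spree_put :fire, params` has already run, so it can never fail: a negative message expectation only watches calls made after it is set. It also names `:unrecognized_event` while the controller sends `"#{event}!"`, so the method that must not be reached is `:unrecognized_event!`. Move the expectation above the request, `expect(payment).not_to receive(:unrecognized_event!)` followed by `spree_put :fire, params`, and keep the flash assertion after the call. The surrounding `describe` block, and the context that the hunk's first three context lines close, start outside the hunk.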