diff --git a/app/templates/account/payments-view.jade b/app/templates/account/payments-view.jade
index cc488cbee..8b1e6e1d0 100644
--- a/app/templates/account/payments-view.jade
+++ b/app/templates/account/payments-view.jade
@@ -13,7 +13,7 @@ block content
 if subscribed
 button.end-subscription-button.btn.btn-lg.btn-warning(data-i18n="subscribe.unsubscribe") Unsubscribe
 .payment-status(data-i18n="account.status_subscribed")
- else
+ else if !me.isAnonymous()
 button.start-subscription-button.btn.btn-lg.btn-success(data-i18n="subscribe.subscribe") Subscribe
 if active
 .payment-status(data-i18n="account.status_unsubscribed_active")
diff --git a/server/payments/payment_handler.coffee b/server/payments/payment_handler.coffee
index 9d17db898..f2e4f2bd4 100644
--- a/server/payments/payment_handler.coffee
+++ b/server/payments/payment_handler.coffee
@@ -56,6 +56,9 @@ PaymentHandler = class PaymentHandler extends Handler
 payment
 
 post: (req, res) ->
+ if (not req.user) or req.user.isAnonymous()
+ return @sendForbiddenError(res)
+
 appleReceipt = req.body.apple?.rawReceipt
 appleTransactionID = req.body.apple?.transactionID
 appleLocalPrice = req.body.apple?.localPrice
diff --git a/server/payments/subscription_handler.coffee b/server/payments/subscription_handler.coffee
index e82fcb9e3..231f059d4 100644
--- a/server/payments/subscription_handler.coffee
+++ b/server/payments/subscription_handler.coffee
@@ -16,6 +16,9 @@ class SubscriptionHandler extends Handler
 console.warn "Subscription Error: #{req.user.get('slug')} (#{req.user._id}): '#{msg}'"
 
 subscribeUser: (req, user, done) ->
+ if (not req.user) or req.user.isAnonymous()
+ return done({res: 'You must be signed in to subscribe.', code: 403})
+
 stripeToken = req.body.stripe?.token
 extantCustomerID = user.get('stripe')?.customerID
 if not (stripeToken or extantCustomerID)
diff --git a/test/server/functional/payment.spec.coffee b/test/server/functional/payment.spec.coffee
index 34961b690..26cb4cb44 100644
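Review bot: With the branch now reading `else if !me.isAnonymous()`, an anonymous visitor who is not subscribed gets neither the Unsubscribe nor the Subscribe button and no explanation, because the hunk adds no final `else`. A closing branch such as `else` followed by `.payment-status(data-i18n="<sign-in prompt key>")` (placeholder — use the project's real i18n key) would tell the visitor to sign in first. Hiding the button is presentation only; the 403 guards added to the two server handlers in this same commit are the actual control, so this is a usability point. The enclosing `block content` starts outside the hunk.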
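Review bot: The predicate `(not req.user) or req.user.isAnonymous()` added at the top of `post:` is duplicated verbatim in `subscribeUser` in subscription_handler.coffee in this commit, and the two answer differently (`@sendForbiddenError(res)` here, a hand-built `{res: ..., code: 403}` there), so the definition of "may pay" can drift between the two entry points. Since both classes `extend Handler`, a single helper on the base, e.g. `isSignedInUser: (req) -> req.user? and not req.user.isAnonymous()`, called from both guards keeps them aligned. A why-comment above the guard would also help the next reader: `# Anonymous sessions are never charged or credited; the client hides the button, this is the enforcement.` The body of `post:` continues past the hunk.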
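Review bot: The new guard in `subscribeUser` tests `req.user`, the requester, while the subscription itself is read from and written to the separate `user` argument (`user.get('stripe')` on the next context line), so the check decides who is asking, not whose account is changed. Whether a signed-in requester is meant to be able to subscribe a different `user` (an admin edit, for instance) is not visible from this hunk and should be stated, e.g. `# req.user is the requester and must be a real session; user may be a different account — ownership is checked by the caller` if that is where it lives. If no caller performs that check, comparing the two ids here would be the place to do it. The function continues beyond the hunk.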
--- a/test/server/functional/payment.spec.coffee
+++ b/test/server/functional/payment.spec.coffee
@@ -31,6 +31,12 @@ describe '/db/payment', ->
 done()
 
 describe 'posting Apple IAPs', ->
+
+ it 'denies anonymous users trying to pay', (done) ->
+ request.get getURL('/auth/whoami'), ->
+ request.post {uri: paymentURL, json: firstApplePayment}, (err, res, body) ->
+ expect(res.statusCode).toBe 403
+ done()
 
 it 'creates a payment object and credits gems to the user', (done) ->
 loginJoe ->
diff --git a/test/server/functional/subscription.spec.coffee b/test/server/functional/subscription.spec.coffee
index 57bd86e09..f2e5d37b4 100644
--- a/test/server/functional/subscription.spec.coffee
+++ b/test/server/functional/subscription.spec.coffee
@@ -91,6 +91,14 @@ describe '/db/user, editing stripe property', ->
 throw err if err
 done()
 
+ it 'denies anonymous users trying to subscribe', (done) ->
+ request.get getURL('/auth/whoami'), (err, res, body) ->
+ body = JSON.parse(body)
+ body.stripe = { planID: 'basic', token: '12345' }
+ request.put {uri: userURL, json: body}, (err, res, body) ->
+ expect(res.statusCode).toBe 403
+ done()
+
 #- shared data between tests
 joeData = null
 firstSubscriptionID = null
@@ -202,7 +210,6 @@ describe '/db/user, editing stripe property', ->
 joeData.email = 'newEmail@gmail.com'
 request.put {uri: userURL, json: joeData }, (err, res, body) ->
 f = -> stripe.customers.retrieve joeData.stripe.customerID, (err, customer) ->
- console.log 'customer?', customer
 expect(customer.email).toBe('newEmail@gmail.com')
 done()
 setTimeout(f, 500) # bit of a race condition here, response returns before stripe has been updated
diff --git a/test/server/functional/user.spec.coffee b/test/server/functional/user.spec.coffee
index e78b53f43..6952e3760 100644
--- a/test/server/functional/user.spec.coffee
+++ b/test/server/functional/user.spec.coffee
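Review bot: The new 'denies anonymous users trying to pay' case asserts only `res.statusCode`, so a handler that rejected the request after persisting a payment or crediting gems would still pass. After the 403, load the payment collection the way the neighbouring 'creates a payment object' test presumably does and assert it is still empty, and assert the anonymous user's gem balance is unchanged. The same gap exists in the 'denies anonymous users trying to subscribe' case in subscription.spec.coffee, where the user's `stripe` property should be re-read after the PUT and asserted untouched. The `request.get getURL('/auth/whoami'), ->` callback also drops `err`, unlike its counterpart in the subscription test; surfacing it keeps a failed session setup from being misread as a handler failure.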
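Review bot: The 'denies anonymous users trying to subscribe' case PUTs the anonymous `whoami` body to `userURL`, but `userURL` is defined outside the hunk and it is not visible whether it targets the anonymous user's own id or a fixed user such as Joe. If it is the latter, the 403 would come from the user handler refusing to let one account edit another, and the new `subscribeUser` guard would never be exercised. Building the target from the body, e.g. `request.put {uri: getURL("/db/user/#{body._id}"), json: body}, ...` (constructed — adjust to the project's user route), or adding a comment stating that `userURL` resolves to the caller, would make the test pin the intended check.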
@@ -28,7 +28,7 @@ describe 'Server user object', ->
 expect(JSON.stringify(user.get('emailSubscriptions'))).toBe(JSON.stringify(['tester', 'level_creator']))
 done()
 
-describe 'User.updateMailChimp', ->
+describe 'User.updateServiceSettings', ->
 makeMC = (callback) ->
 GLOBAL.mc =
 lists:
@@ -40,7 +40,7 @@ describe 'User.updateMailChimp', ->
 done()
 user = new User({emailSubscriptions: ['announcement'], email: 'tester@gmail.com'})
- User.updateMailChimp(user)
+ User.updateServiceSettings(user)
 describe 'POST /db/user', ->