From 0edf4e0ca1abfa588a8eaa8e2136cd42f1e2af66 Mon Sep 17 00:00:00 2001
From: Scott Erickson <sderickson@gmail.com>
Date: Thu, 4 Dec 2014 13:07:00 -0800
Subject: [PATCH] Fixed a MailChimp test. Fixed payment and subscription
 handlers to deny anonymous users. Hid the subscribe button from anonymous
 users.

---
 app/templates/account/payments-view.jade        | 2 +-
 server/payments/payment_handler.coffee          | 3 +++
 server/payments/subscription_handler.coffee     | 3 +++
 test/server/functional/payment.spec.coffee      | 6 ++++++
 test/server/functional/subscription.spec.coffee | 9 ++++++++-
 test/server/functional/user.spec.coffee         | 4 ++--
 6 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/app/templates/account/payments-view.jade b/app/templates/account/payments-view.jade
index cc488cbee..8b1e6e1d0 100644
--- a/app/templates/account/payments-view.jade
+++ b/app/templates/account/payments-view.jade
@@ -13,7 +13,7 @@ block content
   if subscribed
     button.end-subscription-button.btn.btn-lg.btn-warning(data-i18n="subscribe.unsubscribe") Unsubscribe
     .payment-status(data-i18n="account.status_subscribed")
-  else
+  else if !me.isAnonymous()
     button.start-subscription-button.btn.btn-lg.btn-success(data-i18n="subscribe.subscribe") Subscribe
     if active
       .payment-status(data-i18n="account.status_unsubscribed_active")
diff --git a/server/payments/payment_handler.coffee b/server/payments/payment_handler.coffee
index 9d17db898..f2e4f2bd4 100644
--- a/server/payments/payment_handler.coffee
+++ b/server/payments/payment_handler.coffee
@@ -56,6 +56,9 @@ PaymentHandler = class PaymentHandler extends Handler
     payment
 
   post: (req, res) ->
+    if (not req.user) or req.user.isAnonymous()
+      return @sendForbiddenError(res)
+    
     appleReceipt = req.body.apple?.rawReceipt
     appleTransactionID = req.body.apple?.transactionID
     appleLocalPrice = req.body.apple?.localPrice
diff --git a/server/payments/subscription_handler.coffee b/server/payments/subscription_handler.coffee
index e82fcb9e3..231f059d4 100644
--- a/server/payments/subscription_handler.coffee
+++ b/server/payments/subscription_handler.coffee
@@ -16,6 +16,9 @@ class SubscriptionHandler extends Handler
     console.warn "Subscription Error: #{req.user.get('slug')} (#{req.user._id}): '#{msg}'"
 
   subscribeUser: (req, user, done) ->
+    if (not req.user) or req.user.isAnonymous()
+      return done({res: 'You must be signed in to subscribe.', code: 403})
+
     stripeToken = req.body.stripe?.token
     extantCustomerID = user.get('stripe')?.customerID
     if not (stripeToken or extantCustomerID)
diff --git a/test/server/functional/payment.spec.coffee b/test/server/functional/payment.spec.coffee
index 34961b690..26cb4cb44 100644
--- a/test/server/functional/payment.spec.coffee
+++ b/test/server/functional/payment.spec.coffee
@@ -31,6 +31,12 @@ describe '/db/payment', ->
       done()
 
   describe 'posting Apple IAPs', ->
+    
+    it 'denies anonymous users trying to pay', (done) ->
+      request.get getURL('/auth/whoami'), ->
+        request.post {uri: paymentURL, json: firstApplePayment}, (err, res, body) ->
+          expect(res.statusCode).toBe 403
+          done()
       
     it 'creates a payment object and credits gems to the user', (done) ->
       loginJoe ->
diff --git a/test/server/functional/subscription.spec.coffee b/test/server/functional/subscription.spec.coffee
index 57bd86e09..f2e5d37b4 100644
--- a/test/server/functional/subscription.spec.coffee
+++ b/test/server/functional/subscription.spec.coffee
@@ -91,6 +91,14 @@ describe '/db/user, editing stripe property', ->
       throw err if err
       done()
 
+  it 'denies anonymous users trying to subscribe', (done) ->
+    request.get getURL('/auth/whoami'), (err, res, body) ->
+      body = JSON.parse(body)
+      body.stripe = { planID: 'basic', token: '12345' }
+      request.put {uri: userURL, json: body}, (err, res, body) ->
+        expect(res.statusCode).toBe 403
+        done()
+
   #- shared data between tests
   joeData = null
   firstSubscriptionID = null
@@ -202,7 +210,6 @@ describe '/db/user, editing stripe property', ->
     joeData.email = 'newEmail@gmail.com'
     request.put {uri: userURL, json: joeData }, (err, res, body) ->
       f = -> stripe.customers.retrieve joeData.stripe.customerID, (err, customer) ->
-        console.log 'customer?', customer
         expect(customer.email).toBe('newEmail@gmail.com')
         done()
       setTimeout(f, 500) # bit of a race condition here, response returns before stripe has been updated
diff --git a/test/server/functional/user.spec.coffee b/test/server/functional/user.spec.coffee
index e78b53f43..6952e3760 100644
--- a/test/server/functional/user.spec.coffee
+++ b/test/server/functional/user.spec.coffee
@@ -28,7 +28,7 @@ describe 'Server user object', ->
     expect(JSON.stringify(user.get('emailSubscriptions'))).toBe(JSON.stringify(['tester', 'level_creator']))
     done()
 
-describe 'User.updateMailChimp', ->
+describe 'User.updateServiceSettings', ->
   makeMC = (callback) ->
     GLOBAL.mc =
       lists:
@@ -40,7 +40,7 @@ describe 'User.updateMailChimp', ->
       done()
 
     user = new User({emailSubscriptions: ['announcement'], email: 'tester@gmail.com'})
-    User.updateMailChimp(user)
+    User.updateServiceSettings(user)
 
 describe 'POST /db/user', ->