enforce admin

cobudget-old · Apr 19, 2016 · a97fa3b · a97fa3b
1 parent 6a2c126
commit a97fa3b
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
@@ -35,15 +35,23 @@ def update
   api :POST, '/groups/:id/add_card', 'Add a credit card that pays for the group'
   def add_card
     group = Group.find(params[:id])
-    group.add_card(params[:stripeEmail], params[:stripeToken])
-    render status: 200, nothing: true
+    if current_user.is_admin_for?(group)
+      group.add_card(params[:stripeEmail], params[:stripeToken])
+      render status: 200, nothing: true
+    else
+      render status: 403, nothing: true
+    end
   end
 
   api :POST, '/groups/:id/extend_trial', 'Extend the group trial by 30 days'
   def extend_trial
     group = Group.find(params[:id])
-    group.extend_trial()
-    render status: 200, nothing: true
+    if current_user.is_admin_for?(group)
+      group.extend_trial()
+      render status: 200, nothing: true
+    else
+      render status: 403, nothing: true
+    end
   end
 
   private