From a97fa3b351a5d02729a637c7803e99fa5630a21a Mon Sep 17 00:00:00 2001
From: Connor Turland
Date: Tue, 19 Apr 2016 12:44:13 -0400
Subject: [PATCH] enforce admin

---
 app/controllers/groups_controller.rb | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 6ed3b2ed3..b8f3ae8e1 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -35,15 +35,23 @@ def update
   api :POST, '/groups/:id/add_card', 'Add a credit card that pays for the group'
   def add_card
     group = Group.find(params[:id])
-    group.add_card(params[:stripeEmail], params[:stripeToken])
-    render status: 200, nothing: true
+    if current_user.is_admin_for?(group)
+      group.add_card(params[:stripeEmail], params[:stripeToken])
+      render status: 200, nothing: true
+    else
+      render status: 403, nothing: true
+    end
   end
 
   api :POST, '/groups/:id/extend_trial', 'Extend the group trial by 30 days'
   def extend_trial
     group = Group.find(params[:id])
-    group.extend_trial()
-    render status: 200, nothing: true
+    if current_user.is_admin_for?(group)
+      group.extend_trial()
+      render status: 200, nothing: true
+    else
+      render status: 403, nothing: true
+    end
   end
 
   private
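Review bot: The new `current_user.is_admin_for?(group)` check is pasted verbatim into both add_card and extend_trial, so any future group-mutating action gets no protection unless its author remembers to copy it again; a `before_action :require_group_admin, only: %i[add_card extend_trial]` backed by one private helper keeps the check in a single place and makes the list of guarded actions visible at the top of the controller. The check also assumes `current_user` is non-nil — if no authentication filter runs before these actions (not visible in this hunk), an anonymous request raises NoMethodError and surfaces as a 500 rather than a 403, so the helper should tolerate a nil user. `Group.find` still runs before the admin check, so a non-admin can tell an existing group (403) from a missing one (404); that is probably acceptable but deserves a one-line comment stating it is intended. update and the rest of the controller are outside the hunk, so whether they carry an equivalent check cannot be confirmed here.
```ruby
before_action :require_group_admin, only: %i[add_card extend_trial]

# … unchanged: api declarations; add_card / extend_trial bodies with the inline check removed, using @group …

private

# Deny the request unless the signed-in user administers the group named in
# the route. Group existence (404) is checked before admin status (403).
def require_group_admin
  @group = Group.find(params[:id])
  render status: 403, nothing: true unless current_user && current_user.is_admin_for?(@group)
end
```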