cf0979157f
We check authorization for all billin-related operations once with
authorize("Project:billing", @project.id).
After that, users can provide any resource ID from other projects to
delete payment method and usage alert, or get invoice details.
It's important that customers can only access their own resources.
30 lines
851 B
Ruby
30 lines
851 B
Ruby
# frozen_string_literal: true
|
|
|
|
class Clover
|
|
hash_branch(:project_prefix, "usage-alert") do |r|
|
|
r.web do
|
|
authorize("Project:billing", @project.id)
|
|
|
|
r.post true do
|
|
name = r.params["alert_name"]
|
|
Validation.validate_short_text(name, "name")
|
|
limit = Validation.validate_usage_limit(r.params["limit"])
|
|
|
|
UsageAlert.create_with_id(project_id: @project.id, user_id: current_account_id, name: name, limit: limit)
|
|
|
|
r.redirect "#{@project.path}/billing"
|
|
end
|
|
|
|
r.is String do |usage_alert_ubid|
|
|
next unless (usage_alert = UsageAlert.from_ubid(usage_alert_ubid)) && usage_alert.project_id == @project.id
|
|
|
|
r.delete true do
|
|
usage_alert.destroy
|
|
flash["notice"] = "Usage alert #{usage_alert.name} is deleted."
|
|
204
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|