From ea535d86b230cba8ceb1034e3908ab17d7f5420b Mon Sep 17 00:00:00 2001
From: Du Peng
Date: Sat, 27 Aug 2022 18:59:59 +0200
Subject: [PATCH] add checkout policy

---
 app/controllers/api/checkout_controller.rb | 4 +++-
 app/policies/checkout_policy.rb | 10 ++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 app/policies/checkout_policy.rb

diff --git a/app/controllers/api/checkout_controller.rb b/app/controllers/api/checkout_controller.rb
index 45da6a63e..05e5faa84 100644
--- a/app/controllers/api/checkout_controller.rb
+++ b/app/controllers/api/checkout_controller.rb
@@ -8,7 +8,8 @@ class API::CheckoutController < API::ApiController
   before_action :ensure_order
 
   def payment
-    if order.statistic_profile_id.nil? && current_user.privileged?
+    authorize @current_order, policy_class: CheckoutPolicy
+    if @current_order.statistic_profile_id.nil? && current_user.privileged?
       user = User.find(params[:customer_id])
       @current_order.statistic_profile = user.statistic_profile
     end
@@ -20,6 +21,7 @@ class API::CheckoutController < API::ApiController
   end
 
   def confirm_payment
+    authorize @current_order, policy_class: CheckoutPolicy
     res = Checkout::PaymentService.new.confirm_payment(@current_order, current_user, params[:coupon_code], params[:payment_id])
     render json: res
   rescue StandardError => e
diff --git a/app/policies/checkout_policy.rb b/app/policies/checkout_policy.rb
new file mode 100644
index 000000000..045361caf
--- /dev/null
+++ b/app/policies/checkout_policy.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+# Check the access policies for API::CheckoutController
+class CheckoutPolicy < ApplicationPolicy
+  %w[payment confirm_payment].each do |action|
+    define_method "#{action}?" do
+      return user.privileged? || (record.statistic_profile_id == user.statistic_profile.id)
+    end
+  end
+end
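Review bot: The new `authorize @current_order, policy_class: CheckoutPolicy` line relies on `@current_order` already being set by the `before_action :ensure_order` shown at the top of the hunk; if `ensure_order` can fall through with a nil order (its body is outside the hunk), `CheckoutPolicy#payment?` will call `statistic_profile_id` on nil for a non-privileged caller and surface a NoMethodError rather than a clean authorization failure. Since this action and `confirm_payment` in the next hunk authorize the same record against the same policy, the check would be easier to keep consistent as a single `before_action :authorize_order` declared right after `ensure_order`, with `def authorize_order = authorize(@current_order, policy_class: CheckoutPolicy)` in the private section, so that a future action on this controller cannot be added without the policy applying. The body of `payment` continues past the end of the hunk.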
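Review bot: Placing `authorize` inside the body of `confirm_payment` puts it under the method-level `rescue StandardError => e` visible three lines below; assuming this is Pundit, `Pundit::NotAuthorizedError` is a `StandardError` subclass, so an authorization denial will be caught by that rescue and handled like a payment failure (the rescue body is outside the hunk, so the exact response it produces cannot be seen here) instead of reaching whatever `NotAuthorizedError` handler the application defines. Either move the call into a `before_action`, which runs outside the method's rescue, or exclude it explicitly with `rescue Pundit::NotAuthorizedError` / `raise` ahead of the `StandardError` clause. The `payment` action in the previous hunk may have the same shape, but its rescue clause, if any, is not visible.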
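Review bot: In the generated `payment?`/`confirm_payment?` the non-privileged branch calls `user.statistic_profile.id` with no nil guard, so a user whose `statistic_profile` association is unset (if that is possible in this schema) raises NoMethodError from inside the policy instead of being denied. A plain `&.` is not a safe fix on its own, because `record.statistic_profile_id == nil` is true for an order that has no profile yet, which would grant any non-privileged user access to such an order; the comparison should require a concrete profile id on both sides. The `return` keyword is also redundant as the last expression of the block, and the `%w[...].each { define_method ... }` loop can be replaced by one method plus an `alias`, which is easier to read and to grep. A rewrite along those lines is below.
```ruby
# Check the access policies for API::CheckoutController
class CheckoutPolicy < ApplicationPolicy
  # Privileged users may act on any order; other users only on an order
  # that is bound to their own statistic profile.
  def payment?
    return true if user.privileged?

    profile_id = user.statistic_profile&.id
    !profile_id.nil? && record.statistic_profile_id == profile_id
  end
  alias confirm_payment? payment?
end
```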