Merge pull request #4261 from spaghetticode/spaghetticode/fix-order-c…
…reate-permissions

Fix order create permissions
waiting-for-dev authored Mar 3, 2022
2 parents 02c4205 + 18cf175 commit fde58ec
Showing 3 changed files with 14 additions and 9 deletions.
10 changes: 4 additions & 6 deletions backend/app/views/spree/admin/orders/index.html.erb
Expand Up @@ -7,7 +7,7 @@
<li>
<%= link_to t('spree.new_order'), new_admin_order_url, id: 'admin_new_order', class: 'btn btn-primary' %>
</li>
<% end if can? :manage, Spree::Order %>
<% end if can? :create, Spree::Order %>

<% content_for :table_filter_title do %>
<%= t('spree.filter') %>
Expand Down Expand Up @@ -191,11 +191,9 @@
</table>
<% else %>
<div class="no-objects-found">
<% if can? :manage, Spree::Order %>
<%= render 'spree/admin/shared/no_objects_found',
resource: Spree::Order,
new_resource_url: spree.new_admin_order_path %>
<% end %>
<%= render 'spree/admin/shared/no_objects_found',
resource: Spree::Order,
new_resource_url: spree.new_admin_order_path %>
</div>
<% end %>
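Review bot: The second hunk renders `spree/admin/shared/no_objects_found` with `new_resource_url` unconditionally, while the first hunk still gates the header link on `can? :create, Spree::Order`; unless the partial checks `can? :create` itself (not visible here), a user without create permission would see a "new" link in the empty state that the header hides. Either keep a guard such as `<% if can? :create, Spree::Order %>` around the render, or confirm the partial performs the same check. The enclosing template continues outside both hunks.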

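--- a/core/lib/spree/permission_sets/default_customer.rb
+++ b/core/lib/spree/permission_sets/default_customer.rb
@@ -7,7 +7,14 @@ def activate!
 can :read, Country
 can :read, OptionType
 can :read, OptionValue
-can :create, Order
+can :create, Order do |order, token|
+# same user, or both nil
+order.user == user ||
+# guest checkout order
+order.email.present? ||
+# via API, just like with show and update
+(order.guest_token.present? && token == order.guest_token)
+end
 can [:show, :update], Order, Order.where(user: user) do |order, token|
 order.user == user || (order.guest_token.present? && token == order.guest_token)
 end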
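Review bot: The `order.email.present?` branch in the new `can :create, Order` block is evaluated independently of `order.user`, so an order already assigned to a different user passes the check as long as it carries an email; the preceding `order.user == user` comparison does not constrain it. If the guest-checkout branch is meant for orders with no owner, scoping it pins that intent: `(order.user.nil? && order.email.present?) ||`. Whether callers always assign `order.user` from the current user before this ability is consulted is not visible here, so the spec context for an order requested by another user should also cover an order that has both another user and an email. `activate!` starts outside the hunk.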
4 changes: 2 additions & 2 deletions core/spec/models/spree/ability_spec.rb
Expand Up @@ -175,7 +175,7 @@ def initialize(user)
context 'requested by other user' do
before(:each) { resource.user = Spree.user_class.new }
it { expect(ability).not_to be_able_to(:show, resource) }
it_should_behave_like 'create only'
it { expect(ability).to_not be_able_to(:create, resource) }
end

context 'requested with proper token' do
Expand All @@ -189,7 +189,7 @@ def initialize(user)
let(:token) { 'FAIL' }
before(:each) { allow(resource).to receive_messages guest_token: 'TOKEN123' }
it { expect(ability).not_to be_able_to(:show, resource, token) }
it_should_behave_like 'create only'
it { expect(ability).to_not be_able_to(:create, resource, token) }
end
end
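Review bot: Both changed examples assert only that `:create` is denied, while the permission change in this commit adds a guest-checkout branch (`order.email.present?`) that none of the visible spec lines exercises. A positive example along the lines of `it { expect(ability).to be_able_to(:create, Spree::Order.new(email: 'guest@example.test')) }` (constructed sample) would pin that branch, and a companion negative for an order carrying both another user and an email would document where the boundary is. Such cases may already exist outside the hunks. The contexts shown sit inside describe blocks that start outside the hunk.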

