solidusio · waiting-for-dev · Mar 3, 2022 · Jan 31, 2022 · Feb 9, 2022 · Feb 9, 2022
diff --git a/backend/app/views/spree/admin/orders/index.html.erb b/backend/app/views/spree/admin/orders/index.html.erb
@@ -7,7 +7,7 @@
   <li>
     <%= link_to t('spree.new_order'), new_admin_order_url, id: 'admin_new_order', class: 'btn btn-primary' %>
   </li>
-<% end if can? :manage, Spree::Order %>
+<% end if can? :create, Spree::Order %>
 
 <% content_for :table_filter_title do %>
   <%= t('spree.filter') %>
@@ -191,11 +191,9 @@
   </table>
 <% else %>
   <div class="no-objects-found">
-    <% if can? :manage, Spree::Order %>
-      <%= render 'spree/admin/shared/no_objects_found',
-                   resource: Spree::Order,
-                   new_resource_url: spree.new_admin_order_path %>
-    <% end %>
+    <%= render 'spree/admin/shared/no_objects_found',
+               resource: Spree::Order,
+               new_resource_url: spree.new_admin_order_path %>
   </div>
 <% end %>
 

diff --git a/core/lib/spree/permission_sets/default_customer.rb b/core/lib/spree/permission_sets/default_customer.rb
@@ -7,7 +7,14 @@ def activate!
         can :read, Country
         can :read, OptionType
         can :read, OptionValue
-        can :create, Order
+        can :create, Order do |order, token|
+          # same user, or both nil
+          order.user == user ||
+          # guest checkout order
+          order.email.present? ||
+          # via API, just like with show and update
+          (order.guest_token.present? && token == order.guest_token)
+        end
         can [:show, :update], Order, Order.where(user: user) do |order, token|
           order.user == user || (order.guest_token.present? && token == order.guest_token)
         end

diff --git a/core/spec/models/spree/ability_spec.rb b/core/spec/models/spree/ability_spec.rb
@@ -175,7 +175,7 @@ def initialize(user)
       context 'requested by other user' do
         before(:each) { resource.user = Spree.user_class.new }
         it { expect(ability).not_to be_able_to(:show, resource) }
-        it_should_behave_like 'create only'
+        it { expect(ability).to_not be_able_to(:create, resource) }
       end
 
       context 'requested with proper token' do
@@ -189,7 +189,7 @@ def initialize(user)
         let(:token) { 'FAIL' }
         before(:each) { allow(resource).to receive_messages guest_token: 'TOKEN123' }
         it { expect(ability).not_to be_able_to(:show, resource, token) }
-        it_should_behave_like 'create only'
+        it { expect(ability).to_not be_able_to(:create, resource, token) }
       end
     end