authorAlessandro Desantis <desa.alessandro@gmail.com>2020-10-14 10:31:15 +0200
committerAlessandro Desantis <desa.alessandro@gmail.com>2020-10-21 11:49:29 +0200
commit204ac4bbaadac79bc4dfa1ac3c12b3be421d4622 (patch)
tree17ccc7a0b6eeed26bd4907d7e1f736fb45b4bc1d
parent8ff161a4b02d395ec81f9f6331e0e11f8e81363c (diff)
Fix DefaultCustomer permission set giving guests access to admin
The DefaultCustomer permission set would allow guests to open the admin subscriptions list (although they wouldn't be able to see any individual subscriptions in it).
-rw-r--r--lib/solidus_subscriptions/permission_sets/default_customer.rb4
-rw-r--r--spec/lib/solidus_subscriptions/permission_sets/default_customer_spec.rb32
2 files changed, 18 insertions, 18 deletions
diff --git a/lib/solidus_subscriptions/permission_sets/default_customer.rb b/lib/solidus_subscriptions/permission_sets/default_customer.rb
index df9845e..ebe888e 100644
--- a/lib/solidus_subscriptions/permission_sets/default_customer.rb
+++ b/lib/solidus_subscriptions/permission_sets/default_customer.rb
@@ -4,12 +4,12 @@ module SolidusSubscriptions
module PermissionSets
class DefaultCustomer < ::Spree::PermissionSets::Base
def activate!
- can :manage, Subscription, ['user_id = ?', user.id] do |subscription, guest_token|
+ can [:display, :update, :skip, :cancel], Subscription, ['user_id = ?', user.id] do |subscription, guest_token|
(subscription.guest_token.present? && subscription.guest_token == guest_token) ||
(subscription.user && subscription.user == user)
end
- can :manage, LineItem do |line_item, guest_token|
+ can [:display, :update, :destroy], LineItem do |line_item, guest_token|
(line_item.subscription&.guest_token.present? && line_item.subscription.guest_token == guest_token) ||
(line_item.subscription&.user && line_item.subscription.user == user)
end
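Review bot: The guest-token check in the new Subscription rule, and the LineItem rule below it, still compares the token with plain `==`, which is not constant-time; since `guest_token` is the only credential an anonymous caller presents, compare it with `ActiveSupport::SecurityUtils.secure_compare(subscription.guest_token, guest_token.to_s)` (the `.to_s` guards against a non-String value arriving from params, which would make `secure_compare` raise). Replacing `:manage` with an explicit action list is the right fix, because `:manage` matches every action including `:admin`; it is worth saying so for the next reader, e.g. `# Explicit actions rather than :manage — :manage also satisfies :admin and would open the admin UI to customers.` above the first `can`. For anonymous callers `user.id` in the SQL condition is presumably `nil` (Spree::Ability appears to substitute a blank user, judging by `Spree::Ability.new(nil)` in the spec), which matches no row; confirm that is the case rather than a `NoMethodError`. The `end` of `activate!` lies outside the hunk.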
diff --git a/spec/lib/solidus_subscriptions/permission_sets/default_customer_spec.rb b/spec/lib/solidus_subscriptions/permission_sets/default_customer_spec.rb
index 222f260..7865aab 100644
--- a/spec/lib/solidus_subscriptions/permission_sets/default_customer_spec.rb
+++ b/spec/lib/solidus_subscriptions/permission_sets/default_customer_spec.rb
@@ -2,7 +2,7 @@
RSpec.describe SolidusSubscriptions::PermissionSets::DefaultCustomer do
context 'when the user is authenticated' do
- it 'is allowed to manage their subscriptions' do
+ it 'is allowed to display and update their subscriptions' do
user = create(:user)
subscription = create(:subscription, user: user)
@@ -10,10 +10,10 @@ RSpec.describe SolidusSubscriptions::PermissionSets::DefaultCustomer do
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).to be_able_to(:manage, subscription)
+ expect(ability).to be_able_to([:display, :update], subscription)
end
- it "is allowed to manage someone else's subscriptions" do
+ it "is not allowed to display or update someone else's subscriptions" do
user = create(:user)
subscription = create(:subscription)
@@ -21,10 +21,10 @@ RSpec.describe SolidusSubscriptions::PermissionSets::DefaultCustomer do
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).not_to be_able_to(:manage, subscription)
+ expect(ability).not_to be_able_to([:display, :update], subscription)
end
- it 'is allowed to manage line items on their subscriptions' do
+ it 'is allowed to display and update line items on their subscriptions' do
user = create(:user)
subscription = create(:subscription, user: user)
line_item = create(:subscription_line_item, subscription: subscription)
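Review bot: The negative assertion `expect(ability).not_to be_able_to([:display, :update], subscription)` is weaker than it reads: if cancancan's array form of `be_able_to` behaves as documented (true only when every listed action is permitted), the negation is satisfied as soon as one action is denied and would not catch `:display` leaking on its own. Assert each action separately, `expect(ability).not_to be_able_to(:display, subscription)` and `expect(ability).not_to be_able_to(:update, subscription)`, and add `expect(ability).not_to be_able_to(:admin, subscription)` so the regression this commit fixes is pinned by a test rather than implied. The positive case at the start of the hunk could likewise list `:skip` and `:cancel`, which the permission set now grants but nothing here exercises.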
@@ -33,10 +33,10 @@ RSpec.describe SolidusSubscriptions::PermissionSets::DefaultCustomer do
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).to be_able_to(:manage, line_item)
+ expect(ability).to be_able_to([:display, :update], line_item)
end
- it "is not allowed to manage line items on someone else's subscriptions" do
+ it "is not allowed to display or update line items on someone else's subscriptions" do
user = create(:user)
subscription = create(:subscription)
line_item = create(:subscription_line_item, subscription: subscription)
@@ -45,32 +45,32 @@ RSpec.describe SolidusSubscriptions::PermissionSets::DefaultCustomer do
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).not_to be_able_to(:manage, line_item)
+ expect(ability).not_to be_able_to([:display, :update], line_item)
end
end
context 'when the user provides a guest token' do
- it 'is allowed to manage their subscriptions' do
+ it 'is allowed to display and update their subscriptions' do
subscription = create(:subscription)
ability = Spree::Ability.new(nil)
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).to be_able_to(:manage, subscription, subscription.guest_token)
+ expect(ability).to be_able_to([:display, :update], subscription, subscription.guest_token)
end
- it "is allowed to manage someone else's subscriptions" do
+ it "is not allowed to display or update someone else's subscriptions" do
subscription = create(:subscription)
ability = Spree::Ability.new(nil)
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).not_to be_able_to(:manage, subscription, 'invalid')
+ expect(ability).not_to be_able_to([:display, :update], subscription, 'invalid')
end
- it 'is allowed to manage line items on their subscriptions' do
+ it 'is allowed to display and update line items on their subscriptions' do
subscription = create(:subscription)
line_item = create(:subscription_line_item, subscription: subscription)
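Review bot: Nothing in the guest context asserts that `:admin` is denied, even though guests reaching the admin area is the regression this commit fixes; with `Spree::Ability.new(nil)` add `expect(ability).not_to be_able_to(:admin, SolidusSubscriptions::Subscription)` (and the same for `SolidusSubscriptions::LineItem`) so a later return to `:manage` fails the suite. The `'invalid'` token case only exercises a wrong string; a `nil` token against a subscription whose `guest_token` is present is worth one more example, since that is what an anonymous request without a token looks like. The array form of `not_to be_able_to([...])` also passes as soon as any one listed action is denied, so the guest negatives should assert `:display` and `:update` individually as well.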
@@ -78,10 +78,10 @@ RSpec.describe SolidusSubscriptions::PermissionSets::DefaultCustomer do
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).to be_able_to(:manage, line_item, subscription.guest_token)
+ expect(ability).to be_able_to([:display, :update], line_item, subscription.guest_token)
end
- it "is not allowed to manage line items on someone else's subscriptions" do
+ it "is not allowed to display or update line items on someone else's subscriptions" do
subscription = create(:subscription)
line_item = create(:subscription_line_item, subscription: subscription)
@@ -89,7 +89,7 @@ RSpec.describe SolidusSubscriptions::PermissionSets::DefaultCustomer do
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).not_to be_able_to(:manage, line_item, 'invalid')
+ expect(ability).not_to be_able_to([:display, :update], line_item, 'invalid')
end
end
end