authorAlessandro Desantis <desa.alessandro@gmail.com>2020-10-07 16:28:34 +0200
committerAlessandro Desantis <desa.alessandro@gmail.com>2020-10-07 16:33:44 +0200
commitae1b46fe30793cecb13a8591e9d753ada9f89039 (patch)
tree693299715c4e98ed7c626e218d39d363960421b4
parentfb0777566944c9deef6cbacd7a7eac335838746a (diff)
Migrate ability to permission sets
Custom abilities are deprecated in favor of the new permission sets API.
-rw-r--r--config/initializers/permission_sets.rb7
-rw-r--r--lib/solidus_subscriptions.rb2
-rw-r--r--lib/solidus_subscriptions/ability.rb19
-rw-r--r--lib/solidus_subscriptions/engine.rb6
-rw-r--r--lib/solidus_subscriptions/permission_sets/subscription_management.rb18
-rw-r--r--spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb70
-rw-r--r--spec/support/cancancan.rb1
7 files changed, 97 insertions, 26 deletions
diff --git a/config/initializers/permission_sets.rb b/config/initializers/permission_sets.rb
new file mode 100644
index 0000000..b4acf71
--- /dev/null
+++ b/config/initializers/permission_sets.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+Spree.config do |config|
+ config.roles.assign_permissions :default, %w[
+ SolidusSubscriptions::PermissionSets::SubscriptionManagement
+ ]
+end
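Review bot: Nothing in this initializer gives the admin role the subscription permissions that the removed `SolidusSubscriptions::Ability` granted explicitly (`can(:manage, Subscription)` and `can(:manage, LineItem)`); only `:default` is assigned. Admin access now presumably depends on whichever permission sets the host store assigns to its admin role, so a store with a customised admin role may lose it. This is worth recording in the changelog or in a comment here, for example `# Admins rely on the store's own admin permission sets; this set only covers a customer's own records.`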
diff --git a/lib/solidus_subscriptions.rb b/lib/solidus_subscriptions.rb
index a6b2edf..21a9b40 100644
--- a/lib/solidus_subscriptions.rb
+++ b/lib/solidus_subscriptions.rb
@@ -7,7 +7,7 @@ require 'deface'
require 'state_machines'
require 'solidus_subscriptions/configuration'
-require 'solidus_subscriptions/ability'
+require 'solidus_subscriptions/permission_sets/subscription_management'
require 'solidus_subscriptions/version'
require 'solidus_subscriptions/engine'
diff --git a/lib/solidus_subscriptions/ability.rb b/lib/solidus_subscriptions/ability.rb
deleted file mode 100644
index 55b6344..0000000
--- a/lib/solidus_subscriptions/ability.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module SolidusSubscriptions
- class Ability
- include CanCan::Ability
-
- def initialize(user)
- if user.has_spree_role?('admin')
- can(:manage, LineItem)
- can(:manage, Subscription)
- else
- can([:index, :show, :create, :update, :destroy, :skip, :cancel], Subscription, user_id: user.id)
- can([:index, :show, :create, :update, :destroy], LineItem) do |line_item, order|
- line_item.order.user == user || line_item.order == order
- end
- end
- end
- end
-end
diff --git a/lib/solidus_subscriptions/engine.rb b/lib/solidus_subscriptions/engine.rb
index ad43db3..c45ecfc 100644
--- a/lib/solidus_subscriptions/engine.rb
+++ b/lib/solidus_subscriptions/engine.rb
@@ -47,12 +47,6 @@ module SolidusSubscriptions
)
end
end
-
- def self.activate
- ::Spree::Ability.register_ability(SolidusSubscriptions::Ability)
- end
-
- config.to_prepare(&method(:activate).to_proc)
end
def self.table_name_prefix
diff --git a/lib/solidus_subscriptions/permission_sets/subscription_management.rb b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
new file mode 100644
index 0000000..8f5edfb
--- /dev/null
+++ b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module SolidusSubscriptions
+ module PermissionSets
+ class SubscriptionManagement < ::Spree::PermissionSets::Base
+ def activate!
+ can :manage, Subscription do |subscription|
+ subscription.user == user
+ end
+
+ can :manage, LineItem do |line_item, order|
+ (line_item.order && line_item.order == order) ||
+ (line_item.order&.user && line_item.order.user == user)
+ end
+ end
+ end
+ end
+end
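Review bot: The `can :manage, Subscription` rule in `activate!` widens the default role's grant from the seven actions the removed ability listed (`index`, `show`, `create`, `update`, `destroy`, `skip`, `cancel`) to every action, including any added to the controllers later; the `LineItem` rule widens in the same way. Keeping the explicit lists, e.g. `can %i[index show create update destroy skip cancel], Subscription do |subscription|`, preserves least privilege. Both rules are also block-only now, and CanCan evaluates a block only against an instance. A class-level check such as `can?(:index, Subscription)` therefore passes for every user, and `accessible_by` cannot derive a scope from these rules. Collection endpoints then have to scope by owner themselves; that code is not visible in this diff and should be confirmed.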
diff --git a/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb b/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
new file mode 100644
index 0000000..779fc9b
--- /dev/null
+++ b/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+RSpec.describe SolidusSubscriptions::PermissionSets::SubscriptionManagement do
+ it 'is allowed to manage their subscriptions' do
+ user = create(:user)
+ subscription = create(:subscription, user: user)
+
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).to be_able_to(:manage, subscription)
+ end
+
+ it "is allowed to manage someone else's subscriptions" do
+ user = create(:user)
+ subscription = create(:subscription)
+
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).not_to be_able_to(:manage, subscription)
+ end
+
+ it 'is allowed to manage line items on their orders' do
+ user = create(:user)
+ order = create(:order, user: user)
+ line_item = create(
+ :subscription_line_item,
+ spree_line_item: create(:line_item, order: create(:order, user: user)),
+ )
+
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).to be_able_to(:manage, line_item, order)
+ end
+
+ it 'is allowed to manage line items on the given order' do
+ user = create(:user)
+ order = create(:order, user: user)
+ line_item = create(
+ :subscription_line_item,
+ spree_line_item: create(:line_item, order: order),
+ )
+
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).to be_able_to(:manage, line_item, order)
+ end
+
+ it "is not allowed to manage line items on someone else's orders" do
+ user = create(:user)
+ order = create(:order)
+ line_item = create(
+ :subscription_line_item,
+ spree_line_item: create(:line_item),
+ )
+
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).not_to be_able_to(:manage, line_item, order)
+ end
+end
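Review bot: The second example's description, `is allowed to manage someone else's subscriptions`, contradicts its `not_to be_able_to` assertion and should read `is not allowed to manage someone else's subscriptions`. The 'given order' example uses an order owned by `user`, so the ownership branch of the rule already grants access and the `line_item.order == order` branch is never exercised alone; attaching the line item to an order that belongs to a different user and passing that same order would isolate it. There is also no example for a line item whose order or order user is nil, which are the cases the nil guards in `activate!` cover.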
diff --git a/spec/support/cancancan.rb b/spec/support/cancancan.rb
new file mode 100644
index 0000000..7fdda0c
--- /dev/null
+++ b/spec/support/cancancan.rb
@@ -0,0 +1 @@
+require 'cancan/matchers'