author | Alessandro Desantis <desa.alessandro@gmail.com> | 2020-10-09 10:37:05 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-09 10:37:05 +0200 |
commit | ceb0b5a3c7d21213afdf75e496db98ae51640098 (patch) | |
tree | 9043f9b2f5e25a10482df08ba0862d507bc63fbe | |
parent | 4bafb311fe180f3cc0bb38f01f24f2b487e8be8b (diff) | |
parent | 01b44797c96d696ca25d359550eba3426bd2b24d (diff) |
Merge pull request #159 from solidusio-contrib/aldesantis/permissions-fix
Add scope to permission set
8 files changed, 138 insertions, 95 deletions
diff --git a/app/controllers/spree/admin/subscriptions_controller.rb b/app/controllers/spree/admin/subscriptions_controller.rb
index 6c92ace..7db4c77 100644
--- a/app/controllers/spree/admin/subscriptions_controller.rb
+++ b/app/controllers/spree/admin/subscriptions_controller.rb
@@ -6,7 +6,7 @@ module Spree
 skip_before_action :load_resource, only: :index
 def index
- @search = SolidusSubscriptions::Subscription.ransack(params[:q])
+ @search = SolidusSubscriptions::Subscription.accessible_by(current_ability).ransack(params[:q])
 @subscriptions = @search.result(distinct: true).
 includes(:line_items, :user).
 page(params[:page]).
diff --git a/bin/rails-sandbox b/bin/rails-sandbox
index ad2df04..55e33d9 100755
--- a/bin/rails-sandbox
+++ b/bin/rails-sandbox
@@ -5,7 +5,7 @@ app_root = 'sandbox'
 unless File.exist? "#{app_root}/bin/rails"
 warn 'Creating the sandbox app...'
 Dir.chdir "#{__dir__}/.." do
- system "#{__dir__}/sandbox" or begin
+ system "#{__dir__}/sandbox" or begin # rubocop:disable Style/RedundantBegin
 warn 'Automatic creation of the sandbox app failed'
 exit 1
 end
diff --git a/config/initializers/permission_sets.rb b/config/initializers/permission_sets.rb
index b4acf71..047f062 100644
--- a/config/initializers/permission_sets.rb
+++ b/config/initializers/permission_sets.rb
@@ -2,6 +2,10 @@ Spree.config do |config|
 config.roles.assign_permissions :default, %w[
+ SolidusSubscriptions::PermissionSets::DefaultCustomer
+ ]
+
+ config.roles.assign_permissions :admin, %w[
 SolidusSubscriptions::PermissionSets::SubscriptionManagement
 ]
 end
diff --git a/lib/solidus_subscriptions.rb b/lib/solidus_subscriptions.rb
index 21a9b40..039b172 100644
--- a/lib/solidus_subscriptions.rb
+++ b/lib/solidus_subscriptions.rb
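Review bot: `accessible_by(current_ability)` on the new `@search` line in `index` only works while every `can` rule on Subscription is SQL-expressible; a rule defined with a block and no conditions makes CanCan raise `CanCan::Error` at this line rather than return an empty scope. That holds for the two sets in this commit (SubscriptionManagement is unconditional and DefaultCustomer carries a SQL fragment), but a host app adding its own block-only rule would turn the admin index into a 500 instead of a filtered list. A comment on that line would make the constraint visible: `# accessible_by needs SQL-expressible rules; a block-only can on Subscription raises CanCan::Error here`. The `index` action continues outside the hunk.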
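Review bot: The new `config.roles.assign_permissions :admin` block in config/initializers/permission_sets.rb ties SubscriptionManagement to that exact role name, whereas it was previously granted to `:default`; a store whose back-office staff run under a differently named Spree role would presumably lose subscription management with this upgrade, and nothing on the page records that. A comment on the block, e.g. `# Back-office management is granted to the :admin role only; assign SubscriptionManagement to other staff roles in the host app`, plus a changelog line, would make the behaviour change discoverable.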
@@ -7,6 +7,7 @@ require 'deface'
 require 'state_machines'
 require 'solidus_subscriptions/configuration'
+require 'solidus_subscriptions/permission_sets/default_customer'
 require 'solidus_subscriptions/permission_sets/subscription_management'
 require 'solidus_subscriptions/version'
 require 'solidus_subscriptions/engine'
diff --git a/lib/solidus_subscriptions/permission_sets/default_customer.rb b/lib/solidus_subscriptions/permission_sets/default_customer.rb
new file mode 100644
index 0000000..df9845e
--- /dev/null
+++ b/lib/solidus_subscriptions/permission_sets/default_customer.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module SolidusSubscriptions
+ module PermissionSets
+ class DefaultCustomer < ::Spree::PermissionSets::Base
+ def activate!
+ can :manage, Subscription, ['user_id = ?', user.id] do |subscription, guest_token|
+ (subscription.guest_token.present? && subscription.guest_token == guest_token) ||
+ (subscription.user && subscription.user == user)
+ end
+
+ can :manage, LineItem do |line_item, guest_token|
+ (line_item.subscription&.guest_token.present? && line_item.subscription.guest_token == guest_token) ||
+ (line_item.subscription&.user && line_item.subscription.user == user)
+ end
+ end
+ end
+ end
+end
diff --git a/lib/solidus_subscriptions/permission_sets/subscription_management.rb b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
index c669368..f96ed53 100644
--- a/lib/solidus_subscriptions/permission_sets/subscription_management.rb
+++ b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
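Review bot: In `DefaultCustomer#activate!` the SQL fragment `['user_id = ?', user.id]` expresses only the owning-user branch, while the guest-token branch exists in the block alone, so `Subscription.accessible_by` built from this set will not return token-owned rows even though `can?` grants them; the `can :manage, LineItem` rule has no SQL fragment at all, so `LineItem.accessible_by` with this ability would raise `CanCan::Error` if anything ever calls it. Nothing in the commit exercises either path, but the asymmetry is undocumented and will surprise whoever next reaches for `accessible_by` on a storefront listing. A class comment should state the two grant paths (owning user, or a guest token passed as the extra argument to `can?`) and that only the owner path is visible to `accessible_by`; on the first `can`, `# SQL conditions cover the owner branch only (for accessible_by); the guest-token check is instance-only`. The guest token is a bearer secret compared with `==`; a constant-time comparison such as `ActiveSupport::SecurityUtils.secure_compare` is the usual choice, though the code was moved verbatim from SubscriptionManagement so this is not a regression.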
@@ -4,15 +4,8 @@ module SolidusSubscriptions
 module PermissionSets
 class SubscriptionManagement < ::Spree::PermissionSets::Base
 def activate!
- can :manage, Subscription do |subscription, guest_token|
- (subscription.guest_token.present? && subscription.guest_token == guest_token) ||
- (subscription.user && subscription.user == user)
- end
-
- can :manage, LineItem do |line_item, guest_token|
- (line_item.subscription&.guest_token.present? && line_item.subscription.guest_token == guest_token) ||
- (line_item.subscription&.user && line_item.subscription.user == user)
- end
+ can :manage, Subscription
+ can :manage, LineItem
 end
 end
 end
diff --git a/spec/lib/solidus_subscriptions/permission_sets/default_customer_spec.rb b/spec/lib/solidus_subscriptions/permission_sets/default_customer_spec.rb
new file mode 100644
index 0000000..222f260
--- /dev/null
+++ b/spec/lib/solidus_subscriptions/permission_sets/default_customer_spec.rb
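Review bot: `activate!` now grants unconditional `:manage` on Subscription and LineItem with no comment saying that this set is intended for back-office roles only, nor that the absence of conditions is what lets `accessible_by` in the admin index work. A two-line comment above the first `can` would carry both facts: `# Unrestricted grant: assign to trusted back-office roles only (see config/initializers/permission_sets.rb).` and `# Deliberately no conditions or block: accessible_by needs SQL-expressible rules.`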
@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+RSpec.describe SolidusSubscriptions::PermissionSets::DefaultCustomer do
+ context 'when the user is authenticated' do
+ it 'is allowed to manage their subscriptions' do
+ user = create(:user)
+ subscription = create(:subscription, user: user)
+
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).to be_able_to(:manage, subscription)
+ end
+
+ it "is allowed to manage someone else's subscriptions" do
+ user = create(:user)
+ subscription = create(:subscription)
+
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).not_to be_able_to(:manage, subscription)
+ end
+
+ it 'is allowed to manage line items on their subscriptions' do
+ user = create(:user)
+ subscription = create(:subscription, user: user)
+ line_item = create(:subscription_line_item, subscription: subscription)
+
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).to be_able_to(:manage, line_item)
+ end
+
+ it "is not allowed to manage line items on someone else's subscriptions" do
+ user = create(:user)
+ subscription = create(:subscription)
+ line_item = create(:subscription_line_item, subscription: subscription)
+
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).not_to be_able_to(:manage, line_item)
+ end
+ end
+
+ context 'when the user provides a guest token' do
+ it 'is allowed to manage their subscriptions' do
+ subscription = create(:subscription)
+
+ ability = Spree::Ability.new(nil)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).to be_able_to(:manage, subscription, subscription.guest_token)
+ end
+
+ it "is allowed to manage someone else's subscriptions" do
+ subscription = create(:subscription)
+
+ ability = Spree::Ability.new(nil)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).not_to be_able_to(:manage, subscription, 'invalid')
+ end
+
+ it 'is allowed to manage line items on their subscriptions' do
+ subscription = create(:subscription)
+ line_item = create(:subscription_line_item, subscription: subscription)
+
+ ability = Spree::Ability.new(nil)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).to be_able_to(:manage, line_item, subscription.guest_token)
+ end
+
+ it "is not allowed to manage line items on someone else's subscriptions" do
+ subscription = create(:subscription)
+ line_item = create(:subscription_line_item, subscription: subscription)
+
+ ability = Spree::Ability.new(nil)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
+
+ expect(ability).not_to be_able_to(:manage, line_item, 'invalid')
+ end
+ end
+end
diff --git a/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb b/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
index 7079c8a..816f83e 100644
--- a/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
+++ b/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
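Review bot: Two example descriptions contradict their expectations: `it "is allowed to manage someone else's subscriptions"` labels the `not_to be_able_to` case in both contexts (authenticated user, and guest with the `'invalid'` token), so a failure report would read as the opposite of what is being tested; rename both to `it "is not allowed to manage someone else's subscriptions" do`. The guest context also never covers a subscription that has an owning user: by the rule's `||` a correct guest token grants `:manage` on it as well, and pinning that with an explicit example (or the inverse, if that is not intended) would document the decision rather than leave it implicit.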
@@ -1,95 +1,26 @@
 # frozen_string_literal: true
 RSpec.describe SolidusSubscriptions::PermissionSets::SubscriptionManagement do
- context 'when the user is authenticated' do
- it 'is allowed to manage their subscriptions' do
- user = create(:user)
- subscription = create(:subscription, user: user)
+ it 'is allowed to manage all subscriptions' do
+ user = create(:user)
+ subscription = create(:subscription)
- ability = Spree::Ability.new(user)
- permission_set = described_class.new(ability)
- permission_set.activate!
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
- expect(ability).to be_able_to(:manage, subscription)
- end
-
- it "is allowed to manage someone else's subscriptions" do
- user = create(:user)
- subscription = create(:subscription)
-
- ability = Spree::Ability.new(user)
- permission_set = described_class.new(ability)
- permission_set.activate!
-
- expect(ability).not_to be_able_to(:manage, subscription)
- end
-
- it 'is allowed to manage line items on their subscriptions' do
- user = create(:user)
- subscription = create(:subscription, user: user)
- line_item = create(:subscription_line_item, subscription: subscription)
-
- ability = Spree::Ability.new(user)
- permission_set = described_class.new(ability)
- permission_set.activate!
-
- expect(ability).to be_able_to(:manage, line_item)
- end
-
- it "is not allowed to manage line items on someone else's subscriptions" do
- user = create(:user)
- subscription = create(:subscription)
- line_item = create(:subscription_line_item, subscription: subscription)
-
- ability = Spree::Ability.new(user)
- permission_set = described_class.new(ability)
- permission_set.activate!
-
- expect(ability).not_to be_able_to(:manage, line_item)
- end
+ expect(ability).to be_able_to(:manage, subscription)
 end
- context 'when the user provides a guest token' do
- it 'is allowed to manage their subscriptions' do
- subscription = create(:subscription)
-
- ability = Spree::Ability.new(nil)
- permission_set = described_class.new(ability)
- permission_set.activate!
-
- expect(ability).to be_able_to(:manage, subscription, subscription.guest_token)
- end
-
- it "is allowed to manage someone else's subscriptions" do
- subscription = create(:subscription)
-
- ability = Spree::Ability.new(nil)
- permission_set = described_class.new(ability)
- permission_set.activate!
-
- expect(ability).not_to be_able_to(:manage, subscription, 'invalid')
- end
-
- it 'is allowed to manage line items on their subscriptions' do
- subscription = create(:subscription)
- line_item = create(:subscription_line_item, subscription: subscription)
-
- ability = Spree::Ability.new(nil)
- permission_set = described_class.new(ability)
- permission_set.activate!
-
- expect(ability).to be_able_to(:manage, line_item, subscription.guest_token)
- end
-
- it "is not allowed to manage line items on someone else's subscriptions" do
- subscription = create(:subscription)
- line_item = create(:subscription_line_item, subscription: subscription)
+ it "is allowed to manage all line items" do
+ user = create(:user)
+ subscription = create(:subscription)
+ line_item = create(:subscription_line_item, subscription: subscription)
- ability = Spree::Ability.new(nil)
- permission_set = described_class.new(ability)
- permission_set.activate!
+ ability = Spree::Ability.new(user)
+ permission_set = described_class.new(ability)
+ permission_set.activate!
- expect(ability).not_to be_able_to(:manage, line_item, 'invalid')
- end
+ expect(ability).to be_able_to(:manage, line_item)
 end
 end
|
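Review bot: Style only: the new `it "is allowed to manage all line items"` uses double quotes where every other literal in this file without interpolation or an apostrophe uses single quotes; `it 'is allowed to manage all line items' do` keeps the file consistent. The two remaining examples cover the now-unconditional grant adequately, so no further cases seem needed here.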