Add scope to subscription permissions

With an AR scope, `#accessible_by` can be properly used.

2 files changed, 2 insertions, 2 deletions

diff --git a/app/controllers/spree/admin/subscriptions_controller.rb b/app/controllers/spree/admin/subscriptions_controller.rb
index 6c92ace..7db4c77 100644
--- a/app/controllers/spree/admin/subscriptions_controller.rb
+++ b/app/controllers/spree/admin/subscriptions_controller.rb
@@ -6,7 +6,7 @@ module Spree
       skip_before_action :load_resource, only: :index
 
       def index
-        @search = SolidusSubscriptions::Subscription.ransack(params[:q])
+        @search = SolidusSubscriptions::Subscription.accessible_by(current_ability).ransack(params[:q])
         @subscriptions = @search.result(distinct: true).
                          includes(:line_items, :user).
                          page(params[:page]).
diff --git a/lib/solidus_subscriptions/permission_sets/subscription_management.rb b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
index c669368..9077ab9 100644
--- a/lib/solidus_subscriptions/permission_sets/subscription_management.rb
+++ b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
@@ -4,7 +4,7 @@ module SolidusSubscriptions
   module PermissionSets
     class SubscriptionManagement < ::Spree::PermissionSets::Base
       def activate!
-        can :manage, Subscription do |subscription, guest_token|
+        can :manage, Subscription, Subscription.where(user: user) do |subscription, guest_token|
           (subscription.guest_token.present? && subscription.guest_token == guest_token) ||
             (subscription.user && subscription.user == user)
         end