author | Alex Blackie <alex@alexblackie.com> | 2016-09-23 11:30:36 -0700 |
committer | Alex Blackie <alex@alexblackie.com> | 2016-09-23 11:50:53 -0700 |
commit | e2d602ebd0b0789399a71ec03e94b05bc9e7d9eb (patch) | |
tree | 3f6a873b23dc8d8db5f3e02917c5a690672d0324 | |
parent | 5415f1e0381ed3be99acadb79fcead5be38d175d (diff) |
Add CanCan abilities class
This adds a CanCan class for modelling our permissions. This then
modifies the LineItemsController to use the new CanCan abilities instead
of manually checking.
5 files changed, 14 insertions, 3 deletions
diff --git a/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb b/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb
index 5947097..44650b9 100644
--- a/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb
+++ b/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb
@@ -2,8 +2,7 @@ class SolidusSubscriptions::Api::V1::LineItemsController < Spree::Api::BaseContr
   before_filter :load_line_item, only: :update
 
   def update
-    return render json: {}, status: 404 unless @line_item.order.user == current_api_user
-
+    authorize! :manage, @line_item
     if @line_item.update(line_item_params)
       render json: @line_item.to_json
     else
diff --git a/lib/solidus_subscriptions.rb b/lib/solidus_subscriptions.rb
index bdee6ea..ad76ff5 100644
--- a/lib/solidus_subscriptions.rb
+++ b/lib/solidus_subscriptions.rb
@@ -1,4 +1,5 @@
 require 'solidus_core'
+require "solidus_subscriptions/ability"
 require 'solidus_subscriptions/engine'
 require 'deface'
 require 'state_machines'
diff --git a/lib/solidus_subscriptions/ability.rb b/lib/solidus_subscriptions/ability.rb
new file mode 100644
index 0000000..0afefde
--- /dev/null
+++ b/lib/solidus_subscriptions/ability.rb
@@ -0,0 +1,9 @@
+module SolidusSubscriptions
+  class Ability
+    include CanCan::Ability
+
+    def initialize(user)
+      can(:manage, SolidusSubscriptions::LineItem) { |li| li.order.user == user }
+    end
+  end
+end
diff --git a/lib/solidus_subscriptions/engine.rb b/lib/solidus_subscriptions/engine.rb
index 5dea444..6b42716 100644
--- a/lib/solidus_subscriptions/engine.rb
+++ b/lib/solidus_subscriptions/engine.rb
@@ -18,6 +18,8 @@ module SolidusSubscriptions
       Dir.glob(File.join(File.dirname(__FILE__), '../../app/overrides/**/*.rb')) do |c|
         Rails.configuration.cache_classes ? require(c) : load(c)
       end
+
+      Spree::Ability.register_ability(SolidusSubscriptions::Ability)
     end
 
     config.to_prepare(&method(:activate).to_proc)
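Review bot: `authorize! :manage, @line_item` demands the broadest CanCan action for a controller action that only updates; `authorize! :update, @line_item` states the real requirement, is still satisfied by the `can :manage` rule this commit adds, and also composes with any narrower `:update` rule another registered ability grants. The former 404 response is now replaced by whatever rescues CanCan::AccessDenied in Spree::Api::BaseController, which is outside this diff; the spec in this commit expects an unauthorized response, so that handler presumably exists, but the dependency is implicit and worth a one-line comment such as `# CanCan::AccessDenied is rescued by Spree::Api::BaseController`. The body of `update` continues past the hunk.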
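Review bot: The added `require "solidus_subscriptions/ability"` uses double quotes while every neighbouring require in the hunk uses single quotes; `require 'solidus_subscriptions/ability'` keeps the file consistent. The new file references `CanCan::Ability` at class-body time, so this require is only safe because `solidus_core` (required on the line above) is presumed to load CanCan first — if that ordering ever changes, the constant lookup fails at boot.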
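Review bot: `li.order.user == user` grants `:manage` whenever both sides are equal, including when both are nil — an order with no user checked against a nil user — because `nil == nil` is true. Whether `user` can be nil here depends on how Spree::Ability instantiates registered abilities, which is outside this diff, so the rule should not lean on it: `can(:manage, SolidusSubscriptions::LineItem) { |li| !li.order.user.nil? && li.order.user == user }`. A short comment above the class noting that it is instantiated by Spree::Ability through `register_ability` and receives the current user would also help the next reader, since nothing in the file shows where `user` comes from.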
diff --git a/spec/controllers/solidus_subscriptions/api/v1/line_items_controller_spec.rb b/spec/controllers/solidus_subscriptions/api/v1/line_items_controller_spec.rb
index 89f09d7..1fdcb36 100644
--- a/spec/controllers/solidus_subscriptions/api/v1/line_items_controller_spec.rb
+++ b/spec/controllers/solidus_subscriptions/api/v1/line_items_controller_spec.rb
@@ -44,7 +44,7 @@ RSpec.describe SolidusSubscriptions::Api::V1::LineItemsController, type: :contro
       context "when the order belongs to someone else" do
         let(:order) { create :order, user: create(:user) }
 
-        it { is_expected.to be_not_found }
+        it { is_expected.to be_unauthorized }
       end
     end
   end
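Review bot: The rewritten example only covers an order owned by a different user; the ability that now produces this response compares `li.order.user == user`, so the cases where that comparison can succeed by accident — an order with no user, and a request with no authenticated API user — stay untested. A sibling context such as `context "when the order has no user" do let(:order) { create :order, user: nil } it { is_expected.to be_unauthorized } end` would pin the intended behaviour for guest orders. The `be_unauthorized` expectation also relies on how the API base controller rescues CanCan::AccessDenied, which is outside this diff.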