Use guest token to authorize API controller actions

1 files changed, 6 insertions, 4 deletions

diff --git a/lib/solidus_subscriptions/permission_sets/subscription_management.rb b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
index 76c1e94..c669368 100644
--- a/lib/solidus_subscriptions/permission_sets/subscription_management.rb
+++ b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
@@ -4,12 +4,14 @@ module SolidusSubscriptions
   module PermissionSets
     class SubscriptionManagement < ::Spree::PermissionSets::Base
       def activate!
-        can :manage, Subscription do |subscription|
-          subscription.user && subscription.user == user
+        can :manage, Subscription do |subscription, guest_token|
+          (subscription.guest_token.present? && subscription.guest_token == guest_token) ||
+            (subscription.user && subscription.user == user)
         end
 
-        can :manage, LineItem do |line_item|
-          line_item.subscription&.user && line_item.subscription.user == user
+        can :manage, LineItem do |line_item, guest_token|
+          (line_item.subscription&.guest_token.present? && line_item.subscription.guest_token == guest_token) ||
+            (line_item.subscription&.user && line_item.subscription.user == user)
         end
       end
     end