Use guest token to authorize API controller actions

author: Alessandro Desantis <desa.alessandro@gmail.com> 2020-10-07 16:55:58 +0200
committer: Alessandro Desantis <desa.alessandro@gmail.com> 2020-10-08 13:34:54 +0200
commit: 0b2c5c9a3826aff11025335188cca5e2c29c51ce (patch)
tree: a134b4490501d84b219e561f0514c312597b1aa3 /lib/solidus_subscriptions
parent: c64e18ea9ebadda5d6be746faf999ea86fc5176a (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/solidus_subscriptions/permission_sets/subscription_management.rb b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
index 76c1e94..c669368 100644
--- a/lib/solidus_subscriptions/permission_sets/subscription_management.rb
+++ b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
@@ -4,12 +4,14 @@ module SolidusSubscriptions
   module PermissionSets
     class SubscriptionManagement < ::Spree::PermissionSets::Base
       def activate!
-        can :manage, Subscription do |subscription|
-          subscription.user && subscription.user == user
+        can :manage, Subscription do |subscription, guest_token|
+          (subscription.guest_token.present? && subscription.guest_token == guest_token) ||
+            (subscription.user && subscription.user == user)
         end
 
-        can :manage, LineItem do |line_item|
-          line_item.subscription&.user && line_item.subscription.user == user
+        can :manage, LineItem do |line_item, guest_token|
+          (line_item.subscription&.guest_token.present? && line_item.subscription.guest_token == guest_token) ||
+            (line_item.subscription&.user && line_item.subscription.user == user)
         end
       end
     end
author	Alessandro Desantis <desa.alessandro@gmail.com>	2020-10-07 16:55:58 +0200
committer	Alessandro Desantis <desa.alessandro@gmail.com>	2020-10-08 13:34:54 +0200
commit	0b2c5c9a3826aff11025335188cca5e2c29c51ce (patch)
tree	a134b4490501d84b219e561f0514c312597b1aa3 /lib/solidus_subscriptions
parent	c64e18ea9ebadda5d6be746faf999ea86fc5176a (diff)