author | Alessandro Desantis <desa.alessandro@gmail.com> | 2020-10-14 10:31:15 +0200 |
---|---|---|
committer | Alessandro Desantis <desa.alessandro@gmail.com> | 2020-10-21 11:49:29 +0200 |
commit | 204ac4bbaadac79bc4dfa1ac3c12b3be421d4622 (patch) | |
tree | 17ccc7a0b6eeed26bd4907d7e1f736fb45b4bc1d /lib/solidus_subscriptions | |
parent | 8ff161a4b02d395ec81f9f6331e0e11f8e81363c (diff) |
Fix DefaultCustomer permission set giving guests access to admin
The DefaultCustomer permission set would allow guests to see the
subscriptions list (although they wouldn't be able to see any subscriptions).
Diffstat (limited to 'lib/solidus_subscriptions')
-rw-r--r-- | lib/solidus_subscriptions/permission_sets/default_customer.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/solidus_subscriptions/permission_sets/default_customer.rb b/lib/solidus_subscriptions/permission_sets/default_customer.rb
index df9845e..ebe888e 100644
--- a/lib/solidus_subscriptions/permission_sets/default_customer.rb
+++ b/lib/solidus_subscriptions/permission_sets/default_customer.rb
@@ -4,12 +4,12 @@ module SolidusSubscriptions
 module PermissionSets
 class DefaultCustomer < ::Spree::PermissionSets::Base
 def activate!
- can :manage, Subscription, ['user_id = ?', user.id] do |subscription, guest_token|
+ can [:display, :update, :skip, :cancel], Subscription, ['user_id = ?', user.id] do |subscription, guest_token|
 (subscription.guest_token.present? && subscription.guest_token == guest_token) ||
 (subscription.user && subscription.user == user)
 end
 
- can :manage, LineItem do |line_item, guest_token|
+ can [:display, :update, :destroy], LineItem do |line_item, guest_token|
 (line_item.subscription&.guest_token.present? && line_item.subscription.guest_token == guest_token) ||
 (line_item.subscription&.user && line_item.subscription.user == user)
 end |
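Review bot: Both rules in `activate!` still enforce ownership only inside a block, and CanCan does not evaluate the block when the check is made against the class rather than a record, so `can?(:display, Subscription)` and `can?(:update, LineItem)` remain true for every user, guests included. Replacing `:manage` with explicit actions removes the implicit `:admin` match, but any caller that authorizes on the class alone would still let a guest through, so it is worth confirming that each controller authorizes a loaded record and passes the guest token. A short comment above the first rule would keep `:manage` from being reintroduced, e.g. `# Never :manage here: it also matches :admin and opens the admin UI to guests.` The diffstat shown is limited to lib/, so whether a spec asserts that a guest ability is denied `:admin` on Subscription is not visible here; if none exists, one should accompany this change. The body of `activate!` closes outside this hunk.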