authorAlessandro Desantis <desa.alessandro@gmail.com>2020-10-21 12:06:58 +0200
committerGitHub <noreply@github.com>2020-10-21 12:06:58 +0200
commitdb9913f3b186b0be11976d1daf315d84057e4216 (patch)
treece2d34f99b4042203167ac0942fa378d2f1363e0 /lib
parent8ff161a4b02d395ec81f9f6331e0e11f8e81363c (diff)
parent1b759f489ae559820d84050c60e578f11816667d (diff)
Merge pull request #161 from solidusio-contrib/aldesantis/fix-default-customer-permissions
Fix DefaultCustomer permission set giving guests access to admin
Diffstat (limited to 'lib')
-rw-r--r--lib/solidus_subscriptions/permission_sets/default_customer.rb4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/solidus_subscriptions/permission_sets/default_customer.rb b/lib/solidus_subscriptions/permission_sets/default_customer.rb
index df9845e..ebe888e 100644
--- a/lib/solidus_subscriptions/permission_sets/default_customer.rb
+++ b/lib/solidus_subscriptions/permission_sets/default_customer.rb
@@ -4,12 +4,12 @@ module SolidusSubscriptions
module PermissionSets
class DefaultCustomer < ::Spree::PermissionSets::Base
def activate!
- can :manage, Subscription, ['user_id = ?', user.id] do |subscription, guest_token|
+ can [:display, :update, :skip, :cancel], Subscription, ['user_id = ?', user.id] do |subscription, guest_token|
(subscription.guest_token.present? && subscription.guest_token == guest_token) ||
(subscription.user && subscription.user == user)
end
- can :manage, LineItem do |line_item, guest_token|
+ can [:display, :update, :destroy], LineItem do |line_item, guest_token|
(line_item.subscription&.guest_token.present? && line_item.subscription.guest_token == guest_token) ||
(line_item.subscription&.user && line_item.subscription.user == user)
end
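Review bot: The two narrowed `can` calls in `activate!` still pass any class-level check, because CanCan evaluates a rule's block only when it is handed an instance, so `can?(:update, Subscription)` or `can?(:destroy, LineItem)` remains true for every user, guests included. The ownership and guest-token test therefore only protects call sites that authorize a loaded record and pass the token, and that is worth stating above the first rule, e.g. `# Blocks run only for instance checks: always authorize a loaded record and pass the guest token.` The LineItem rule also has no SQL condition, so it presumably cannot be used to scope a collection query; confirm that no controller relies on that. A regression spec asserting that a guest ability answers false to `:admin` and `:manage` for both classes would pin this fix; the diffstat is limited to `lib`, so one may already exist elsewhere. The closing lines of `activate!`, the class and the module lie outside the hunk.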