-rw-r--r--app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb4
-rw-r--r--lib/solidus_subscriptions/permission_sets/subscription_management.rb7
-rw-r--r--spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb37
3 files changed, 13 insertions, 35 deletions
diff --git a/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb b/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb
index 1d6817a..8e6ff34 100644
--- a/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb
+++ b/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb
@@ -8,7 +8,7 @@ module SolidusSubscriptions
wrap_parameters :subscription_line_item
def update
- authorize! :update, @line_item, @order
+ authorize! :update, @line_item
if @line_item.update(line_item_params)
render json: @line_item.to_json
else
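Review bot: `authorize! :update, @line_item` is evaluated against the record as loaded, before `@line_item.update(line_item_params)` runs, so the check does not cover the state the update produces. Access now depends on the line item's subscription owner, so `line_item_params` (defined outside this hunk) should be confirmed not to permit `subscription_id` or any other attribute that changes the owning subscription. If it does, drop that key from the permitted list or re-authorize after assignment. The `update` body continues past the end of the hunk.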
@@ -17,7 +17,7 @@ module SolidusSubscriptions
end
def destroy
- authorize! :destroy, @line_item, @order
+ authorize! :destroy, @line_item
return render json: {}, status: :bad_request if @line_item.order.complete?
@line_item.destroy!
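Review bot: `@line_item.order.complete?` on the line after the new `authorize!` call raises NoMethodError when the line item has no order, and the removed rule's `line_item.order&.user` suggests that case can occur. With authorization now keyed to the subscription rather than the order, such a record can pass `authorize!` and reach this line; `return render json: {}, status: :bad_request if @line_item.order&.complete?` avoids the 500. It is also worth confirming that a line item can have both a user-owned subscription and an incomplete order, since otherwise this action cannot succeed for users who rely on this permission set. `destroy` continues outside the hunk.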
diff --git a/lib/solidus_subscriptions/permission_sets/subscription_management.rb b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
index 8f5edfb..76c1e94 100644
--- a/lib/solidus_subscriptions/permission_sets/subscription_management.rb
+++ b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
@@ -5,12 +5,11 @@ module SolidusSubscriptions
class SubscriptionManagement < ::Spree::PermissionSets::Base
def activate!
can :manage, Subscription do |subscription|
- subscription.user == user
+ subscription.user && subscription.user == user
end
- can :manage, LineItem do |line_item, order|
- (line_item.order && line_item.order == order) ||
- (line_item.order&.user && line_item.order.user == user)
+ can :manage, LineItem do |line_item|
+ line_item.subscription&.user && line_item.subscription.user == user
end
end
end
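Review bot: The nil guards added to both rules in `activate!` carry no comment saying why they exist, so a later cleanup could collapse them back to a bare `==`. A short comment above each block would record the intent, for example `# Ownerless records must never match: require a present owner before comparing with the current user.` above the `Subscription` rule. Above the `LineItem` rule, `# Access follows the subscription owner only; the order is deliberately not consulted.` would do the same. The wording is a suggestion; the reason the order-based branch was dropped is not stated on this page and should come from the author.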
diff --git a/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb b/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
index 779fc9b..e3c3c66 100644
--- a/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
+++ b/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
@@ -23,48 +23,27 @@ RSpec.describe SolidusSubscriptions::PermissionSets::SubscriptionManagement do
expect(ability).not_to be_able_to(:manage, subscription)
end
- it 'is allowed to manage line items on their orders' do
+ it 'is allowed to manage line items on their subscriptions' do
user = create(:user)
- order = create(:order, user: user)
- line_item = create(
- :subscription_line_item,
- spree_line_item: create(:line_item, order: create(:order, user: user)),
- )
-
- ability = Spree::Ability.new(user)
- permission_set = described_class.new(ability)
- permission_set.activate!
-
- expect(ability).to be_able_to(:manage, line_item, order)
- end
-
- it 'is allowed to manage line items on the given order' do
- user = create(:user)
- order = create(:order, user: user)
- line_item = create(
- :subscription_line_item,
- spree_line_item: create(:line_item, order: order),
- )
+ subscription = create(:subscription, user: user)
+ line_item = create(:subscription_line_item, subscription: subscription)
ability = Spree::Ability.new(user)
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).to be_able_to(:manage, line_item, order)
+ expect(ability).to be_able_to(:manage, line_item)
end
- it "is not allowed to manage line items on someone else's orders" do
+ it "is not allowed to manage line items on someone else's subscriptions" do
user = create(:user)
- order = create(:order)
- line_item = create(
- :subscription_line_item,
- spree_line_item: create(:line_item),
- )
+ subscription = create(:subscription)
+ line_item = create(:subscription_line_item, subscription: subscription)
ability = Spree::Ability.new(user)
permission_set = described_class.new(ability)
permission_set.activate!
- expect(ability).not_to be_able_to(:manage, line_item, order)
+ expect(ability).not_to be_able_to(:manage, line_item)
end
end
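Review bot: The updated examples cover an owned subscription and someone else's subscription, but none exercises the nil guards this commit adds in the permission set. An example with a line item that has no subscription, and one whose subscription has no user, should each end in `expect(ability).not_to be_able_to(:manage, line_item)`. The `subscription.user &&` guard on the `Subscription` rule would benefit from a matching example with an ownerless subscription. Whether the factories accept `subscription: nil` or `user: nil` is not visible here, so the setup may need `build` rather than `create`. The enclosing `describe` block starts outside this hunk.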