3 files changed, 13 insertions, 35 deletions
diff --git a/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb b/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb
index 1d6817a..8e6ff34 100644
--- a/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb
+++ b/app/controllers/solidus_subscriptions/api/v1/line_items_controller.rb
@@ -8,7 +8,7 @@ module SolidusSubscriptions
 wrap_parameters :subscription_line_item
 def update
- authorize! :update, @line_item, @order
+ authorize! :update, @line_item
 if @line_item.update(line_item_params)
 render json: @line_item.to_json
 else
@@ -17,7 +17,7 @@ module SolidusSubscriptions
 end
 def destroy
- authorize! :destroy, @line_item, @order
+ authorize! :destroy, @line_item
 return render json: {}, status: :bad_request if @line_item.order.complete?
 @line_item.destroy!
diff --git a/lib/solidus_subscriptions/permission_sets/subscription_management.rb b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
index 8f5edfb..76c1e94 100644
--- a/lib/solidus_subscriptions/permission_sets/subscription_management.rb
+++ b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
@@ -5,12 +5,11 @@ module SolidusSubscriptions
 class SubscriptionManagement < ::Spree::PermissionSets::Base
 def activate!
 can :manage, Subscription do |subscription|
- subscription.user == user
+ subscription.user && subscription.user == user
 end
- can :manage, LineItem do |line_item, order|
- (line_item.order && line_item.order == order) ||
- (line_item.order&.user && line_item.order.user == user)
+ can :manage, LineItem do |line_item|
+ line_item.subscription&.user && line_item.subscription.user == user
 end
 end
 end
 end
diff --git a/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb b/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
index 779fc9b..e3c3c66 100644
--- a/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
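Review bot: Nothing in this commit pins the new behaviour at the controller level; the only spec touched is the permission-set spec, so a later change that passes `@order` back into `authorize!` in `update` (or in `destroy`, in the next hunk) would not fail any test shown here. A request spec asserting that a caller who can present an order but does not own the subscription is refused on both actions would cover it. If a `before_action` still loads `@order` for these actions, it is outside the hunk and may now be dead code worth removing.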
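Review bot: `@line_item.order.complete?` in `destroy` will raise NoMethodError if `order` can be nil, and that case matters more now that authorization is keyed on the subscription rather than the order; the updated spec itself builds a line item with only `subscription:` set. Assuming `order` is derived from an optional Spree line item (not visible here), the guard could read `return render json: {}, status: :bad_request if @line_item.order&.complete?`. The body of `destroy` continues outside the hunk.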
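Review bot: The `subscription.user &&` and `line_item.subscription&.user &&` guards in `activate!` carry the security-relevant intent, but nothing in the code says so. Without them an ownerless record compares equal to a nil `user` (`nil == nil`) and would be manageable by an ability built without a user. I would add a comment above the first block, such as `# Require an owner: an ownerless record must never match a nil (guest) user.`, so the guard is not simplified away later. Whether `user` can actually be nil here depends on how `Spree::Ability` is built for guests, which is outside this hunk.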
+++ b/spec/lib/solidus_subscriptions/permission_sets/subscription_management_spec.rb
@@ -23,48 +23,27 @@ RSpec.describe SolidusSubscriptions::PermissionSets::SubscriptionManagement do
 expect(ability).not_to be_able_to(:manage, subscription)
 end
- it 'is allowed to manage line items on their orders' do
+ it 'is allowed to manage line items on their subscriptions' do
 user = create(:user)
- order = create(:order, user: user)
- line_item = create(
- :subscription_line_item,
- spree_line_item: create(:line_item, order: create(:order, user: user)),
- )
-
- ability = Spree::Ability.new(user)
- permission_set = described_class.new(ability)
- permission_set.activate!
-
- expect(ability).to be_able_to(:manage, line_item, order)
- end
-
- it 'is allowed to manage line items on the given order' do
- user = create(:user)
- order = create(:order, user: user)
- line_item = create(
- :subscription_line_item,
- spree_line_item: create(:line_item, order: order),
- )
+ subscription = create(:subscription, user: user)
+ line_item = create(:subscription_line_item, subscription: subscription)
 ability = Spree::Ability.new(user)
 permission_set = described_class.new(ability)
 permission_set.activate!
- expect(ability).to be_able_to(:manage, line_item, order)
+ expect(ability).to be_able_to(:manage, line_item)
 end
- it "is not allowed to manage line items on someone else's orders" do
+ it "is not allowed to manage line items on someone else's subscriptions" do
 user = create(:user)
- order = create(:order)
- line_item = create(
- :subscription_line_item,
- spree_line_item: create(:line_item),
- )
+ subscription = create(:subscription)
+ line_item = create(:subscription_line_item, subscription: subscription)
 ability = Spree::Ability.new(user)
 permission_set = described_class.new(ability)
 permission_set.activate!
- expect(ability).not_to be_able_to(:manage, line_item, order)
+ expect(ability).not_to be_able_to(:manage, line_item)
 end
 end
|
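Review bot: The rewritten examples do not exercise the nil guards this commit adds to the permission set; the negative case uses `create(:subscription)`, which presumably comes with an owner from the factory. I would add an example with a line item that has no subscription, and one whose subscription has no user if the model allows that, each checked against an ability built without a signed-in user and expecting `not_to be_able_to(:manage, line_item)`. That would fail if the `&.user &&` checks were ever reduced to a plain `==` comparison.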