From 204ac4bbaadac79bc4dfa1ac3c12b3be421d4622 Mon Sep 17 00:00:00 2001
From: Alessandro Desantis
Date: Wed, 14 Oct 2020 10:31:15 +0200
Subject: Fix DefaultCustomer permission set giving guests access to admin

The DefaultCustomer permission set would allow guests to see the subscriptions list (although they wouldn't be able to see any subscriptions).
---
 lib/solidus_subscriptions/permission_sets/default_customer.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib/solidus_subscriptions/permission_sets')
diff --git a/lib/solidus_subscriptions/permission_sets/default_customer.rb b/lib/solidus_subscriptions/permission_sets/default_customer.rb
index df9845e..ebe888e 100644
--- a/lib/solidus_subscriptions/permission_sets/default_customer.rb
+++ b/lib/solidus_subscriptions/permission_sets/default_customer.rb
@@ -4,12 +4,12 @@ module SolidusSubscriptions
 module PermissionSets
 class DefaultCustomer < ::Spree::PermissionSets::Base
 def activate!
- can :manage, Subscription, ['user_id = ?', user.id] do |subscription, guest_token|
+ can [:display, :update, :skip, :cancel], Subscription, ['user_id = ?', user.id] do |subscription, guest_token|
 (subscription.guest_token.present? && subscription.guest_token == guest_token) ||
 (subscription.user && subscription.user == user)
 end
 
- can :manage, LineItem do |line_item, guest_token|
+ can [:display, :update, :destroy], LineItem do |line_item, guest_token|
 (line_item.subscription&.guest_token.present? && line_item.subscription.guest_token == guest_token) ||
 (line_item.subscription&.user && line_item.subscription.user == user)
 end
-- cgit v1.2.3
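Review bot: The narrowed action lists still grant `:display` on the `Subscription` and `LineItem` classes, and because both rules carry a block, a class-level check such as `authorize! :index, Subscription` will, under CanCan's usual semantics, pass for any user including guests — so the fix relies on admin controllers authorizing `:admin` first and on every customer-facing index going through `accessible_by` or the per-record block rather than a bare `can?`. That reasoning should be recorded at the rule, e.g. `# Explicit actions rather than :manage: :manage includes :admin, and a block-based rule answers class-level can? checks with true, which is what exposed the admin subscriptions index to guests.` Note also that the `LineItem` rule has only a block and no SQL/hash condition, so `accessible_by` on `LineItem` would raise rather than scope if anything calls it. A spec asserting `cannot?(:admin, Subscription)` and `cannot?(:admin, LineItem)` for a guest ability would pin the regression this commit fixes. `activate!` and the enclosing class close outside the hunk.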