From 0b2c5c9a3826aff11025335188cca5e2c29c51ce Mon Sep 17 00:00:00 2001
From: Alessandro Desantis <desa.alessandro@gmail.com>
Date: Wed, 7 Oct 2020 16:55:58 +0200
Subject: Use guest token to authorize API controller actions

---
 .../permission_sets/subscription_management.rb                 | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'lib')

diff --git a/lib/solidus_subscriptions/permission_sets/subscription_management.rb b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
index 76c1e94..c669368 100644
--- a/lib/solidus_subscriptions/permission_sets/subscription_management.rb
+++ b/lib/solidus_subscriptions/permission_sets/subscription_management.rb
@@ -4,12 +4,14 @@ module SolidusSubscriptions
   module PermissionSets
     class SubscriptionManagement < ::Spree::PermissionSets::Base
       def activate!
-        can :manage, Subscription do |subscription|
-          subscription.user && subscription.user == user
+        can :manage, Subscription do |subscription, guest_token|
+          (subscription.guest_token.present? && subscription.guest_token == guest_token) ||
+            (subscription.user && subscription.user == user)
         end
 
-        can :manage, LineItem do |line_item|
-          line_item.subscription&.user && line_item.subscription.user == user
+        can :manage, LineItem do |line_item, guest_token|
+          (line_item.subscription&.guest_token.present? && line_item.subscription.guest_token == guest_token) ||
+            (line_item.subscription&.user && line_item.subscription.user == user)
         end
       end
     end
-- 
cgit v1.2.3