Fix authorization for orders using cancancan
parent
b5017bff9a
commit
da278491b1
|
@ -3,20 +3,14 @@ class OrdersController < ApplicationController
|
|||
include ApplicationHelper
|
||||
|
||||
load_and_authorize_resource :user
|
||||
load_and_authorize_resource :order, through: :user
|
||||
load_and_authorize_resource :order, through: :user, shallow: true
|
||||
|
||||
def new
|
||||
@user = User.find(params[:user_id])
|
||||
@order = @user.orders.build
|
||||
|
||||
products = (@user.products.for_sale.select("products.*", "sum(order_items.count) as count").group(:product_id).order("count desc") | Product.for_sale)
|
||||
@order.g_order_items products
|
||||
end
|
||||
|
||||
def create
|
||||
@user = User.find(params[:user_id])
|
||||
@order = @user.orders.build order_params
|
||||
|
||||
if @order.save
|
||||
flash[:success] = "#{@order.to_sentence} ordered. Enjoy it!"
|
||||
redirect_to root_path
|
||||
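Review bot: `shallow: true` on `load_and_authorize_resource :order, through: :user` makes the parent optional, so a request that reaches this controller without `user_id` loads or builds the order outside `@user.orders`, leaving the Ability rule as the only ownership check. If every orders route is nested under a user, keep the stricter `load_and_authorize_resource :order, through: :user`. If a shallow route does exist, add a controller test asserting that a signed-in user is denied on another user's order through it. The +/- markers are lost on this page, so this assumes the `shallow: true` line is the added one and the manual `User.find(params[:user_id])` / `@user.orders.build` lines are the removed ones; `create` continues past the end of the hunk.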
|
|
|
@ -11,7 +11,9 @@ class Ability
|
|||
elsif user[:id]
|
||||
can :read, :all
|
||||
can :manage, User, id: user.id
|
||||
can :manage, Order, user: user
|
||||
can :manage, Order do |order|
|
||||
order.try(:user) == user
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
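Review bot: The block rule `can :manage, Order do |order| order.try(:user) == user end` only narrows write actions, because `can :read, :all` two lines above still grants every signed-in user `:read` on any Order; `index`/`show` on another user's orders would therefore pass `load_and_authorize_resource` if those actions are routed (not visible here). If orders are meant to be private, put `cannot :read, Order` before the ownership rule so the later rule re-grants access to the owner only. A block rule also cannot be translated into a query by `accessible_by`, which CanCanCan uses to load collections, so a hash condition such as `can :manage, Order, user_id: user.id` is preferable if it works with the `through: :user` build (this assumes a `user_id` column on orders). The +/- markers are lost on this page, so this assumes the block form is the added side; the enclosing method starts outside the hunk.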
|
|
|
@ -32,16 +32,6 @@ class UserTest < ActiveSupport::TestCase
|
|||
@user = users(:benji)
|
||||
end
|
||||
|
||||
test "debt behaves correctly" do
|
||||
assert_equal @user.debt_cents, 0
|
||||
assert_equal @user.debt, 0
|
||||
|
||||
@user.debt = 1.3
|
||||
|
||||
assert_equal @user.debt, 1.3
|
||||
assert_equal @user.debt_cents, 130
|
||||
end
|
||||
|
||||
test "to_param" do
|
||||
assert_equal @user.to_param, "#{@user.id}-benji"
|
||||
end
|
||||
|
|