Fix authorization for orders using cancancan

benji 2015-08-31 15:10:13 +02:00
parent b5017bff9a
commit da278491b1
3 changed files with 4 additions and 18 deletions


@ -3,20 +3,14 @@ class OrdersController < ApplicationController
include ApplicationHelper
load_and_authorize_resource :user
load_and_authorize_resource :order, through: :user
load_and_authorize_resource :order, through: :user, shallow: true
def new
@user = User.find(params[:user_id])
@order = @user.orders.build
products = (@user.products.for_sale.select("products.*", "sum(order_items.count) as count").group(:product_id).order("count desc") | Product.for_sale)
@order.g_order_items products
end
def create
@user = User.find(params[:user_id])
@order = @user.orders.build order_params
if @order.save
flash[:success] = "#{@order.to_sentence} ordered. Enjoy it!"
redirect_to root_path
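Review bot: With `shallow: true` on the `:order` resource, cancancan loads the order directly whenever the parent `@user` is nil, so on any non-nested route access control rests on the `Order` ability rule alone, and `new` would then call `@user.products` on nil. The page does not mark which lines are removed, so this assumes the two `User.find(params[:user_id])` lines are dropped and `@user` now comes only from `load_and_authorize_resource :user`. If orders are only ever routed under a user, leaving out `shallow: true` keeps the user scope mandatory; otherwise the nil case needs a guard. The commit also adds no test for the behaviour it fixes; a controller test asserting that a signed-in user is denied `new` and `create` under another user's id would pin it. `create` continues past the end of the hunk.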


@ -11,7 +11,9 @@ class Ability
elsif user[:id]
can :read, :all
can :manage, User, id: user.id
can :manage, Order, user: user
can :manage, Order do |order|
order.try(:user) == user
end
end
end
end
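Review bot: The block form of the `Order` rule is only evaluated when an instance is passed, so a class-level check such as `can? :create, Order` passes for every signed-in user, and cancancan cannot turn a block into a query scope for `accessible_by`. A hash condition keeps both the instance check and the scope, e.g. `can :manage, Order, user_id: user.id`, assuming `orders.user_id` is the foreign key, which the page does not show. Separately, `can :read, :all` two lines above still lets any signed-in user read every order; if orders are meant to be private, a `cannot :read, Order` followed by the scoped `can` would narrow it. The enclosing `initialize` starts outside the hunk.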


@ -32,16 +32,6 @@ class UserTest < ActiveSupport::TestCase
@user = users(:benji)
end
test "debt behaves correctly" do
assert_equal @user.debt_cents, 0
assert_equal @user.debt, 0
@user.debt = 1.3
assert_equal @user.debt, 1.3
assert_equal @user.debt_cents, 130
end
test "to_param" do
assert_equal @user.to_param, "#{@user.id}-benji"
end