From da278491b137e9aed344b186eed48d78245e830d Mon Sep 17 00:00:00 2001
From: benji
Date: Mon, 31 Aug 2015 15:10:13 +0200
Subject: [PATCH] Fix authorization for orders using cancancan

---
 app/controllers/orders_controller.rb | 8 +-------
 app/models/ability.rb | 4 +++-
 test/models/user_test.rb | 10 ----------
 3 files changed, 4 insertions(+), 18 deletions(-)

diff --git a/app/controllers/orders_controller.rb b/app/controllers/orders_controller.rb
index e312597..642cbc1 100644
--- a/app/controllers/orders_controller.rb
+++ b/app/controllers/orders_controller.rb
@@ -3,20 +3,14 @@ class OrdersController < ApplicationController
   include ApplicationHelper
 
   load_and_authorize_resource :user
-  load_and_authorize_resource :order, through: :user
+  load_and_authorize_resource :order, through: :user, shallow: true
 
   def new
-    @user = User.find(params[:user_id])
-    @order = @user.orders.build
-
     products = (@user.products.for_sale.select("products.*", "sum(order_items.count) as count").group(:product_id).order("count desc") | Product.for_sale)
     @order.g_order_items products
   end
 
   def create
-    @user = User.find(params[:user_id])
-    @order = @user.orders.build order_params
-
     if @order.save
       flash[:success] = "#{@order.to_sentence} ordered. Enjoy it!"
       redirect_to root_path
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 9b9e1d5..1cd5ad1 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -11,7 +11,9 @@ class Ability
     elsif user[:id]
       can :read, :all
       can :manage, User, id: user.id
-      can :manage, Order, user: user
+      can :manage, Order do |order|
+        order.try(:user) == user
+      end
     end
   end
 end
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index 7860d28..a783767 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
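Review bot: With `shallow: true` on the added `load_and_authorize_resource :order` line, `@user` is allowed to be nil whenever a route carries no `user_id`, and the parent `load_and_authorize_resource :user` still accepts whatever `user_id` the client supplies (cancancan authorizes a parent with `:show` by default, which `can :read, :all` in ability.rb grants to every signed-in user), so whether a user may create or touch an order now rests entirely on the `Order` ability rather than on anything in this controller. That is a workable design, but nothing in the file records it; I would add above the two declarations: `# @user is whoever :user_id names, NOT current_user. Ownership of an order is enforced by Ability, and :shallow lets member routes without :user_id load the Order directly.` If shallow routes exist only for member actions (the hunk does not show the routes), keeping `new`/`create` strictly nested is two declarations: `load_and_authorize_resource :order, through: :user, only: [:new, :create]` and `load_and_authorize_resource :order, through: :user, shallow: true, except: [:new, :create]`. The `create` method continues past the end of the hunk.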
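Review bot: The block form now used for `Order` cannot be turned into a query: cancancan does not load the collection for an `index` action from a block-only rule, and an explicit `Order.accessible_by(current_ability)` raises `CanCan::Error`, whereas the removed `user: user` hash condition supported both. None of those callers are visible in this hunk, so this may not bite, but if any exist the fix is to supply SQL conditions alongside the block, `can :manage, Order, ['user_id = ?', user.id] do |order|` / `  order.try(:user) == user` / `end` (assuming the foreign key is `user_id`, as `through: :user` in the controller suggests). Comparing `order.user_id == user.id` instead of `order.try(:user) == user` would also avoid loading the associated user on every check; `user.id` is already relied on by the `User` rule one line above. The method enclosing these rules, presumably `initialize`, starts outside the hunk.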
@@ -32,16 +32,6 @@ class UserTest < ActiveSupport::TestCase
     @user = users(:benji)
   end
 
-  test "debt behaves correctly" do
-    assert_equal @user.debt_cents, 0
-    assert_equal @user.debt, 0
-
-    @user.debt = 1.3
-
-    assert_equal @user.debt, 1.3
-    assert_equal @user.debt_cents, 130
-  end
-
   test "to_param" do
     assert_equal @user.to_param, "#{@user.id}-benji"
   end