Fix authorization for orders using cancancan
parent
b5017bff9a
commit
da278491b1
|
@ -3,20 +3,14 @@ class OrdersController < ApplicationController
|
||||||
include ApplicationHelper
|
include ApplicationHelper
|
||||||
|
|
||||||
load_and_authorize_resource :user
|
load_and_authorize_resource :user
|
||||||
load_and_authorize_resource :order, through: :user
|
load_and_authorize_resource :order, through: :user, shallow: true
|
||||||
|
|
||||||
def new
|
def new
|
||||||
@user = User.find(params[:user_id])
|
|
||||||
@order = @user.orders.build
|
|
||||||
|
|
||||||
products = (@user.products.for_sale.select("products.*", "sum(order_items.count) as count").group(:product_id).order("count desc") | Product.for_sale)
|
products = (@user.products.for_sale.select("products.*", "sum(order_items.count) as count").group(:product_id).order("count desc") | Product.for_sale)
|
||||||
@order.g_order_items products
|
@order.g_order_items products
|
||||||
end
|
end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
@user = User.find(params[:user_id])
|
|
||||||
@order = @user.orders.build order_params
|
|
||||||
|
|
||||||
if @order.save
|
if @order.save
|
||||||
flash[:success] = "#{@order.to_sentence} ordered. Enjoy it!"
|
flash[:success] = "#{@order.to_sentence} ordered. Enjoy it!"
|
||||||
redirect_to root_path
|
redirect_to root_path
|
||||||
|
|
|
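Review bot: The `shallow: true` added to `load_and_authorize_resource :order, through: :user` lets the order be loaded without the user scope whenever no parent user is found, so on such a request access rests on the Ability rules alone. If every order route is nested under a user, keep the stricter `load_and_authorize_resource :order, through: :user`; if a shallow route is intended, a comment naming it would help the next reader. `new` and `create` now depend on cancancan to assign `@user` and `@order`, and `create` presumably builds the order from `order_params`, which is outside the hunk, so confirm that method does not permit `user_id`. The body of `create` continues past the end of the hunk.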
@ -11,7 +11,9 @@ class Ability
|
||||||
elsif user[:id]
|
elsif user[:id]
|
||||||
can :read, :all
|
can :read, :all
|
||||||
can :manage, User, id: user.id
|
can :manage, User, id: user.id
|
||||||
can :manage, Order, user: user
|
can :manage, Order do |order|
|
||||||
|
order.try(:user) == user
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
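Review bot: The block form of `can :manage, Order` is evaluated only against an order instance, so a class-level check such as `can? :create, Order` passes for any signed-in user and `accessible_by` cannot turn the rule into a query. A hash condition keeps both working and makes the `try` unnecessary: `can :manage, Order, user_id: user.id` (assuming orders carry a `user_id` column, which the hunk does not show). Separately, the context line `can :read, :all` still lets every signed-in user read other users' orders and profiles, which this commit leaves as is; narrowing it is worth a follow-up. The enclosing method starts outside the hunk.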
@ -32,16 +32,6 @@ class UserTest < ActiveSupport::TestCase
|
||||||
@user = users(:benji)
|
@user = users(:benji)
|
||||||
end
|
end
|
||||||
|
|
||||||
test "debt behaves correctly" do
|
|
||||||
assert_equal @user.debt_cents, 0
|
|
||||||
assert_equal @user.debt, 0
|
|
||||||
|
|
||||||
@user.debt = 1.3
|
|
||||||
|
|
||||||
assert_equal @user.debt, 1.3
|
|
||||||
assert_equal @user.debt_cents, 130
|
|
||||||
end
|
|
||||||
|
|
||||||
test "to_param" do
|
test "to_param" do
|
||||||
assert_equal @user.to_param, "#{@user.id}-benji"
|
assert_equal @user.to_param, "#{@user.id}-benji"
|
||||||
end
|
end
|
||||||
|
|