From 250a9217496b35f79ba58e6654c1f3475d0eb094 Mon Sep 17 00:00:00 2001 From: Fab Date: Sun, 19 Jan 2025 19:38:13 +0100 Subject: [PATCH 1/5] Restore Puma version pin The issue with capybara that originally caused the change to the main branch of the puma repo has been fixed and solidus should return on the Puma release cycle. --- Gemfile | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/Gemfile b/Gemfile index dd357ea99bf..35b93fdcb00 100644 --- a/Gemfile +++ b/Gemfile @@ -31,12 +31,7 @@ gem 'simplecov-cobertura', require: false gem 'rack', '< 3', require: false gem 'rake', require: false, groups: [:lint, :release] gem 'rails-controller-testing', require: false - -# Temporarily use the master branch of puma until the next release -# The current release, 6.4.3, has bug that causes Capybara to crash. -# See https://github.com/puma/puma/pull/3532 -gem 'puma', github: 'puma/puma', branch: 'master', require: false - +gem 'puma', '< 7', require: false gem 'i18n-tasks', '~> 0.9', require: false gem 'rspec_junit_formatter', require: false gem 'yard', require: false From ad924fd72ed09f69f49400277f4df45ace81b20f Mon Sep 17 00:00:00 2001 From: Fab Date: Sun, 19 Jan 2025 22:12:12 +0100 Subject: [PATCH 2/5] Fix "temporary" pinning of sqlite as ActiveStorage now supports more recent versions Not required anymore. https://github.com/solidusio/solidus/pull/5727 --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 35b93fdcb00..3b7c66527c3 100644 --- a/Gemfile +++ b/Gemfile 
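Review bot: The restored constraint `gem 'puma', '< 7', require: false` in the first Gemfile hunk has no lower bound, so a fresh resolve may still select 6.4.3, the release the removed comment says crashes Capybara. The commit message says the fix has since shipped, so a floor would keep that release out: `gem 'puma', '> 6.4.3', '< 7', require: false`. A bounded range also makes the lockfile change easier to review than an open-ended one.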
@@ -19,7 +19,7 @@ dbs = ENV['DB_ALL'] ? 'all' : ENV.fetch('DB', 'sqlite') gem 'mysql2', '~> 0.5.0', require: false if dbs.match?(/all|mysql/) gem 'pg', '~> 1.0', require: false if dbs.match?(/all|postgres/) gem 'fast_sqlite', require: false if dbs.match?(/all|sqlite/) -gem 'sqlite3', '~> 1.4', require: false if dbs.match?(/all|sqlite/) +gem 'sqlite3', '>= 2.1', require: false if dbs.match?(/all|sqlite/) gem 'database_cleaner', '~> 2.0', require: false From 8d921d9458c608250304497e6fd955ef7dd696d2 Mon Sep 17 00:00:00 2001 
From: Martin Meyerhoff Date: Thu, 23 Jan 2025 11:23:25 +0100 Subject: [PATCH 3/5] Move permission sets back to app/ These were already in app, but moved in https://github.com/solidusio/solidus/pull/403. At the time of that PR, code reloading was still handled by Rails, so let's see if we can now move them back as Zeitwerk now handles code reloading. --- core/app/models/spree/permission_sets/base.rb | 44 ++++++++++ .../permission_sets/configuration_display.rb | 53 ++++++++++++ .../configuration_management.rb | 52 +++++++++++ .../permission_sets/dashboard_display.rb | 28 ++++++ .../spree/permission_sets/default_customer.rb | 83 ++++++++++++++++++ .../spree/permission_sets/order_display.rb | 50 +++++++++++ .../spree/permission_sets/order_management.rb | 50 +++++++++++ .../spree/permission_sets/product_display.rb | 43 ++++++++++ .../permission_sets/product_management.rb | 47 ++++++++++ .../restricted_stock_display.rb | 33 +++++++ .../restricted_stock_management.rb | 33 +++++++ .../spree/permission_sets/stock_display.rb | 26 ++++++ .../spree/permission_sets/stock_management.rb | 26 ++++++ .../spree/permission_sets/super_user.rb | 26 ++++++ .../spree/permission_sets/user_display.rb | 27 ++++++ .../spree/permission_sets/user_management.rb | 44 ++++++++++ core/lib/spree/core.rb | 1 - core/lib/spree/permission_sets.rb | 21 ++--- core/lib/spree/permission_sets/base.rb | 47 ++-------- .../permission_sets/configuration_display.rb | 56 ++---------- .../configuration_management.rb | 55 ++---------- .../permission_sets/dashboard_display.rb | 31 ++----- .../spree/permission_sets/default_customer.rb | 86 ++----------------- .../spree/permission_sets/order_display.rb | 53 ++---------- .../spree/permission_sets/order_management.rb | 53 ++---------- .../spree/permission_sets/product_display.rb | 46 ++-------- .../permission_sets/product_management.rb | 50 ++--------- .../restricted_stock_display.rb | 36 ++------ .../restricted_stock_management.rb | 36 ++------ 
.../spree/permission_sets/stock_display.rb | 29 ++----- .../spree/permission_sets/stock_management.rb | 29 ++----- core/lib/spree/permission_sets/super_user.rb | 29 ++----- .../lib/spree/permission_sets/user_display.rb | 30 ++----- .../spree/permission_sets/user_management.rb | 47 ++-------- 34 files changed, 750 insertions(+), 650 deletions(-) create mode 100644 core/app/models/spree/permission_sets/base.rb create mode 100644 core/app/models/spree/permission_sets/configuration_display.rb create mode 100644 core/app/models/spree/permission_sets/configuration_management.rb create mode 100644 core/app/models/spree/permission_sets/dashboard_display.rb create mode 100644 core/app/models/spree/permission_sets/default_customer.rb create mode 100644 core/app/models/spree/permission_sets/order_display.rb create mode 100644 core/app/models/spree/permission_sets/order_management.rb create mode 100644 core/app/models/spree/permission_sets/product_display.rb create mode 100644 core/app/models/spree/permission_sets/product_management.rb create mode 100644 core/app/models/spree/permission_sets/restricted_stock_display.rb create mode 100644 core/app/models/spree/permission_sets/restricted_stock_management.rb create mode 100644 core/app/models/spree/permission_sets/stock_display.rb create mode 100644 core/app/models/spree/permission_sets/stock_management.rb create mode 100644 core/app/models/spree/permission_sets/super_user.rb create mode 100644 core/app/models/spree/permission_sets/user_display.rb create mode 100644 core/app/models/spree/permission_sets/user_management.rb diff --git a/core/app/models/spree/permission_sets/base.rb b/core/app/models/spree/permission_sets/base.rb new file mode 100644 index 00000000000..586c21442e4 --- /dev/null +++ b/core/app/models/spree/permission_sets/base.rb 
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # This is the base class used for crafting permission sets.
+ #
+ # This is used by {Spree::RoleConfiguration} when adding custom behavior to {Spree::Ability}.
+ # See one of the subclasses for example structure such as {Spree::PermissionSets::UserDisplay}
+ #
+ # @see Spree::RoleConfiguration
+ # @see Spree::PermissionSets
+ class Base
+ # @param ability [CanCan::Ability]
+ # The ability that will be extended with the current permission set.
+ # The ability passed in must respond to #user
+ def initialize(ability)
+ @ability = ability
+ end
+
+ # Activate permissions on the ability. Put your can and cannot statements here.
+ # Must be overridden by subclasses
+ def activate!
+ raise NotImplementedError.new
+ end
+
+ # Provide the permission set privilege in the form of a :symbol.
+ # Must be overridden by subclasses.
+ def self.privilege
+ raise NotImplementedError, "Subclass #{name} must define a privilege using `self.privilege :symbol`"
+ end
+
+ # Provide the permission set category in the form of a :symbol.
+ # Must be overridden by subclasses.
+ def self.category
+ raise NotImplementedError, "Subclass #{name} must define a category using `self.category :symbol`"
+ end
+
+ private
+
+ attr_reader :ability
+ delegate :can, :cannot, :user, to: :ability
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/configuration_display.rb b/core/app/models/spree/permission_sets/configuration_display.rb
new file mode 100644
index 00000000000..a6b2e46cabc
--- /dev/null
+++ b/core/app/models/spree/permission_sets/configuration_display.rb
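Review bot: `Spree::PermissionSets::Base#activate!` raises a bare `NotImplementedError.new`, while `self.privilege` and `self.category` in the same class name the offending subclass in their message. For consistency I would write `raise NotImplementedError, "Subclass #{self.class.name} must implement #activate!"`, so that a permission set which forgot the override is identifiable from the backtrace-free log line. The comment above it could also record that `NotImplementedError` is a `ScriptError`, so a bare `rescue` will not catch it, meaning an incomplete permission set fails loudly rather than silently granting nothing.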
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Read-only permissions for e-commerce settings.
+ #
+ # Roles with this permission will be able to view information, also from the admin
+ # panel, about:
+ #
+ # - Tax categories
+ # - Tax rates
+ # - Zones
+ # - Countries
+ # - States
+ # - Payment methods
+ # - Taxonomies
+ # - Shipping methods
+ # - Shipping categories
+ # - Stock locations
+ # - Stock movements
+ # - Refund reasons
+ # - Reimbursement types
+ # - Return reasons
+ class ConfigurationDisplay < PermissionSets::Base
+ class << self
+ def privilege
+ :display
+ end
+
+ def category
+ :configuration
+ end
+ end
+
+ def activate!
+ can [:read, :admin], Spree::TaxCategory
+ can [:read, :admin], Spree::TaxRate
+ can [:read, :admin], Spree::Zone
+ can [:read, :admin], Spree::Country
+ can [:read, :admin], Spree::State
+ can [:read, :admin], Spree::PaymentMethod
+ can [:read, :admin], Spree::Taxonomy
+ can [:read, :admin], Spree::ShippingMethod
+ can [:read, :admin], Spree::ShippingCategory
+ can [:read, :admin], Spree::StockLocation
+ can [:read, :admin], Spree::StockMovement
+ can [:read, :admin], Spree::RefundReason
+ can [:read, :admin], Spree::ReimbursementType
+ can [:read, :admin], Spree::ReturnReason
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/configuration_management.rb b/core/app/models/spree/permission_sets/configuration_management.rb
new file mode 100644
index 00000000000..56d0946d7e4
--- /dev/null
+++ b/core/app/models/spree/permission_sets/configuration_management.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Read and write permissions for e-commerce settings.
+ #
+ # Roles with this permission set will have full control over:
+ #
+ # - Tax categories
+ # - Tax rates
+ # - Zones
+ # - Countries
+ # - States
+ # - Payment methods
+ # - Taxonomies
+ # - Shipping methods
+ # - Shipping categories
+ # - Stock locations
+ # - Stock movements
+ # - Refund reasons
+ # - Reimbursement types
+ # - Return reasons
+ class ConfigurationManagement < PermissionSets::Base
+ class << self
+ def privilege
+ :management
+ end
+
+ def category
+ :configuration
+ end
+ end
+
+ def activate!
+ can :manage, Spree::TaxCategory
+ can :manage, Spree::TaxRate
+ can :manage, Spree::Zone
+ can :manage, Spree::Country
+ can :manage, Spree::State
+ can :manage, Spree::PaymentMethod
+ can :manage, Spree::Taxonomy
+ can :manage, Spree::ShippingMethod
+ can :manage, Spree::ShippingCategory
+ can :manage, Spree::StockLocation
+ can :manage, Spree::StockMovement
+ can :manage, Spree::RefundReason
+ can :manage, Spree::ReimbursementType
+ can :manage, Spree::ReturnReason
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/dashboard_display.rb b/core/app/models/spree/permission_sets/dashboard_display.rb
new file mode 100644
index 00000000000..09e43a70b31
--- /dev/null
+++ b/core/app/models/spree/permission_sets/dashboard_display.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Permissions for viewing the admin dashboard.
+ #
+ # Roles with this permission set will be able to view the admin dashboard,
+ # which may or not contain sensitive information depending on
+ # customizations.
+ class DashboardDisplay < PermissionSets::Base
+ class << self
+ def privilege
+ :other
+ end
+
+ def category
+ :dashboard_display
+ end
+ end
+
+ def activate!
+ Spree.deprecator.warn "The #{self.class.name} module is deprecated. " \
+ "If you still use dashboards, please copy all controllers and views from #{self.class.name} to your application."
+ can [:admin, :home], :dashboards
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/default_customer.rb b/core/app/models/spree/permission_sets/default_customer.rb
new file mode 100644
index 00000000000..e4d82c216cd
--- /dev/null
+++ b/core/app/models/spree/permission_sets/default_customer.rb
@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Permissions for e-commerce customers.
+ #
+ # This permission set is always added to the `:default` role, which in turn
+ # is the default role for all users without any explicit roles.
+ #
+ # Permissions include reading and updating orders when the ability's user
+ # has been assigned as the order's user, unless the order is already
+ # completed. Same is true for guest checkout orders.
+ #
+ # It grants read-only permissions for the following resources typically used
+ # during a checkout process:
+ #
+ # - Zones
+ # - Countries
+ # - States
+ # - Taxons
+ # - Taxonomies
+ # - Products
+ # - Properties
+ # - Product properties
+ # - Variants
+ # - Option types
+ # - Option values
+ # - Stock items
+ # - Stock locations
+ #
+ # Abilities with this role can also create refund authorizations for orders
+ # with the same user, as well as reading and updating the user record and
+ # their associated cards.
+ class DefaultCustomer < PermissionSets::Base
+ class << self
+ def privilege
+ :other
+ end
+
+ def category
+ :default_customer
+ end
+ end
+
+ def activate!
+ can :read, Country
+ can :read, OptionType
+ can :read, OptionValue
+ can :create, Order do |order, token|
+ # same user, or both nil
+ order.user == user ||
+ # guest checkout order
+ order.email.present? ||
+ # via API, just like with show and update
+ (order.guest_token.present? && token == order.guest_token)
+ end
+ can [:show, :update], Order, Order.where(user:) do |order, token|
+ order.user == user || (order.guest_token.present? && token == order.guest_token)
+ end
+ cannot :update, Order do |order|
+ order.completed?
+ end
+ can :create, ReturnAuthorization do |return_authorization|
+ return_authorization.order.user == user
+ end
+ can [:read, :update], CreditCard, user_id: user.id
+ can :read, Product
+ can :read, ProductProperty
+ can :read, Property
+ can :create, Spree.user_class
+ can [:show, :update, :update_email], Spree.user_class, id: user.id
+ can :read, State
+ can :read, StockItem, stock_location: { active: true }
+ can :read, StockLocation, active: true
+ can :read, Taxon
+ can :read, Taxonomy
+ can [:save_in_address_book, :remove_from_address_book], Spree.user_class, id: user.id
+ can [:read, :view_out_of_stock], Variant
+ can :read, Zone
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/order_display.rb b/core/app/models/spree/permission_sets/order_display.rb
new file mode 100644
index 00000000000..b72e939df0f
--- /dev/null
+++ b/core/app/models/spree/permission_sets/order_display.rb
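Review bot: In `Spree::PermissionSets::DefaultCustomer#activate!` the `[:show, :update]` rule pairs the scope `Order.where(user:)` with a block that additionally accepts a matching `guest_token`, so the SQL scope and the per-record check describe different sets of orders. Anything that relies on the scope (for example `accessible_by`) will not include token-authorised guest orders, and if the ability's user can be an unpersisted record the scope presumably reduces to orders with no user at all; how the ability is built is outside this hunk, so that needs confirming. I would add a comment above the rule such as `# Scope covers only orders owned by user; guest_token access is checked per record in the block.` The class comment also says "refund authorizations" where the rule is on `ReturnAuthorization`.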
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Read permissions for orders.
+ #
+ # This permission set allows users to view all related information about
+ # orders, also from the admin panel, including:
+ #
+ # - Orders
+ # - Payments
+ # - Shipments
+ # - Adjustments
+ # - Line items
+ # - Return authorizations
+ # - Customer returns
+ # - Order cancellations
+ # - Reimbursements
+ # - Return items
+ # - Refunds
+ #
+ # However, it does not allow any modifications to be made to any of these
+ # resources.
+ class OrderDisplay < PermissionSets::Base
+ class << self
+ def privilege
+ :display
+ end
+
+ def category
+ :order
+ end
+ end
+
+ def activate!
+ can [:read, :admin, :edit, :cart], Spree::Order
+ can [:read, :admin], Spree::Payment
+ can [:read, :admin], Spree::Shipment
+ can [:read, :admin], Spree::Adjustment
+ can [:read, :admin], Spree::LineItem
+ can [:read, :admin], Spree::ReturnAuthorization
+ can [:read, :admin], Spree::CustomerReturn
+ can [:read, :admin], Spree::OrderCancellations
+ can [:read, :admin], Spree::Reimbursement
+ can [:read, :admin], Spree::ReturnItem
+ can [:read, :admin], Spree::Refund
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/order_management.rb b/core/app/models/spree/permission_sets/order_management.rb
new file mode 100644
index 00000000000..9b29cf7743d
--- /dev/null
+++ b/core/app/models/spree/permission_sets/order_management.rb
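Review bot: `OrderDisplay#activate!` grants `:edit` and `:cart` on `Spree::Order` although the class comment states that no modifications are allowed; `ProductDisplay` and `UserDisplay` later in this patch likewise grant `:edit` (and, on the user class, `:addresses`, `:orders`, `:items`). If these actions only render admin pages and every write path is authorised as `:update`, that should be stated next to the rule, e.g. `# :edit and :cart only render admin pages; writes are authorised as :update, which this set does not grant.` Without it, someone auditing the read-only sets cannot tell from this file whether the extra actions are intentional.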
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Full permissions for order management.
+ #
+ # This permission set grants full control over all order and related resources,
+ # including:
+ #
+ # - Orders
+ # - Payments
+ # - Shipments
+ # - Adjustments
+ # - Line items
+ # - Return authorizations
+ # - Customer returns
+ # - Order cancellations
+ # - Reimbursements
+ # - Return items
+ # - Refunds
+ #
+ # It also allows reading reimbursement types, but not modifying them.
+ class OrderManagement < PermissionSets::Base
+ class << self
+ def privilege
+ :management
+ end
+
+ def category
+ :order
+ end
+ end
+
+ def activate!
+ can :read, Spree::ReimbursementType
+ can :manage, Spree::Order
+ can :manage, Spree::Payment
+ can :manage, Spree::Shipment
+ can :manage, Spree::Adjustment
+ can :manage, Spree::LineItem
+ can :manage, Spree::ReturnAuthorization
+ can :manage, Spree::CustomerReturn
+ can :manage, Spree::OrderCancellations
+ can :manage, Spree::Reimbursement
+ can :manage, Spree::ReturnItem
+ can :manage, Spree::Refund
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/product_display.rb b/core/app/models/spree/permission_sets/product_display.rb
new file mode 100644
index 00000000000..d6d281bca60
--- /dev/null
+++ b/core/app/models/spree/permission_sets/product_display.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Read-only permissions for products.
+ #
+ # This permission set allows users to view all related information about
+ # products, also from the admin panel, including:
+ #
+ # - Products
+ # - Images
+ # - Variants
+ # - Option values
+ # - Product properties
+ # - Option types
+ # - Properties
+ # - Taxonomies
+ # - Taxons
+ class ProductDisplay < PermissionSets::Base
+ class << self
+ def privilege
+ :display
+ end
+
+ def category
+ :product
+ end
+ end
+
+ def activate!
+ can [:read, :admin, :edit], Spree::Product
+ can [:read, :admin], Spree::Image
+ can [:read, :admin], Spree::Variant
+ can [:read, :admin], Spree::OptionValue
+ can [:read, :admin], Spree::ProductProperty
+ can [:read, :admin], Spree::OptionType
+ can [:read, :admin], Spree::Property
+ can [:read, :admin], Spree::Taxonomy
+ can [:read, :admin], Spree::Taxon
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/product_management.rb b/core/app/models/spree/permission_sets/product_management.rb
new file mode 100644
index 00000000000..c919eef3811
--- /dev/null
+++ b/core/app/models/spree/permission_sets/product_management.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Full permissions for product management.
+ #
+ # This permission set grants full control over all product and related resources,
+ # including:
+ #
+ # - Products
+ # - Images
+ # - Variants
+ # - Option values
+ # - Product properties
+ # - Option types
+ # - Properties
+ # - Taxonomies
+ # - Taxons
+ # - Classifications
+ # - Prices
+ class ProductManagement < PermissionSets::Base
+ class << self
+ def privilege
+ :management
+ end
+
+ def category
+ :product
+ end
+ end
+
+ def activate!
+ can :manage, Spree::Classification
+ can :manage, Spree::Image
+ can :manage, Spree::OptionType
+ can :manage, Spree::OptionValue
+ can :manage, Spree::Price
+ can :manage, Spree::Product
+ can :manage, Spree::ProductProperty
+ can :manage, Spree::Property
+ can :manage, Spree::Taxon
+ can :manage, Spree::Taxonomy
+ can :manage, Spree::Variant
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/restricted_stock_display.rb b/core/app/models/spree/permission_sets/restricted_stock_display.rb
new file mode 100644
index 00000000000..9bb2137f12c
--- /dev/null
+++ b/core/app/models/spree/permission_sets/restricted_stock_display.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Read permissions for stock limited to allowed locations.
+ #
+ # This permission set allows users to view information about stock items and
+ # locations, both of them limited to locations they have access to.
+ # Permissions are also granted for the admin panel for items.
+ class RestrictedStockDisplay < PermissionSets::Base
+ class << self
+ def privilege
+ :display
+ end
+
+ def category
+ :restricted_stock
+ end
+ end
+
+ def activate!
+ can [:read, :admin], Spree::StockItem, stock_location_id: location_ids
+ can :read, Spree::StockLocation, id: location_ids
+ end
+
+ private
+
+ def location_ids
+ @ids ||= user.stock_locations.pluck(:id)
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/restricted_stock_management.rb b/core/app/models/spree/permission_sets/restricted_stock_management.rb
new file mode 100644
index 00000000000..358f5bf9ab4
--- /dev/null
+++ b/core/app/models/spree/permission_sets/restricted_stock_management.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Full permissions for stock management limited to allowed locations.
+ #
+ # This permission set grants full control over all stock items a user has
+ # access to their locations. Those locations are also readable by the
+ # corresponding ability.
+ class RestrictedStockManagement < PermissionSets::Base
+ class << self
+ def privilege
+ :management
+ end
+
+ def category
+ :restricted_stock
+ end
+ end
+
+ def activate!
+ can :manage, Spree::StockItem, stock_location_id: location_ids
+ can :read, Spree::StockLocation, id: location_ids
+ end
+
+ private
+
+ def location_ids
+ @ids ||= user.stock_locations.pluck(:id)
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/stock_display.rb b/core/app/models/spree/permission_sets/stock_display.rb
new file mode 100644
index 00000000000..a7b1ae0a104
--- /dev/null
+++ b/core/app/models/spree/permission_sets/stock_display.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Read-only permissions for stock.
+ #
+ # This permission set allows users to view information about stock items
+ # (also from the admin panel) and stock locations.
+ class StockDisplay < PermissionSets::Base
+ class << self
+ def privilege
+ :display
+ end
+
+ def category
+ :stock
+ end
+ end
+
+ def activate!
+ can [:read, :admin], Spree::StockItem
+ can :read, Spree::StockLocation
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/stock_management.rb b/core/app/models/spree/permission_sets/stock_management.rb
new file mode 100644
index 00000000000..c869a82d5e5
--- /dev/null
+++ b/core/app/models/spree/permission_sets/stock_management.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Full permissions for stock management.
+ #
+ # This permission set grants full control over all stock items and read
+ # access to locations.
+ class StockManagement < PermissionSets::Base
+ class << self
+ def privilege
+ :management
+ end
+
+ def category
+ :stock
+ end
+ end
+
+ def activate!
+ can :manage, Spree::StockItem
+ can :read, Spree::StockLocation
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/super_user.rb b/core/app/models/spree/permission_sets/super_user.rb
new file mode 100644
index 00000000000..d2f1ff7e1bb
--- /dev/null
+++ b/core/app/models/spree/permission_sets/super_user.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Full permissions for store administration.
+ #
+ # This permission set is always added to users with the `:admin` role.
+ #
+ # It grants permission to perform any read or write action on any resource.
+ class SuperUser < PermissionSets::Base
+ class << self
+ def privilege
+ :other
+ end
+
+ def category
+ :super_user
+ end
+ end
+
+ def activate!
+ can :manage, :all
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/user_display.rb b/core/app/models/spree/permission_sets/user_display.rb
new file mode 100644
index 00000000000..793b827207e
--- /dev/null
+++ b/core/app/models/spree/permission_sets/user_display.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Spree
+ module PermissionSets
+ # Read-only permissions for users, roles and store credits.
+ #
+ # This permission set allows users to view all related information about
+ # users, roles and store credits, also from the admin panel.
+ class UserDisplay < PermissionSets::Base
+ class << self
+ def privilege
+ :display
+ end
+
+ def category
+ :user
+ end
+ end
+
+ def activate!
+ can [:read, :admin, :edit, :addresses, :orders, :items], Spree.user_class
+ can [:read, :admin], Spree::StoreCredit
+ can :read, Spree::Role
+ end
+ end
+ end
+end
diff --git a/core/app/models/spree/permission_sets/user_management.rb b/core/app/models/spree/permission_sets/user_management.rb
new file mode 100644
index 00000000000..2633204069d
--- /dev/null
+++ b/core/app/models/spree/permission_sets/user_management.rb
@@ -0,0 +1,44 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Full permissions for user management. + # + # This permission set grants full control over all user and + # related resources, including: + # + # - Users + # - Store credits + # - Roles + # - API keys + class UserManagement < PermissionSets::Base + class << self + def privilege + :management + end + + def category + :user + end + end + + def activate! + can [:admin, :read, :create, :update, :save_in_address_book, :remove_from_address_book, :addresses, :orders, :items], Spree.user_class + + # Note: This does not work with accessible_by. + # See https://github.com/solidusio/solidus/pull/1263 + can :update_email, Spree.user_class do |user| + user.spree_roles.none? + end + can :update_password, Spree.user_class do |user| + user.spree_roles.none? + end + + cannot :destroy, Spree.user_class + can :manage, Spree::StoreCredit + can :manage, :api_key + can :read, Spree::Role + end + end + end +end diff --git a/core/lib/spree/core.rb b/core/lib/spree/core.rb index d91060dd373..7cdf11a3c88 100644 --- a/core/lib/spree/core.rb +++ b/core/lib/spree/core.rb @@ -115,7 +115,6 @@ class GatewayError < RuntimeError; end require 'spree/core/stock_configuration' require 'spree/core/null_promotion_configuration' require 'spree/core/validators/email' -require 'spree/permission_sets' require 'spree/user_class_handle' require 'spree/preferences/store' diff --git a/core/lib/spree/permission_sets.rb b/core/lib/spree/permission_sets.rb index 8c4d80f7fb8..72f6898b795 100644 --- a/core/lib/spree/permission_sets.rb +++ b/core/lib/spree/permission_sets.rb 
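Review bot: In `UserManagement#activate!`, `can :manage, :api_key` is granted without any condition, while `:update_email` and `:update_password` are limited to targets with `spree_roles.none?`. If that guard is there to stop a user manager from taking over an account that holds roles, the API-key grant needs the same scrutiny in whichever controller enforces it (not visible here), or at least a comment such as `# :api_key is a symbol subject, so no per-user condition applies; the controller must refuse keys for users with roles.` The existing comment only explains that the blocks do not work with `accessible_by`, not why they exist. The block parameter `user` also shadows the `user` delegated to the ability; `|target_user|` would make it clear which one is being tested.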
@@ -1,18 +1,7 @@ # frozen_string_literal: true -require 'spree/permission_sets/base' -require 'spree/permission_sets/configuration_display' -require 'spree/permission_sets/configuration_management' -require 'spree/permission_sets/dashboard_display' -require 'spree/permission_sets/default_customer' -require 'spree/permission_sets/order_display' -require 'spree/permission_sets/order_management' -require 'spree/permission_sets/product_display' -require 'spree/permission_sets/product_management' -require 'spree/permission_sets/restricted_stock_display' -require 'spree/permission_sets/restricted_stock_management' -require 'spree/permission_sets/stock_display' -require 'spree/permission_sets/stock_management' -require 'spree/permission_sets/super_user' -require 'spree/permission_sets/user_display' -require 'spree/permission_sets/user_management' +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/base.rb b/core/lib/spree/permission_sets/base.rb index 586c21442e4..72f6898b795 100644 --- a/core/lib/spree/permission_sets/base.rb +++ b/core/lib/spree/permission_sets/base.rb 
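Review bot: After this hunk `core/lib/spree/permission_sets.rb` no longer defines anything and calls `Spree.deprecator` at load time, and the same five-line body is repeated in every `core/lib/spree/permission_sets/*.rb` stub that follows. Code that requires one of these files and then references `Spree::PermissionSets::...` before the autoloader is set up (a plain Ruby script, or an early initializer) would presumably get only the warning and then a `NameError`; and a require that runs before `Spree.deprecator` is defined would fail outright, which depends on load order not shown here. I would state that limit in the message, e.g. `The constants it used to define are now autoloaded from core/app/models and are only available once the application has booted.` Since permission sets decide authorization, a short changelog entry telling apps that reopened these classes via `require` to move to a reload-safe hook would also help.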
@@ -1,44 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # This is the base class used for crafting permission sets. - # - # This is used by {Spree::RoleConfiguration} when adding custom behavior to {Spree::Ability}. - # See one of the subclasses for example structure such as {Spree::PermissionSets::UserDisplay} - # - # @see Spree::RoleConfiguration - # @see Spree::PermissionSets - class Base - # @param ability [CanCan::Ability] - # The ability that will be extended with the current permission set. - # The ability passed in must respond to #user - def initialize(ability) - @ability = ability - end - - # Activate permissions on the ability. Put your can and cannot statements here. - # Must be overridden by subclasses - def activate! - raise NotImplementedError.new - end - - # Provide the permission set privilege in the form of a :symbol. - # Must be overridden by subclasses. - def self.privilege - raise NotImplementedError, "Subclass #{name} must define a privilege using `self.privilege :symbol`" - end - - # Provide the permission set category in the form of a :symbol. - # Must be overridden by subclasses. - def self.category - raise NotImplementedError, "Subclass #{name} must define a category using `self.category :symbol`" - end - - private - - attr_reader :ability - delegate :can, :cannot, :user, to: :ability - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/configuration_display.rb b/core/lib/spree/permission_sets/configuration_display.rb index a6b2e46cabc..72f6898b795 100644 --- a/core/lib/spree/permission_sets/configuration_display.rb +++ b/core/lib/spree/permission_sets/configuration_display.rb 
@@ -1,53 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read-only permissions for e-commerce settings. - # - # Roles with this permission will be able to view information, also from the admin - # panel, about: - # - # - Tax categories - # - Tax rates - # - Zones - # - Countries - # - States - # - Payment methods - # - Taxonomies - # - Shipping methods - # - Shipping categories - # - Stock locations - # - Stock movements - # - Refund reasons - # - Reimbursement types - # - Return reasons - class ConfigurationDisplay < PermissionSets::Base - class << self - def privilege - :display - end - - def category - :configuration - end - end - - def activate! - can [:read, :admin], Spree::TaxCategory - can [:read, :admin], Spree::TaxRate - can [:read, :admin], Spree::Zone - can [:read, :admin], Spree::Country - can [:read, :admin], Spree::State - can [:read, :admin], Spree::PaymentMethod - can [:read, :admin], Spree::Taxonomy - can [:read, :admin], Spree::ShippingMethod - can [:read, :admin], Spree::ShippingCategory - can [:read, :admin], Spree::StockLocation - can [:read, :admin], Spree::StockMovement - can [:read, :admin], Spree::RefundReason - can [:read, :admin], Spree::ReimbursementType - can [:read, :admin], Spree::ReturnReason - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/configuration_management.rb b/core/lib/spree/permission_sets/configuration_management.rb index 56d0946d7e4..72f6898b795 100644 --- a/core/lib/spree/permission_sets/configuration_management.rb +++ b/core/lib/spree/permission_sets/configuration_management.rb 
@@ -1,52 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read and write permissions for e-commerce settings. - # - # Roles with this permission set will have full control over: - # - # - Tax categories - # - Tax rates - # - Zones - # - Countries - # - States - # - Payment methods - # - Taxonomies - # - Shipping methods - # - Shipping categories - # - Stock locations - # - Stock movements - # - Refund reasons - # - Reimbursement types - # - Return reasons - class ConfigurationManagement < PermissionSets::Base - class << self - def privilege - :management - end - - def category - :configuration - end - end - - def activate! - can :manage, Spree::TaxCategory - can :manage, Spree::TaxRate - can :manage, Spree::Zone - can :manage, Spree::Country - can :manage, Spree::State - can :manage, Spree::PaymentMethod - can :manage, Spree::Taxonomy - can :manage, Spree::ShippingMethod - can :manage, Spree::ShippingCategory - can :manage, Spree::StockLocation - can :manage, Spree::StockMovement - can :manage, Spree::RefundReason - can :manage, Spree::ReimbursementType - can :manage, Spree::ReturnReason - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/dashboard_display.rb b/core/lib/spree/permission_sets/dashboard_display.rb index 09e43a70b31..72f6898b795 100644 --- a/core/lib/spree/permission_sets/dashboard_display.rb +++ b/core/lib/spree/permission_sets/dashboard_display.rb 
@@ -1,28 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Permissions for viewing the admin dashboard. - # - # Roles with this permission set will be able to view the admin dashboard, - # which may or not contain sensitive information depending on - # customizations. - class DashboardDisplay < PermissionSets::Base - class << self - def privilege - :other - end - - def category - :dashboard_display - end - end - - def activate! - Spree.deprecator.warn "The #{self.class.name} module is deprecated. " \ - "If you still use dashboards, please copy all controllers and views from #{self.class.name} to your application." - can [:admin, :home], :dashboards - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/default_customer.rb b/core/lib/spree/permission_sets/default_customer.rb index e4d82c216cd..72f6898b795 100644 --- a/core/lib/spree/permission_sets/default_customer.rb +++ b/core/lib/spree/permission_sets/default_customer.rb 
@@ -1,83 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Permissions for e-commerce customers. - # - # This permission set is always added to the `:default` role, which in turn - # is the default role for all users without any explicit roles. - # - # Permissions include reading and updating orders when the ability's user - # has been assigned as the order's user, unless the order is already - # completed. Same is true for guest checkout orders. - # - # It grants read-only permissions for the following resources typically used - # during a checkout process: - # - # - Zones - # - Countries - # - States - # - Taxons - # - Taxonomies - # - Products - # - Properties - # - Product properties - # - Variants - # - Option types - # - Option values - # - Stock items - # - Stock locations - # - # Abilities with this role can also create refund authorizations for orders - # with the same user, as well as reading and updating the user record and - # their associated cards. - class DefaultCustomer < PermissionSets::Base - class << self - def privilege - :other - end - - def category - :default_customer - end - end - - def activate! - can :read, Country - can :read, OptionType - can :read, OptionValue - can :create, Order do |order, token| - # same user, or both nil - order.user == user || - # guest checkout order - order.email.present? || - # via API, just like with show and update - (order.guest_token.present? && token == order.guest_token) - end - can [:show, :update], Order, Order.where(user:) do |order, token| - order.user == user || (order.guest_token.present? && token == order.guest_token) - end - cannot :update, Order do |order| - order.completed? 
- end - can :create, ReturnAuthorization do |return_authorization| - return_authorization.order.user == user - end - can [:read, :update], CreditCard, user_id: user.id - can :read, Product - can :read, ProductProperty - can :read, Property - can :create, Spree.user_class - can [:show, :update, :update_email], Spree.user_class, id: user.id - can :read, State - can :read, StockItem, stock_location: { active: true } - can :read, StockLocation, active: true - can :read, Taxon - can :read, Taxonomy - can [:save_in_address_book, :remove_from_address_book], Spree.user_class, id: user.id - can [:read, :view_out_of_stock], Variant - can :read, Zone - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/order_display.rb b/core/lib/spree/permission_sets/order_display.rb index b72e939df0f..72f6898b795 100644 --- a/core/lib/spree/permission_sets/order_display.rb +++ b/core/lib/spree/permission_sets/order_display.rb 
@@ -1,50 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read permissions for orders. - # - # This permission set allows users to view all related information about - # orders, also from the admin panel, including: - # - # - Orders - # - Payments - # - Shipments - # - Adjustments - # - Line items - # - Return authorizations - # - Customer returns - # - Order cancellations - # - Reimbursements - # - Return items - # - Refunds - # - # However, it does not allow any modifications to be made to any of these - # resources. - class OrderDisplay < PermissionSets::Base - class << self - def privilege - :display - end - - def category - :order - end - end - - def activate! - can [:read, :admin, :edit, :cart], Spree::Order - can [:read, :admin], Spree::Payment - can [:read, :admin], Spree::Shipment - can [:read, :admin], Spree::Adjustment - can [:read, :admin], Spree::LineItem - can [:read, :admin], Spree::ReturnAuthorization - can [:read, :admin], Spree::CustomerReturn - can [:read, :admin], Spree::OrderCancellations - can [:read, :admin], Spree::Reimbursement - can [:read, :admin], Spree::ReturnItem - can [:read, :admin], Spree::Refund - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/order_management.rb b/core/lib/spree/permission_sets/order_management.rb index 9b29cf7743d..72f6898b795 100644 --- a/core/lib/spree/permission_sets/order_management.rb +++ b/core/lib/spree/permission_sets/order_management.rb 
@@ -1,50 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Full permissions for order management. - # - # This permission set grants full control over all order and related resources, - # including: - # - # - Orders - # - Payments - # - Shipments - # - Adjustments - # - Line items - # - Return authorizations - # - Customer returns - # - Order cancellations - # - Reimbursements - # - Return items - # - Refunds - # - # It also allows reading reimbursement types, but not modifying them. - class OrderManagement < PermissionSets::Base - class << self - def privilege - :management - end - - def category - :order - end - end - - def activate! - can :read, Spree::ReimbursementType - can :manage, Spree::Order - can :manage, Spree::Payment - can :manage, Spree::Shipment - can :manage, Spree::Adjustment - can :manage, Spree::LineItem - can :manage, Spree::ReturnAuthorization - can :manage, Spree::CustomerReturn - can :manage, Spree::OrderCancellations - can :manage, Spree::Reimbursement - can :manage, Spree::ReturnItem - can :manage, Spree::Refund - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/product_display.rb b/core/lib/spree/permission_sets/product_display.rb index d6d281bca60..72f6898b795 100644 --- a/core/lib/spree/permission_sets/product_display.rb +++ b/core/lib/spree/permission_sets/product_display.rb 
@@ -1,43 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read-only permissions for products. - # - # This permission set allows users to view all related information about - # products, also from the admin panel, including: - # - # - Products - # - Images - # - Variants - # - Option values - # - Product properties - # - Option types - # - Properties - # - Taxonomies - # - Taxons - class ProductDisplay < PermissionSets::Base - class << self - def privilege - :display - end - - def category - :product - end - end - - def activate! - can [:read, :admin, :edit], Spree::Product - can [:read, :admin], Spree::Image - can [:read, :admin], Spree::Variant - can [:read, :admin], Spree::OptionValue - can [:read, :admin], Spree::ProductProperty - can [:read, :admin], Spree::OptionType - can [:read, :admin], Spree::Property - can [:read, :admin], Spree::Taxonomy - can [:read, :admin], Spree::Taxon - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/product_management.rb b/core/lib/spree/permission_sets/product_management.rb index c919eef3811..72f6898b795 100644 --- a/core/lib/spree/permission_sets/product_management.rb +++ b/core/lib/spree/permission_sets/product_management.rb 
@@ -1,47 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Full permissions for product management. - # - # This permission set grants full control over all product and related resources, - # including: - # - # - Products - # - Images - # - Variants - # - Option values - # - Product properties - # - Option types - # - Properties - # - Taxonomies - # - Taxons - # - Classifications - # - Prices - class ProductManagement < PermissionSets::Base - class << self - def privilege - :management - end - - def category - :product - end - end - - def activate! - can :manage, Spree::Classification - can :manage, Spree::Image - can :manage, Spree::OptionType - can :manage, Spree::OptionValue - can :manage, Spree::Price - can :manage, Spree::Product - can :manage, Spree::ProductProperty - can :manage, Spree::Property - can :manage, Spree::Taxon - can :manage, Spree::Taxonomy - can :manage, Spree::Variant - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/restricted_stock_display.rb b/core/lib/spree/permission_sets/restricted_stock_display.rb index 9bb2137f12c..72f6898b795 100644 --- a/core/lib/spree/permission_sets/restricted_stock_display.rb +++ b/core/lib/spree/permission_sets/restricted_stock_display.rb 
@@ -1,33 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read permissions for stock limited to allowed locations. - # - # This permission set allows users to view information about stock items and - # locations, both of them limited to locations they have access to. - # Permissions are also granted for the admin panel for items. - class RestrictedStockDisplay < PermissionSets::Base - class << self - def privilege - :display - end - - def category - :restricted_stock - end - end - - def activate! - can [:read, :admin], Spree::StockItem, stock_location_id: location_ids - can :read, Spree::StockLocation, id: location_ids - end - - private - - def location_ids - @ids ||= user.stock_locations.pluck(:id) - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/restricted_stock_management.rb b/core/lib/spree/permission_sets/restricted_stock_management.rb index 358f5bf9ab4..72f6898b795 100644 --- a/core/lib/spree/permission_sets/restricted_stock_management.rb +++ b/core/lib/spree/permission_sets/restricted_stock_management.rb 
@@ -1,33 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Full permissions for stock management limited to allowed locations. - # - # This permission set grants full control over all stock items a user has - # access to their locations. Those locations are also readable by the - # corresponding ability. - class RestrictedStockManagement < PermissionSets::Base - class << self - def privilege - :management - end - - def category - :restricted_stock - end - end - - def activate! - can :manage, Spree::StockItem, stock_location_id: location_ids - can :read, Spree::StockLocation, id: location_ids - end - - private - - def location_ids - @ids ||= user.stock_locations.pluck(:id) - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/stock_display.rb b/core/lib/spree/permission_sets/stock_display.rb index a7b1ae0a104..72f6898b795 100644 --- a/core/lib/spree/permission_sets/stock_display.rb +++ b/core/lib/spree/permission_sets/stock_display.rb @@ -1,26 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read-only permissions for stock. - # - # This permission set allows users to view information about stock items - # (also from the admin panel) and stock locations. - class StockDisplay < PermissionSets::Base - class << self - def privilege - :display - end - - def category - :stock - end - end - - def activate! - can [:read, :admin], Spree::StockItem - can :read, Spree::StockLocation - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/stock_management.rb b/core/lib/spree/permission_sets/stock_management.rb index c869a82d5e5..72f6898b795 100644 --- a/core/lib/spree/permission_sets/stock_management.rb 
+++ b/core/lib/spree/permission_sets/stock_management.rb @@ -1,26 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Full permissions for stock management. - # - # This permission set grants full control over all stock items and read - # access to locations. - class StockManagement < PermissionSets::Base - class << self - def privilege - :management - end - - def category - :stock - end - end - - def activate! - can :manage, Spree::StockItem - can :read, Spree::StockLocation - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/super_user.rb b/core/lib/spree/permission_sets/super_user.rb index d2f1ff7e1bb..72f6898b795 100644 --- a/core/lib/spree/permission_sets/super_user.rb +++ b/core/lib/spree/permission_sets/super_user.rb @@ -1,26 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Full permissions for store administration. - # - # This permission set is always added to users with the `:admin` role. - # - # It grants permission to perform any read or write action on any resource. - class SuperUser < PermissionSets::Base - class << self - def privilege - :other - end - - def category - :super_user - end - end - - def activate! - can :manage, :all - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/user_display.rb b/core/lib/spree/permission_sets/user_display.rb index 793b827207e..72f6898b795 100644 --- a/core/lib/spree/permission_sets/user_display.rb +++ b/core/lib/spree/permission_sets/user_display.rb 
@@ -1,27 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read-only permissions for users, roles and store credits. - # - # This permission set allows users to view all related information about - # users, roles and store credits, also from the admin panel. - class UserDisplay < PermissionSets::Base - class << self - def privilege - :display - end - - def category - :user - end - end - - def activate! - can [:read, :admin, :edit, :addresses, :orders, :items], Spree.user_class - can [:read, :admin], Spree::StoreCredit - can :read, Spree::Role - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/user_management.rb b/core/lib/spree/permission_sets/user_management.rb index 2633204069d..72f6898b795 100644 --- a/core/lib/spree/permission_sets/user_management.rb +++ b/core/lib/spree/permission_sets/user_management.rb 
@@ -1,44 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Full permissions for user management. - # - # This permission set grants full control over all user and - # related resources, including: - # - # - Users - # - Store credits - # - Roles - # - API keys - class UserManagement < PermissionSets::Base - class << self - def privilege - :management - end - - def category - :user - end - end - - def activate! - can [:admin, :read, :create, :update, :save_in_address_book, :remove_from_address_book, :addresses, :orders, :items], Spree.user_class - - # Note: This does not work with accessible_by. - # See https://github.com/solidusio/solidus/pull/1263 - can :update_email, Spree.user_class do |user| - user.spree_roles.none? - end - can :update_password, Spree.user_class do |user| - user.spree_roles.none? - end - - cannot :destroy, Spree.user_class - can :manage, Spree::StoreCredit - can :manage, :api_key - can :read, Spree::Role - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) From af449d9a815c9c19f1164dacd8908084dd1ceb4e Mon Sep 17 00:00:00 2001 From: Martin Meyerhoff Date: Thu, 23 Jan 2025 11:35:12 +0100 Subject: [PATCH 4/5] Fix Rubocop offenses --- .rubocop_todo.yml | 3 -- core/app/models/spree/permission_sets/base.rb | 1 + .../permission_sets/configuration_display.rb | 28 +++++++++---------- .../spree/permission_sets/default_customer.rb | 8 +++--- .../spree/permission_sets/user_management.rb | 2 +- 5 files changed, 20 insertions(+), 22 deletions(-) diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 68d5e497301..01036cce43f 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml 
@@ -92,7 +92,6 @@ Layout/EmptyLinesAroundAttributeAccessor: - "core/app/models/spree/stock_quantities.rb" - "core/app/models/spree/variant.rb" - "core/lib/spree/app_configuration.rb" - - "core/lib/spree/permission_sets/base.rb" - "core/lib/spree/preferences/configuration.rb" - "core/spec/lib/spree/core/validators/email_spec.rb" - "core/spec/models/spree/preferences/statically_configurable_spec.rb" @@ -145,7 +144,6 @@ Layout/MultilineOperationIndentation: Exclude: - "core/lib/spree/core/engine.rb" - "core/lib/spree/core/importer/order.rb" - - "core/lib/spree/permission_sets/default_customer.rb" - "core/lib/spree/testing_support/factories/address_factory.rb" # Offense count: 3 @@ -525,7 +523,6 @@ Style/CommentAnnotation: - "backend/app/controllers/spree/admin/products_controller.rb" - "backend/app/controllers/spree/admin/resource_controller.rb" - "core/app/models/spree/payment_method/store_credit.rb" - - "core/lib/spree/permission_sets/user_management.rb" - "core/lib/spree/testing_support/rake.rb" - "core/spec/models/spree/variant/scopes_spec.rb" diff --git a/core/app/models/spree/permission_sets/base.rb b/core/app/models/spree/permission_sets/base.rb index 586c21442e4..249f454d670 100644 --- a/core/app/models/spree/permission_sets/base.rb +++ b/core/app/models/spree/permission_sets/base.rb @@ -38,6 +38,7 @@ def self.category private attr_reader :ability + delegate :can, :cannot, :user, to: :ability end end diff --git a/core/app/models/spree/permission_sets/configuration_display.rb b/core/app/models/spree/permission_sets/configuration_display.rb index a6b2e46cabc..42f885abfa1 100644 --- a/core/app/models/spree/permission_sets/configuration_display.rb +++ b/core/app/models/spree/permission_sets/configuration_display.rb 
@@ -33,20 +33,20 @@ def category end def activate! - can [:read, :admin], Spree::TaxCategory - can [:read, :admin], Spree::TaxRate - can [:read, :admin], Spree::Zone - can [:read, :admin], Spree::Country - can [:read, :admin], Spree::State - can [:read, :admin], Spree::PaymentMethod - can [:read, :admin], Spree::Taxonomy - can [:read, :admin], Spree::ShippingMethod - can [:read, :admin], Spree::ShippingCategory - can [:read, :admin], Spree::StockLocation - can [:read, :admin], Spree::StockMovement - can [:read, :admin], Spree::RefundReason - can [:read, :admin], Spree::ReimbursementType - can [:read, :admin], Spree::ReturnReason + can [:read, :admin], Spree::TaxCategory + can [:read, :admin], Spree::TaxRate + can [:read, :admin], Spree::Zone + can [:read, :admin], Spree::Country + can [:read, :admin], Spree::State + can [:read, :admin], Spree::PaymentMethod + can [:read, :admin], Spree::Taxonomy + can [:read, :admin], Spree::ShippingMethod + can [:read, :admin], Spree::ShippingCategory + can [:read, :admin], Spree::StockLocation + can [:read, :admin], Spree::StockMovement + can [:read, :admin], Spree::RefundReason + can [:read, :admin], Spree::ReimbursementType + can [:read, :admin], Spree::ReturnReason end end end diff --git a/core/app/models/spree/permission_sets/default_customer.rb b/core/app/models/spree/permission_sets/default_customer.rb index e4d82c216cd..eb01825f4ff 100644 --- a/core/app/models/spree/permission_sets/default_customer.rb +++ b/core/app/models/spree/permission_sets/default_customer.rb 
@@ -49,10 +49,10 @@ def activate! can :create, Order do |order, token| # same user, or both nil order.user == user || - # guest checkout order - order.email.present? || - # via API, just like with show and update - (order.guest_token.present? && token == order.guest_token) + # guest checkout order + order.email.present? || + # via API, just like with show and update + (order.guest_token.present? && token == order.guest_token) end can [:show, :update], Order, Order.where(user:) do |order, token| order.user == user || (order.guest_token.present? && token == order.guest_token) diff --git a/core/app/models/spree/permission_sets/user_management.rb b/core/app/models/spree/permission_sets/user_management.rb index 2633204069d..690b2ea61b7 100644 --- a/core/app/models/spree/permission_sets/user_management.rb +++ b/core/app/models/spree/permission_sets/user_management.rb @@ -25,7 +25,7 @@ def category def activate! can [:admin, :read, :create, :update, :save_in_address_book, :remove_from_address_book, :addresses, :orders, :items], Spree.user_class - # Note: This does not work with accessible_by. + # NOTE: This does not work with accessible_by. # See https://github.com/solidusio/solidus/pull/1263 can :update_email, Spree.user_class do |user| user.spree_roles.none? From fba1c160ae06e33d4fc9f0306b52faeb5324bcd1 Mon Sep 17 00:00:00 2001 From: Martin Meyerhoff Date: Thu, 23 Jan 2025 12:58:08 +0100 Subject: [PATCH 5/5] Move default customer spec from spec/lib to spec/models We had two spec files for this functionality. --- .../permission_sets/default_customer_spec.rb | 22 ------------------- .../permission_sets/default_customer_spec.rb | 17 ++++++++++++++ 2 files changed, 17 insertions(+), 22 deletions(-) delete mode 100644 core/spec/lib/spree/permission_sets/default_customer_spec.rb diff --git a/core/spec/lib/spree/permission_sets/default_customer_spec.rb b/core/spec/lib/spree/permission_sets/default_customer_spec.rb deleted file mode 100644 index 1db965f3202..00000000000 
--- a/core/spec/lib/spree/permission_sets/default_customer_spec.rb +++ /dev/null @@ -1,22 +0,0 @@ -# frozen_string_literal: true - -require 'rails_helper' - -RSpec.describe Spree::PermissionSets::DefaultCustomer do - context 'as Guest User' do - context 'for Order' do - context 'guest_token is empty string' do - let(:ability) { Spree::Ability.new(nil) } - let(:resource) { build(:order) } - let(:token) { '' } - - it 'should not be allowed to read or update the order' do - allow(resource).to receive_messages(guest_token: '') - - expect(ability).to_not be_able_to(:show, resource, token) - expect(ability).to_not be_able_to(:show, resource, token) - end - end - end - end -end diff --git a/core/spec/models/spree/permission_sets/default_customer_spec.rb b/core/spec/models/spree/permission_sets/default_customer_spec.rb index 7d9cf4a5480..49acd1b9ebc 100644 --- a/core/spec/models/spree/permission_sets/default_customer_spec.rb +++ b/core/spec/models/spree/permission_sets/default_customer_spec.rb @@ -15,4 +15,21 @@ expect(described_class.category).to eq(:default_customer) end end + + context 'as Guest User' do + context 'for Order' do + context 'guest_token is empty string' do + let(:ability) { Spree::Ability.new(nil) } + let(:resource) { build(:order) } + let(:token) { '' } + + it 'should not be allowed to read or update the order' do + allow(resource).to receive_messages(guest_token: '') + + expect(ability).to_not be_able_to(:show, resource, token) + expect(ability).to_not be_able_to(:show, resource, token) + end + end + end + end end
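Review bot: The added example 'should not be allowed to read or update the order' asserts `:show` twice, so the update half of its description is never checked. The second expectation should be `expect(ability).to_not be_able_to(:update, resource, token)`. This matters because the example is the regression guard for an empty-string guest token against the `[:show, :update]` rule in DefaultCustomer, which relies on `order.guest_token.present?` to stop `'' == ''` from matching. The duplicate line was carried over unchanged from the deleted spec/lib file, so the move is a good moment to correct it.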