diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 68d5e497301..01036cce43f 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -92,7 +92,6 @@ Layout/EmptyLinesAroundAttributeAccessor: - "core/app/models/spree/stock_quantities.rb" - "core/app/models/spree/variant.rb" - "core/lib/spree/app_configuration.rb" - - "core/lib/spree/permission_sets/base.rb" - "core/lib/spree/preferences/configuration.rb" - "core/spec/lib/spree/core/validators/email_spec.rb" - "core/spec/models/spree/preferences/statically_configurable_spec.rb" @@ -145,7 +144,6 @@ Layout/MultilineOperationIndentation: Exclude: - "core/lib/spree/core/engine.rb" - "core/lib/spree/core/importer/order.rb" - - "core/lib/spree/permission_sets/default_customer.rb" - "core/lib/spree/testing_support/factories/address_factory.rb" # Offense count: 3 @@ -525,7 +523,6 @@ Style/CommentAnnotation: - "backend/app/controllers/spree/admin/products_controller.rb" - "backend/app/controllers/spree/admin/resource_controller.rb" - "core/app/models/spree/payment_method/store_credit.rb" - - "core/lib/spree/permission_sets/user_management.rb" - "core/lib/spree/testing_support/rake.rb" - "core/spec/models/spree/variant/scopes_spec.rb" diff --git a/core/app/models/spree/permission_sets/base.rb b/core/app/models/spree/permission_sets/base.rb new file mode 100644 index 00000000000..249f454d670 --- /dev/null +++ b/core/app/models/spree/permission_sets/base.rb 
@@ -0,0 +1,45 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # This is the base class used for crafting permission sets. + # + # This is used by {Spree::RoleConfiguration} when adding custom behavior to {Spree::Ability}. + # See one of the subclasses for example structure such as {Spree::PermissionSets::UserDisplay} + # + # @see Spree::RoleConfiguration + # @see Spree::PermissionSets + class Base + # @param ability [CanCan::Ability] + # The ability that will be extended with the current permission set. + # The ability passed in must respond to #user + def initialize(ability) + @ability = ability + end + + # Activate permissions on the ability. Put your can and cannot statements here. + # Must be overridden by subclasses + def activate! + raise NotImplementedError.new + end + + # Provide the permission set privilege in the form of a :symbol. + # Must be overridden by subclasses. + def self.privilege + raise NotImplementedError, "Subclass #{name} must define a privilege using `self.privilege :symbol`" + end + + # Provide the permission set category in the form of a :symbol. + # Must be overridden by subclasses. + def self.category + raise NotImplementedError, "Subclass #{name} must define a category using `self.category :symbol`" + end + + private + + attr_reader :ability + + delegate :can, :cannot, :user, to: :ability + end + end +end diff --git a/core/app/models/spree/permission_sets/configuration_display.rb b/core/app/models/spree/permission_sets/configuration_display.rb new file mode 100644 index 00000000000..42f885abfa1 --- /dev/null +++ b/core/app/models/spree/permission_sets/configuration_display.rb 
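Review bot: `activate!` raises a bare `NotImplementedError.new`, while `privilege` and `category` just below give the subclass author an actionable message; make it consistent with `raise NotImplementedError, "Subclass #{self.class.name} must define #activate!"`. Separately, `delegate :can, :cannot, :user, to: :ability` sits under `private`, but as far as I know ActiveSupport's `delegate` defines public methods regardless of the visibility section it appears in (the `private: true` option is what makes them private), so `can`/`cannot`/`user` are presumably callable from outside the permission set; if that is not intended, pass `private: true`. These lines were carried over from the old lib file rather than introduced here, so treat this as a follow-up rather than a blocker.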
@@ -0,0 +1,53 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Read-only permissions for e-commerce settings. + # + # Roles with this permission will be able to view information, also from the admin + # panel, about: + # + # - Tax categories + # - Tax rates + # - Zones + # - Countries + # - States + # - Payment methods + # - Taxonomies + # - Shipping methods + # - Shipping categories + # - Stock locations + # - Stock movements + # - Refund reasons + # - Reimbursement types + # - Return reasons + class ConfigurationDisplay < PermissionSets::Base + class << self + def privilege + :display + end + + def category + :configuration + end + end + + def activate! + can [:read, :admin], Spree::TaxCategory + can [:read, :admin], Spree::TaxRate + can [:read, :admin], Spree::Zone + can [:read, :admin], Spree::Country + can [:read, :admin], Spree::State + can [:read, :admin], Spree::PaymentMethod + can [:read, :admin], Spree::Taxonomy + can [:read, :admin], Spree::ShippingMethod + can [:read, :admin], Spree::ShippingCategory + can [:read, :admin], Spree::StockLocation + can [:read, :admin], Spree::StockMovement + can [:read, :admin], Spree::RefundReason + can [:read, :admin], Spree::ReimbursementType + can [:read, :admin], Spree::ReturnReason + end + end + end +end diff --git a/core/app/models/spree/permission_sets/configuration_management.rb b/core/app/models/spree/permission_sets/configuration_management.rb new file mode 100644 index 00000000000..56d0946d7e4 --- /dev/null +++ b/core/app/models/spree/permission_sets/configuration_management.rb 
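Review bot: The fourteen `can [:read, :admin], Spree::X` lines in `activate!` restate by hand the resource list already written in the class comment, so the two can drift apart silently when a resource is added to one but not the other. A single frozen list iterated once keeps the rules in one place, e.g. `RESOURCES = [Spree::TaxCategory, Spree::TaxRate, ...].freeze` and `RESOURCES.each { |klass| can [:read, :admin], klass }`. ConfigurationManagement in the next hunk has the same shape with `:manage` and could share that list.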
@@ -0,0 +1,52 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Read and write permissions for e-commerce settings. + # + # Roles with this permission set will have full control over: + # + # - Tax categories + # - Tax rates + # - Zones + # - Countries + # - States + # - Payment methods + # - Taxonomies + # - Shipping methods + # - Shipping categories + # - Stock locations + # - Stock movements + # - Refund reasons + # - Reimbursement types + # - Return reasons + class ConfigurationManagement < PermissionSets::Base + class << self + def privilege + :management + end + + def category + :configuration + end + end + + def activate! + can :manage, Spree::TaxCategory + can :manage, Spree::TaxRate + can :manage, Spree::Zone + can :manage, Spree::Country + can :manage, Spree::State + can :manage, Spree::PaymentMethod + can :manage, Spree::Taxonomy + can :manage, Spree::ShippingMethod + can :manage, Spree::ShippingCategory + can :manage, Spree::StockLocation + can :manage, Spree::StockMovement + can :manage, Spree::RefundReason + can :manage, Spree::ReimbursementType + can :manage, Spree::ReturnReason + end + end + end +end diff --git a/core/app/models/spree/permission_sets/dashboard_display.rb b/core/app/models/spree/permission_sets/dashboard_display.rb new file mode 100644 index 00000000000..09e43a70b31 --- /dev/null +++ b/core/app/models/spree/permission_sets/dashboard_display.rb 
@@ -0,0 +1,28 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Permissions for viewing the admin dashboard. + # + # Roles with this permission set will be able to view the admin dashboard, + # which may or not contain sensitive information depending on + # customizations. + class DashboardDisplay < PermissionSets::Base + class << self + def privilege + :other + end + + def category + :dashboard_display + end + end + + def activate! + Spree.deprecator.warn "The #{self.class.name} module is deprecated. " \ + "If you still use dashboards, please copy all controllers and views from #{self.class.name} to your application." + can [:admin, :home], :dashboards + end + end + end +end diff --git a/core/app/models/spree/permission_sets/default_customer.rb b/core/app/models/spree/permission_sets/default_customer.rb new file mode 100644 index 00000000000..eb01825f4ff --- /dev/null +++ b/core/app/models/spree/permission_sets/default_customer.rb 
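Review bot: The deprecation message in `activate!` tells the reader to copy controllers and views from `#{self.class.name}`, which interpolates `Spree::PermissionSets::DashboardDisplay`; a permission set holds neither controllers nor views, so the pointer presumably was meant to name the dashboards code itself and should be reworded to that location (not visible on this page, so use the real path rather than the class name). The warning is also emitted every time an ability that includes this set is built, not once per process, which is noisy in request logs; if that is unintended, the `Spree.deprecator.warn` call could live in the class body so it fires once on load.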
@@ -0,0 +1,83 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Permissions for e-commerce customers. + # + # This permission set is always added to the `:default` role, which in turn + # is the default role for all users without any explicit roles. + # + # Permissions include reading and updating orders when the ability's user + # has been assigned as the order's user, unless the order is already + # completed. Same is true for guest checkout orders. + # + # It grants read-only permissions for the following resources typically used + # during a checkout process: + # + # - Zones + # - Countries + # - States + # - Taxons + # - Taxonomies + # - Products + # - Properties + # - Product properties + # - Variants + # - Option types + # - Option values + # - Stock items + # - Stock locations + # + # Abilities with this role can also create refund authorizations for orders + # with the same user, as well as reading and updating the user record and + # their associated cards. + class DefaultCustomer < PermissionSets::Base + class << self + def privilege + :other + end + + def category + :default_customer + end + end + + def activate! + can :read, Country + can :read, OptionType + can :read, OptionValue + can :create, Order do |order, token| + # same user, or both nil + order.user == user || + # guest checkout order + order.email.present? || + # via API, just like with show and update + (order.guest_token.present? && token == order.guest_token) + end + can [:show, :update], Order, Order.where(user:) do |order, token| + order.user == user || (order.guest_token.present? && token == order.guest_token) + end + cannot :update, Order do |order| + order.completed? 
+ end + can :create, ReturnAuthorization do |return_authorization| + return_authorization.order.user == user + end + can [:read, :update], CreditCard, user_id: user.id + can :read, Product + can :read, ProductProperty + can :read, Property + can :create, Spree.user_class + can [:show, :update, :update_email], Spree.user_class, id: user.id + can :read, State + can :read, StockItem, stock_location: { active: true } + can :read, StockLocation, active: true + can :read, Taxon + can :read, Taxonomy + can [:save_in_address_book, :remove_from_address_book], Spree.user_class, id: user.id + can [:read, :view_out_of_stock], Variant + can :read, Zone + end + end + end +end diff --git a/core/app/models/spree/permission_sets/order_display.rb b/core/app/models/spree/permission_sets/order_display.rb new file mode 100644 index 00000000000..b72e939df0f --- /dev/null +++ b/core/app/models/spree/permission_sets/order_display.rb 
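Review bot: The model constants in `activate!` are referenced unqualified (`Country`, `Order`, `CreditCard`, `StockItem`, ...), whereas every sibling set in this commit writes `Spree::Order` and the like; inside `module Spree` lexical lookup resolves them to `Spree::*`, but qualifying them as the other files do keeps the authorization rules unambiguous and consistent. The `can :create, Order` block returns true for any order whose `email` is present, and `can [:read, :update], CreditCard, user_id: user.id` assumes the ability always carries a non-nil user (presumably a guest user object is substituted upstream); neither condition is stated in the class comment, so a line such as `# guest checkout: an order with an email may be created without a matching user` above the block, and a note on the non-nil `user` assumption, would help the next reader. This hunk starts on the previous line; the `activate!` body begins there.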
@@ -0,0 +1,50 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Read permissions for orders. + # + # This permission set allows users to view all related information about + # orders, also from the admin panel, including: + # + # - Orders + # - Payments + # - Shipments + # - Adjustments + # - Line items + # - Return authorizations + # - Customer returns + # - Order cancellations + # - Reimbursements + # - Return items + # - Refunds + # + # However, it does not allow any modifications to be made to any of these + # resources. + class OrderDisplay < PermissionSets::Base + class << self + def privilege + :display + end + + def category + :order + end + end + + def activate! + can [:read, :admin, :edit, :cart], Spree::Order + can [:read, :admin], Spree::Payment + can [:read, :admin], Spree::Shipment + can [:read, :admin], Spree::Adjustment + can [:read, :admin], Spree::LineItem + can [:read, :admin], Spree::ReturnAuthorization + can [:read, :admin], Spree::CustomerReturn + can [:read, :admin], Spree::OrderCancellations + can [:read, :admin], Spree::Reimbursement + can [:read, :admin], Spree::ReturnItem + can [:read, :admin], Spree::Refund + end + end + end +end diff --git a/core/app/models/spree/permission_sets/order_management.rb b/core/app/models/spree/permission_sets/order_management.rb new file mode 100644 index 00000000000..9b29cf7743d --- /dev/null +++ b/core/app/models/spree/permission_sets/order_management.rb 
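Review bot: The class comment says this set allows no modifications, yet `activate!` grants `:edit` and `:cart` on `Spree::Order`; as I read CanCan's default aliases, `:edit` is folded into `:update` and not the reverse, so `can :edit` only lets the admin edit page render without permitting `:update`, but that subtlety is exactly what the comment should state, e.g. `# :edit and :cart only render the admin pages; :update is deliberately not granted`. ProductDisplay (`:edit` on `Spree::Product`) and UserDisplay (`:edit` on `Spree.user_class`) further down in this commit have the same gap.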
@@ -0,0 +1,50 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Full permissions for order management. + # + # This permission set grants full control over all order and related resources, + # including: + # + # - Orders + # - Payments + # - Shipments + # - Adjustments + # - Line items + # - Return authorizations + # - Customer returns + # - Order cancellations + # - Reimbursements + # - Return items + # - Refunds + # + # It also allows reading reimbursement types, but not modifying them. + class OrderManagement < PermissionSets::Base + class << self + def privilege + :management + end + + def category + :order + end + end + + def activate! + can :read, Spree::ReimbursementType + can :manage, Spree::Order + can :manage, Spree::Payment + can :manage, Spree::Shipment + can :manage, Spree::Adjustment + can :manage, Spree::LineItem + can :manage, Spree::ReturnAuthorization + can :manage, Spree::CustomerReturn + can :manage, Spree::OrderCancellations + can :manage, Spree::Reimbursement + can :manage, Spree::ReturnItem + can :manage, Spree::Refund + end + end + end +end diff --git a/core/app/models/spree/permission_sets/product_display.rb b/core/app/models/spree/permission_sets/product_display.rb new file mode 100644 index 00000000000..d6d281bca60 --- /dev/null +++ b/core/app/models/spree/permission_sets/product_display.rb 
@@ -0,0 +1,43 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Read-only permissions for products. + # + # This permission set allows users to view all related information about + # products, also from the admin panel, including: + # + # - Products + # - Images + # - Variants + # - Option values + # - Product properties + # - Option types + # - Properties + # - Taxonomies + # - Taxons + class ProductDisplay < PermissionSets::Base + class << self + def privilege + :display + end + + def category + :product + end + end + + def activate! + can [:read, :admin, :edit], Spree::Product + can [:read, :admin], Spree::Image + can [:read, :admin], Spree::Variant + can [:read, :admin], Spree::OptionValue + can [:read, :admin], Spree::ProductProperty + can [:read, :admin], Spree::OptionType + can [:read, :admin], Spree::Property + can [:read, :admin], Spree::Taxonomy + can [:read, :admin], Spree::Taxon + end + end + end +end diff --git a/core/app/models/spree/permission_sets/product_management.rb b/core/app/models/spree/permission_sets/product_management.rb new file mode 100644 index 00000000000..c919eef3811 --- /dev/null +++ b/core/app/models/spree/permission_sets/product_management.rb 
@@ -0,0 +1,47 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Full permissions for product management. + # + # This permission set grants full control over all product and related resources, + # including: + # + # - Products + # - Images + # - Variants + # - Option values + # - Product properties + # - Option types + # - Properties + # - Taxonomies + # - Taxons + # - Classifications + # - Prices + class ProductManagement < PermissionSets::Base + class << self + def privilege + :management + end + + def category + :product + end + end + + def activate! + can :manage, Spree::Classification + can :manage, Spree::Image + can :manage, Spree::OptionType + can :manage, Spree::OptionValue + can :manage, Spree::Price + can :manage, Spree::Product + can :manage, Spree::ProductProperty + can :manage, Spree::Property + can :manage, Spree::Taxon + can :manage, Spree::Taxonomy + can :manage, Spree::Variant + end + end + end +end diff --git a/core/app/models/spree/permission_sets/restricted_stock_display.rb b/core/app/models/spree/permission_sets/restricted_stock_display.rb new file mode 100644 index 00000000000..9bb2137f12c --- /dev/null +++ b/core/app/models/spree/permission_sets/restricted_stock_display.rb 
@@ -0,0 +1,33 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Read permissions for stock limited to allowed locations. + # + # This permission set allows users to view information about stock items and + # locations, both of them limited to locations they have access to. + # Permissions are also granted for the admin panel for items. + class RestrictedStockDisplay < PermissionSets::Base + class << self + def privilege + :display + end + + def category + :restricted_stock + end + end + + def activate! + can [:read, :admin], Spree::StockItem, stock_location_id: location_ids + can :read, Spree::StockLocation, id: location_ids + end + + private + + def location_ids + @ids ||= user.stock_locations.pluck(:id) + end + end + end +end diff --git a/core/app/models/spree/permission_sets/restricted_stock_management.rb b/core/app/models/spree/permission_sets/restricted_stock_management.rb new file mode 100644 index 00000000000..358f5bf9ab4 --- /dev/null +++ b/core/app/models/spree/permission_sets/restricted_stock_management.rb @@ -0,0 +1,33 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Full permissions for stock management limited to allowed locations. + # + # This permission set grants full control over all stock items a user has + # access to their locations. Those locations are also readable by the + # corresponding ability. + class RestrictedStockManagement < PermissionSets::Base + class << self + def privilege + :management + end + + def category + :restricted_stock + end + end + + def activate! + can :manage, Spree::StockItem, stock_location_id: location_ids + can :read, Spree::StockLocation, id: location_ids + end + + private + + def location_ids + @ids ||= user.stock_locations.pluck(:id) + end + end + end +end diff --git a/core/app/models/spree/permission_sets/stock_display.rb b/core/app/models/spree/permission_sets/stock_display.rb new file mode 100644 index 00000000000..a7b1ae0a104 --- /dev/null 
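Review bot: `location_ids` memoizes into `@ids`, a name that does not match the method and invites a collision with a future instance variable; `@location_ids ||= user.stock_locations.pluck(:id)` is clearer, and since RestrictedStockManagement in the next hunk repeats the method verbatim, a small shared module for the two would keep them in step. It is also worth a comment that an empty `location_ids` yields `stock_location_id: []`, which as far as I know CanCan turns into a condition matching no rows, so a user with no assigned locations is denied rather than granted everything; that fail-closed behaviour is the important property of these two sets and deserves to be stated next to the rule.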
+++ b/core/app/models/spree/permission_sets/stock_display.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Read-only permissions for stock. + # + # This permission set allows users to view information about stock items + # (also from the admin panel) and stock locations. + class StockDisplay < PermissionSets::Base + class << self + def privilege + :display + end + + def category + :stock + end + end + + def activate! + can [:read, :admin], Spree::StockItem + can :read, Spree::StockLocation + end + end + end +end diff --git a/core/app/models/spree/permission_sets/stock_management.rb b/core/app/models/spree/permission_sets/stock_management.rb new file mode 100644 index 00000000000..c869a82d5e5 --- /dev/null +++ b/core/app/models/spree/permission_sets/stock_management.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Full permissions for stock management. + # + # This permission set grants full control over all stock items and read + # access to locations. + class StockManagement < PermissionSets::Base + class << self + def privilege + :management + end + + def category + :stock + end + end + + def activate! + can :manage, Spree::StockItem + can :read, Spree::StockLocation + end + end + end +end diff --git a/core/app/models/spree/permission_sets/super_user.rb b/core/app/models/spree/permission_sets/super_user.rb new file mode 100644 index 00000000000..d2f1ff7e1bb --- /dev/null +++ b/core/app/models/spree/permission_sets/super_user.rb 
@@ -0,0 +1,26 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Full permissions for store administration. + # + # This permission set is always added to users with the `:admin` role. + # + # It grants permission to perform any read or write action on any resource. + class SuperUser < PermissionSets::Base + class << self + def privilege + :other + end + + def category + :super_user + end + end + + def activate! + can :manage, :all + end + end + end +end diff --git a/core/app/models/spree/permission_sets/user_display.rb b/core/app/models/spree/permission_sets/user_display.rb new file mode 100644 index 00000000000..793b827207e --- /dev/null +++ b/core/app/models/spree/permission_sets/user_display.rb @@ -0,0 +1,27 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Read-only permissions for users, roles and store credits. + # + # This permission set allows users to view all related information about + # users, roles and store credits, also from the admin panel. + class UserDisplay < PermissionSets::Base + class << self + def privilege + :display + end + + def category + :user + end + end + + def activate! + can [:read, :admin, :edit, :addresses, :orders, :items], Spree.user_class + can [:read, :admin], Spree::StoreCredit + can :read, Spree::Role + end + end + end +end diff --git a/core/app/models/spree/permission_sets/user_management.rb b/core/app/models/spree/permission_sets/user_management.rb new file mode 100644 index 00000000000..690b2ea61b7 --- /dev/null +++ b/core/app/models/spree/permission_sets/user_management.rb 
@@ -0,0 +1,44 @@ +# frozen_string_literal: true + +module Spree + module PermissionSets + # Full permissions for user management. + # + # This permission set grants full control over all user and + # related resources, including: + # + # - Users + # - Store credits + # - Roles + # - API keys + class UserManagement < PermissionSets::Base + class << self + def privilege + :management + end + + def category + :user + end + end + + def activate! + can [:admin, :read, :create, :update, :save_in_address_book, :remove_from_address_book, :addresses, :orders, :items], Spree.user_class + + # NOTE: This does not work with accessible_by. + # See https://github.com/solidusio/solidus/pull/1263 + can :update_email, Spree.user_class do |user| + user.spree_roles.none? + end + can :update_password, Spree.user_class do |user| + user.spree_roles.none? + end + + cannot :destroy, Spree.user_class + can :manage, Spree::StoreCredit + can :manage, :api_key + can :read, Spree::Role + end + end + end +end diff --git a/core/lib/spree/core.rb b/core/lib/spree/core.rb index d91060dd373..7cdf11a3c88 100644 --- a/core/lib/spree/core.rb +++ b/core/lib/spree/core.rb @@ -115,7 +115,6 @@ class GatewayError < RuntimeError; end require 'spree/core/stock_configuration' require 'spree/core/null_promotion_configuration' require 'spree/core/validators/email' -require 'spree/permission_sets' require 'spree/user_class_handle' require 'spree/preferences/store' diff --git a/core/lib/spree/permission_sets.rb b/core/lib/spree/permission_sets.rb index 8c4d80f7fb8..72f6898b795 100644 --- a/core/lib/spree/permission_sets.rb +++ b/core/lib/spree/permission_sets.rb 
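Review bot: In the `can :update_email` and `can :update_password` blocks the block parameter is named `user`, which shadows the `user` method delegated from the ability (the acting user); inside the block `user` is the record being authorized, and confusing the two in authorization code is an easy mistake, so rename the parameter, `can :update_email, Spree.user_class do |target_user| target_user.spree_roles.none? end`, and likewise for `update_password`. The NOTE above them explains the `accessible_by` limitation but not the intent — that email and password changes are limited to role-less users while plain `:update` is not — and a one-line comment saying so would stop the next reader from treating the asymmetry as an oversight.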
@@ -1,18 +1,7 @@ # frozen_string_literal: true -require 'spree/permission_sets/base' -require 'spree/permission_sets/configuration_display' -require 'spree/permission_sets/configuration_management' -require 'spree/permission_sets/dashboard_display' -require 'spree/permission_sets/default_customer' -require 'spree/permission_sets/order_display' -require 'spree/permission_sets/order_management' -require 'spree/permission_sets/product_display' -require 'spree/permission_sets/product_management' -require 'spree/permission_sets/restricted_stock_display' -require 'spree/permission_sets/restricted_stock_management' -require 'spree/permission_sets/stock_display' -require 'spree/permission_sets/stock_management' -require 'spree/permission_sets/super_user' -require 'spree/permission_sets/user_display' -require 'spree/permission_sets/user_management' +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/base.rb b/core/lib/spree/permission_sets/base.rb index 586c21442e4..72f6898b795 100644 --- a/core/lib/spree/permission_sets/base.rb +++ b/core/lib/spree/permission_sets/base.rb 
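Review bot: The deprecation message says the file no longer needs to be required but not what replaces it, so a host application that did `require 'spree/permission_sets'` cannot tell from the warning where `Spree::PermissionSets` now lives; name the replacement, e.g. `The file "#{__FILE__}" is deprecated and empty; Spree::PermissionSets and its subclasses are now autoloaded from app/models, remove the require.` The shim also calls `Spree.deprecator` at require time, so if it is loaded before `spree/core` has defined that method the result is a NoMethodError rather than a warning — worth confirming against how these files used to be loaded. The identical shim is repeated for every per-class file in the hunks that follow (base.rb through product_display.rb), so whatever wording is chosen should be applied to all of them.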
@@ -1,44 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # This is the base class used for crafting permission sets. - # - # This is used by {Spree::RoleConfiguration} when adding custom behavior to {Spree::Ability}. - # See one of the subclasses for example structure such as {Spree::PermissionSets::UserDisplay} - # - # @see Spree::RoleConfiguration - # @see Spree::PermissionSets - class Base - # @param ability [CanCan::Ability] - # The ability that will be extended with the current permission set. - # The ability passed in must respond to #user - def initialize(ability) - @ability = ability - end - - # Activate permissions on the ability. Put your can and cannot statements here. - # Must be overridden by subclasses - def activate! - raise NotImplementedError.new - end - - # Provide the permission set privilege in the form of a :symbol. - # Must be overridden by subclasses. - def self.privilege - raise NotImplementedError, "Subclass #{name} must define a privilege using `self.privilege :symbol`" - end - - # Provide the permission set category in the form of a :symbol. - # Must be overridden by subclasses. - def self.category - raise NotImplementedError, "Subclass #{name} must define a category using `self.category :symbol`" - end - - private - - attr_reader :ability - delegate :can, :cannot, :user, to: :ability - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/configuration_display.rb b/core/lib/spree/permission_sets/configuration_display.rb index a6b2e46cabc..72f6898b795 100644 --- a/core/lib/spree/permission_sets/configuration_display.rb +++ b/core/lib/spree/permission_sets/configuration_display.rb 
@@ -1,53 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read-only permissions for e-commerce settings. - # - # Roles with this permission will be able to view information, also from the admin - # panel, about: - # - # - Tax categories - # - Tax rates - # - Zones - # - Countries - # - States - # - Payment methods - # - Taxonomies - # - Shipping methods - # - Shipping categories - # - Stock locations - # - Stock movements - # - Refund reasons - # - Reimbursement types - # - Return reasons - class ConfigurationDisplay < PermissionSets::Base - class << self - def privilege - :display - end - - def category - :configuration - end - end - - def activate! - can [:read, :admin], Spree::TaxCategory - can [:read, :admin], Spree::TaxRate - can [:read, :admin], Spree::Zone - can [:read, :admin], Spree::Country - can [:read, :admin], Spree::State - can [:read, :admin], Spree::PaymentMethod - can [:read, :admin], Spree::Taxonomy - can [:read, :admin], Spree::ShippingMethod - can [:read, :admin], Spree::ShippingCategory - can [:read, :admin], Spree::StockLocation - can [:read, :admin], Spree::StockMovement - can [:read, :admin], Spree::RefundReason - can [:read, :admin], Spree::ReimbursementType - can [:read, :admin], Spree::ReturnReason - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/configuration_management.rb b/core/lib/spree/permission_sets/configuration_management.rb index 56d0946d7e4..72f6898b795 100644 --- a/core/lib/spree/permission_sets/configuration_management.rb +++ b/core/lib/spree/permission_sets/configuration_management.rb 
@@ -1,52 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read and write permissions for e-commerce settings. - # - # Roles with this permission set will have full control over: - # - # - Tax categories - # - Tax rates - # - Zones - # - Countries - # - States - # - Payment methods - # - Taxonomies - # - Shipping methods - # - Shipping categories - # - Stock locations - # - Stock movements - # - Refund reasons - # - Reimbursement types - # - Return reasons - class ConfigurationManagement < PermissionSets::Base - class << self - def privilege - :management - end - - def category - :configuration - end - end - - def activate! - can :manage, Spree::TaxCategory - can :manage, Spree::TaxRate - can :manage, Spree::Zone - can :manage, Spree::Country - can :manage, Spree::State - can :manage, Spree::PaymentMethod - can :manage, Spree::Taxonomy - can :manage, Spree::ShippingMethod - can :manage, Spree::ShippingCategory - can :manage, Spree::StockLocation - can :manage, Spree::StockMovement - can :manage, Spree::RefundReason - can :manage, Spree::ReimbursementType - can :manage, Spree::ReturnReason - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/dashboard_display.rb b/core/lib/spree/permission_sets/dashboard_display.rb index 09e43a70b31..72f6898b795 100644 --- a/core/lib/spree/permission_sets/dashboard_display.rb +++ b/core/lib/spree/permission_sets/dashboard_display.rb 
@@ -1,28 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Permissions for viewing the admin dashboard. - # - # Roles with this permission set will be able to view the admin dashboard, - # which may or not contain sensitive information depending on - # customizations. - class DashboardDisplay < PermissionSets::Base - class << self - def privilege - :other - end - - def category - :dashboard_display - end - end - - def activate! - Spree.deprecator.warn "The #{self.class.name} module is deprecated. " \ - "If you still use dashboards, please copy all controllers and views from #{self.class.name} to your application." - can [:admin, :home], :dashboards - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/default_customer.rb b/core/lib/spree/permission_sets/default_customer.rb index e4d82c216cd..72f6898b795 100644 --- a/core/lib/spree/permission_sets/default_customer.rb +++ b/core/lib/spree/permission_sets/default_customer.rb 
@@ -1,83 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Permissions for e-commerce customers. - # - # This permission set is always added to the `:default` role, which in turn - # is the default role for all users without any explicit roles. - # - # Permissions include reading and updating orders when the ability's user - # has been assigned as the order's user, unless the order is already - # completed. Same is true for guest checkout orders. - # - # It grants read-only permissions for the following resources typically used - # during a checkout process: - # - # - Zones - # - Countries - # - States - # - Taxons - # - Taxonomies - # - Products - # - Properties - # - Product properties - # - Variants - # - Option types - # - Option values - # - Stock items - # - Stock locations - # - # Abilities with this role can also create refund authorizations for orders - # with the same user, as well as reading and updating the user record and - # their associated cards. - class DefaultCustomer < PermissionSets::Base - class << self - def privilege - :other - end - - def category - :default_customer - end - end - - def activate! - can :read, Country - can :read, OptionType - can :read, OptionValue - can :create, Order do |order, token| - # same user, or both nil - order.user == user || - # guest checkout order - order.email.present? || - # via API, just like with show and update - (order.guest_token.present? && token == order.guest_token) - end - can [:show, :update], Order, Order.where(user:) do |order, token| - order.user == user || (order.guest_token.present? && token == order.guest_token) - end - cannot :update, Order do |order| - order.completed? 
- end - can :create, ReturnAuthorization do |return_authorization| - return_authorization.order.user == user - end - can [:read, :update], CreditCard, user_id: user.id - can :read, Product - can :read, ProductProperty - can :read, Property - can :create, Spree.user_class - can [:show, :update, :update_email], Spree.user_class, id: user.id - can :read, State - can :read, StockItem, stock_location: { active: true } - can :read, StockLocation, active: true - can :read, Taxon - can :read, Taxonomy - can [:save_in_address_book, :remove_from_address_book], Spree.user_class, id: user.id - can [:read, :view_out_of_stock], Variant - can :read, Zone - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/order_display.rb b/core/lib/spree/permission_sets/order_display.rb index b72e939df0f..72f6898b795 100644 --- a/core/lib/spree/permission_sets/order_display.rb +++ b/core/lib/spree/permission_sets/order_display.rb 
@@ -1,50 +1,7 @@ # frozen_string_literal: true -module Spree - module PermissionSets - # Read permissions for orders. - # - # This permission set allows users to view all related information about - # orders, also from the admin panel, including: - # - # - Orders - # - Payments - # - Shipments - # - Adjustments - # - Line items - # - Return authorizations - # - Customer returns - # - Order cancellations - # - Reimbursements - # - Return items - # - Refunds - # - # However, it does not allow any modifications to be made to any of these - # resources. - class OrderDisplay < PermissionSets::Base - class << self - def privilege - :display - end - - def category - :order - end - end - - def activate! - can [:read, :admin, :edit, :cart], Spree::Order - can [:read, :admin], Spree::Payment - can [:read, :admin], Spree::Shipment - can [:read, :admin], Spree::Adjustment - can [:read, :admin], Spree::LineItem - can [:read, :admin], Spree::ReturnAuthorization - can [:read, :admin], Spree::CustomerReturn - can [:read, :admin], Spree::OrderCancellations - can [:read, :admin], Spree::Reimbursement - can [:read, :admin], Spree::ReturnItem - can [:read, :admin], Spree::Refund - end - end - end -end +Spree.deprecator.warn( + <<~MSG + The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded. + MSG +) diff --git a/core/lib/spree/permission_sets/order_management.rb b/core/lib/spree/permission_sets/order_management.rb index 9b29cf7743d..72f6898b795 100644 --- a/core/lib/spree/permission_sets/order_management.rb +++ b/core/lib/spree/permission_sets/order_management.rb 
@@ -1,50 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Full permissions for order management.
- #
- # This permission set grants full control over all order and related resources,
- # including:
- #
- # - Orders
- # - Payments
- # - Shipments
- # - Adjustments
- # - Line items
- # - Return authorizations
- # - Customer returns
- # - Order cancellations
- # - Reimbursements
- # - Return items
- # - Refunds
- #
- # It also allows reading reimbursement types, but not modifying them.
- class OrderManagement < PermissionSets::Base
- class << self
- def privilege
- :management
- end
-
- def category
- :order
- end
- end
-
- def activate!
- can :read, Spree::ReimbursementType
- can :manage, Spree::Order
- can :manage, Spree::Payment
- can :manage, Spree::Shipment
- can :manage, Spree::Adjustment
- can :manage, Spree::LineItem
- can :manage, Spree::ReturnAuthorization
- can :manage, Spree::CustomerReturn
- can :manage, Spree::OrderCancellations
- can :manage, Spree::Reimbursement
- can :manage, Spree::ReturnItem
- can :manage, Spree::Refund
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/lib/spree/permission_sets/product_display.rb b/core/lib/spree/permission_sets/product_display.rb
index d6d281bca60..72f6898b795 100644
--- a/core/lib/spree/permission_sets/product_display.rb
+++ b/core/lib/spree/permission_sets/product_display.rb
@@ -1,43 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Read-only permissions for products.
- #
- # This permission set allows users to view all related information about
- # products, also from the admin panel, including:
- #
- # - Products
- # - Images
- # - Variants
- # - Option values
- # - Product properties
- # - Option types
- # - Properties
- # - Taxonomies
- # - Taxons
- class ProductDisplay < PermissionSets::Base
- class << self
- def privilege
- :display
- end
-
- def category
- :product
- end
- end
-
- def activate!
- can [:read, :admin, :edit], Spree::Product
- can [:read, :admin], Spree::Image
- can [:read, :admin], Spree::Variant
- can [:read, :admin], Spree::OptionValue
- can [:read, :admin], Spree::ProductProperty
- can [:read, :admin], Spree::OptionType
- can [:read, :admin], Spree::Property
- can [:read, :admin], Spree::Taxonomy
- can [:read, :admin], Spree::Taxon
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/lib/spree/permission_sets/product_management.rb b/core/lib/spree/permission_sets/product_management.rb
index c919eef3811..72f6898b795 100644
--- a/core/lib/spree/permission_sets/product_management.rb
+++ b/core/lib/spree/permission_sets/product_management.rb
@@ -1,47 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Full permissions for product management.
- #
- # This permission set grants full control over all product and related resources,
- # including:
- #
- # - Products
- # - Images
- # - Variants
- # - Option values
- # - Product properties
- # - Option types
- # - Properties
- # - Taxonomies
- # - Taxons
- # - Classifications
- # - Prices
- class ProductManagement < PermissionSets::Base
- class << self
- def privilege
- :management
- end
-
- def category
- :product
- end
- end
-
- def activate!
- can :manage, Spree::Classification
- can :manage, Spree::Image
- can :manage, Spree::OptionType
- can :manage, Spree::OptionValue
- can :manage, Spree::Price
- can :manage, Spree::Product
- can :manage, Spree::ProductProperty
- can :manage, Spree::Property
- can :manage, Spree::Taxon
- can :manage, Spree::Taxonomy
- can :manage, Spree::Variant
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/lib/spree/permission_sets/restricted_stock_display.rb b/core/lib/spree/permission_sets/restricted_stock_display.rb
index 9bb2137f12c..72f6898b795 100644
--- a/core/lib/spree/permission_sets/restricted_stock_display.rb
+++ b/core/lib/spree/permission_sets/restricted_stock_display.rb
@@ -1,33 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Read permissions for stock limited to allowed locations.
- #
- # This permission set allows users to view information about stock items and
- # locations, both of them limited to locations they have access to.
- # Permissions are also granted for the admin panel for items.
- class RestrictedStockDisplay < PermissionSets::Base
- class << self
- def privilege
- :display
- end
-
- def category
- :restricted_stock
- end
- end
-
- def activate!
- can [:read, :admin], Spree::StockItem, stock_location_id: location_ids
- can :read, Spree::StockLocation, id: location_ids
- end
-
- private
-
- def location_ids
- @ids ||= user.stock_locations.pluck(:id)
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/lib/spree/permission_sets/restricted_stock_management.rb b/core/lib/spree/permission_sets/restricted_stock_management.rb
index 358f5bf9ab4..72f6898b795 100644
--- a/core/lib/spree/permission_sets/restricted_stock_management.rb
+++ b/core/lib/spree/permission_sets/restricted_stock_management.rb
@@ -1,33 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Full permissions for stock management limited to allowed locations.
- #
- # This permission set grants full control over all stock items a user has
- # access to their locations. Those locations are also readable by the
- # corresponding ability.
- class RestrictedStockManagement < PermissionSets::Base
- class << self
- def privilege
- :management
- end
-
- def category
- :restricted_stock
- end
- end
-
- def activate!
- can :manage, Spree::StockItem, stock_location_id: location_ids
- can :read, Spree::StockLocation, id: location_ids
- end
-
- private
-
- def location_ids
- @ids ||= user.stock_locations.pluck(:id)
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/lib/spree/permission_sets/stock_display.rb b/core/lib/spree/permission_sets/stock_display.rb
index a7b1ae0a104..72f6898b795 100644
--- a/core/lib/spree/permission_sets/stock_display.rb
+++ b/core/lib/spree/permission_sets/stock_display.rb
@@ -1,26 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Read-only permissions for stock.
- #
- # This permission set allows users to view information about stock items
- # (also from the admin panel) and stock locations.
- class StockDisplay < PermissionSets::Base
- class << self
- def privilege
- :display
- end
-
- def category
- :stock
- end
- end
-
- def activate!
- can [:read, :admin], Spree::StockItem
- can :read, Spree::StockLocation
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/lib/spree/permission_sets/stock_management.rb b/core/lib/spree/permission_sets/stock_management.rb
index c869a82d5e5..72f6898b795 100644
--- a/core/lib/spree/permission_sets/stock_management.rb
+++ b/core/lib/spree/permission_sets/stock_management.rb
@@ -1,26 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Full permissions for stock management.
- #
- # This permission set grants full control over all stock items and read
- # access to locations.
- class StockManagement < PermissionSets::Base
- class << self
- def privilege
- :management
- end
-
- def category
- :stock
- end
- end
-
- def activate!
- can :manage, Spree::StockItem
- can :read, Spree::StockLocation
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/lib/spree/permission_sets/super_user.rb b/core/lib/spree/permission_sets/super_user.rb
index d2f1ff7e1bb..72f6898b795 100644
--- a/core/lib/spree/permission_sets/super_user.rb
+++ b/core/lib/spree/permission_sets/super_user.rb
@@ -1,26 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Full permissions for store administration.
- #
- # This permission set is always added to users with the `:admin` role.
- #
- # It grants permission to perform any read or write action on any resource.
- class SuperUser < PermissionSets::Base
- class << self
- def privilege
- :other
- end
-
- def category
- :super_user
- end
- end
-
- def activate!
- can :manage, :all
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/lib/spree/permission_sets/user_display.rb b/core/lib/spree/permission_sets/user_display.rb
index 793b827207e..72f6898b795 100644
--- a/core/lib/spree/permission_sets/user_display.rb
+++ b/core/lib/spree/permission_sets/user_display.rb
@@ -1,27 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Read-only permissions for users, roles and store credits.
- #
- # This permission set allows users to view all related information about
- # users, roles and store credits, also from the admin panel.
- class UserDisplay < PermissionSets::Base
- class << self
- def privilege
- :display
- end
-
- def category
- :user
- end
- end
-
- def activate!
- can [:read, :admin, :edit, :addresses, :orders, :items], Spree.user_class
- can [:read, :admin], Spree::StoreCredit
- can :read, Spree::Role
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/lib/spree/permission_sets/user_management.rb b/core/lib/spree/permission_sets/user_management.rb
index 2633204069d..72f6898b795 100644
--- a/core/lib/spree/permission_sets/user_management.rb
+++ b/core/lib/spree/permission_sets/user_management.rb
@@ -1,44 +1,7 @@
 # frozen_string_literal: true
-module Spree
- module PermissionSets
- # Full permissions for user management.
- #
- # This permission set grants full control over all user and
- # related resources, including:
- #
- # - Users
- # - Store credits
- # - Roles
- # - API keys
- class UserManagement < PermissionSets::Base
- class << self
- def privilege
- :management
- end
-
- def category
- :user
- end
- end
-
- def activate!
- can [:admin, :read, :create, :update, :save_in_address_book, :remove_from_address_book, :addresses, :orders, :items], Spree.user_class
-
- # Note: This does not work with accessible_by.
- # See https://github.com/solidusio/solidus/pull/1263
- can :update_email, Spree.user_class do |user|
- user.spree_roles.none?
- end
- can :update_password, Spree.user_class do |user|
- user.spree_roles.none?
- end
-
- cannot :destroy, Spree.user_class
- can :manage, Spree::StoreCredit
- can :manage, :api_key
- can :read, Spree::Role
- end
- end
- end
-end
+Spree.deprecator.warn(
+ <<~MSG
+ The file "#{__FILE__}" does not need to be `require`d any longer, it is now autoloaded.
+ MSG
+)
diff --git a/core/spec/lib/spree/permission_sets/default_customer_spec.rb b/core/spec/lib/spree/permission_sets/default_customer_spec.rb
deleted file mode 100644
index 1db965f3202..00000000000
--- a/core/spec/lib/spree/permission_sets/default_customer_spec.rb
+++ /dev/null
@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-require 'rails_helper'
-
-RSpec.describe Spree::PermissionSets::DefaultCustomer do
- context 'as Guest User' do
- context 'for Order' do
- context 'guest_token is empty string' do
- let(:ability) { Spree::Ability.new(nil) }
- let(:resource) { build(:order) }
- let(:token) { '' }
-
- it 'should not be allowed to read or update the order' do
- allow(resource).to receive_messages(guest_token: '')
-
- expect(ability).to_not be_able_to(:show, resource, token)
- expect(ability).to_not be_able_to(:show, resource, token)
- end
- end
- end
- end
-end
diff --git a/core/spec/models/spree/permission_sets/default_customer_spec.rb b/core/spec/models/spree/permission_sets/default_customer_spec.rb
index 7d9cf4a5480..49acd1b9ebc 100644
--- a/core/spec/models/spree/permission_sets/default_customer_spec.rb
+++ b/core/spec/models/spree/permission_sets/default_customer_spec.rb
@@ -15,4 +15,21 @@
 expect(described_class.category).to eq(:default_customer)
 end
 end
+
+ context 'as Guest User' do
+ context 'for Order' do
+ context 'guest_token is empty string' do
+ let(:ability) { Spree::Ability.new(nil) }
+ let(:resource) { build(:order) }
+ let(:token) { '' }
+
+ it 'should not be allowed to read or update the order' do
+ allow(resource).to receive_messages(guest_token: '')
+
+ expect(ability).to_not be_able_to(:show, resource, token)
+ expect(ability).to_not be_able_to(:show, resource, token)
+ end
+ end
+ end
+ end
 end
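Review bot: The two expectations added to the 'should not be allowed to read or update the order' example are identical, both asserting against `:show`, so the update path the example name promises is never exercised and a regression that let a guest with an empty token update an order would still pass this spec. The second line should become `expect(ability).to_not be_able_to(:update, resource, token)`. This duplication is carried over verbatim from the lib spec deleted in the previous hunk, so it is pre-existing, but moving the example is the natural moment to correct it.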