Finish up subscriptions permissions for users / groups. Close #74.

app/models/ability.rb

@@ -104,7 +104,11 @@ def user_abilities(user)
 
     #Subscriptions
     #Only the owning group or user can manage screen subscriptions
-    can :manage, Subscription, :screen => { :owner_id => user.id}
+    can :manage, Subscription, :screen => { :owner_id => user.id, :owner_type => 'User'}
+    can :manage, Subscription do |subscription|
+      screen = subscription.screen
+      screen.owner.is_a?(Group) && screen.owner.leaders.include?(user)
+    end
 
     # Users can read group screens
     can :read, Screen do |screen|

test/unit/abilities/user/subscription_test.rb

@@ -0,0 +1,41 @@
+require 'test_helper'
+
+class UserSubscriptionAbilityTest < ActiveSupport::TestCase
+  def setup
+    @katie = users(:katie)
+    @kristen = users(:kristen)
+    @feed = feeds(:service)
+    @kt_screen = screens(:one)
+    @wtg_screen = screens(:two)
+    @subscription = Subscription.new(:feed => @feed)
+  end
+
+  test "Screen user owner all access" do
+    abilities = [:update, :delete, :read]
+    ability = Ability.new(@katie)
+    @subscription.screen = @kt_screen
+    abilities.each do |action|
+      assert ability.can?(action, @subscription)
+    end
+
+    ability = Ability.new(@kristen)
+    abilities.each do |action|
+      assert ability.cannot?(action, @subscription)
+    end
+  end
+
+  test "Screen group owner all access" do
+    abilities = [:update, :delete, :read]
+    ability = Ability.new(@katie)
+    @subscription.screen = @wtg_screen
+    abilities.each do |action|
+      assert ability.can?(action, @subscription)
+    end
+
+    ability = Ability.new(@kristen)
+    abilities.each do |action|
+      assert ability.cannot?(action, @subscription)
+    end
+  end
+end
+