
Correct permission scoping in load_product method in Spree::ProductsController
commit 8261973cd4d7ff215f84bb3b717638893a881c44 1 parent 2812b0a
@radar radar authored
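--- a/core/app/controllers/spree/products_controller.rb
+++ b/core/app/controllers/spree/products_controller.rb
@@ -34,7 +34,11 @@ def accurate_title
 end
 def load_product
- @product = Product.active.find_by_permalink!(params[:id])
+ if respond_to?(:spree_current_user) && spree_current_user.has_spree_role?("admin")
+ @product = Product.find_by_permalink!(params[:id])
+ else
+ @product = Product.active.find_by_permalink!(params[:id])
+ end
 end
 end
 end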
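Review bot: In `load_product`, the new condition calls `spree_current_user.has_spree_role?("admin")` without checking that a user is present. If the auth layer defines `spree_current_user` and returns nil for a signed-out visitor (not visible on this page, so worth confirming), every anonymous product view would raise NoMethodError instead of falling through to the `Product.active` lookup. A nil-safe condition keeps the restricted path as the default: `if respond_to?(:spree_current_user) && spree_current_user.try(:has_spree_role?, "admin")`. Because `respond_to?` ignores non-public methods by default, also confirm the helper's visibility, otherwise the admin branch may never run. A comment above the branch would document the intent: `# Only admins may load products outside the active scope; all other requests stay on Product.active.`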
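--- a/core/spec/controllers/spree/products_controller_spec.rb
+++ b/core/spec/controllers/spree/products_controller_spec.rb
@@ -2,9 +2,10 @@
 describe Spree::ProductsController do
 let!(:product) { create(:product, :available_on => 1.year.from_now) }
+
 # Regression test for #1390
 it "allows admins to view non-active products" do
- controller.stub :current_user => stub(:has_role? => true)
+ controller.stub :spree_current_user => stub(:has_spree_role? => true)
 get :show, :id => product.to_param
 response.status.should == 200
 end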
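Review bot: The spec exercises only the allow path, and `stub(:has_spree_role? => true)` answers true for any role. Nothing here would fail if the controller checked the wrong role or stopped applying `Product.active` for ordinary users. A companion example using `controller.stub :spree_current_user => stub(:has_spree_role? => false)` should assert that the not-yet-available product is not served (`response.status.should_not == 200`, or whatever the project expects for a missing record). A second example should cover a signed-out visitor, where `spree_current_user` is presumably nil. The `describe` block continues past the end of this hunk.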