Add some more permissions for default and order management permission…

… set

Appraisals

@@ -1,11 +1,19 @@
 appraise "spree-3-2" do
   gem "spree", "~> 3.2.0"
+  gem "spree_auth_devise", "~> 3.2.0"
 end
 
 appraise "spree-3-3" do
   gem "spree", "~> 3.3.0"
+  gem "spree_auth_devise", "~> 3.3.0"
 end
 
 appraise "spree-3-4" do
   gem "spree", '~> 3.4.0'
+  gem 'spree_auth_devise', github: 'spree/spree_auth_devise', branch: 'master'
+end
+
+appraise 'spree-master' do
+  gem 'spree', github: 'spree/spree', branch: 'master'
+  gem 'spree_auth_devise', github: 'spree/spree_auth_devise', branch: 'master'
 end

app/models/spree/permissions_permission_set.rb

@@ -1,6 +1,6 @@
 module Spree
   class PermissionsPermissionSet < ActiveRecord::Base
     belongs_to :permission
-    belongs_to :permission_set
+    belongs_to :permission_set, touch: true
   end
 end

config/locales/en.yml

@@ -3,31 +3,31 @@
 
 en:
   spree:
-    new_role: "New Role"
-    edit_role: "Edit Role"
-    listing_roles: "Listing Roles"
-    roles: "Roles"
-    role_name: "Name"
-    role_editable: "Editable"
-    role_is_default: "Is default"
-    role_is_default_help: "Roles marked as default are applicable to all users who have no explicit roles assigned"
-    role_admin_accessible_help: "Roles marked as admin accessible indicate that the user has access to admin interface via the role"
-    permissions: "Permissions"
-    save_changes: "Save Changes"
-    new_permission: "New Permission"
-    permission_set_name: "Name"
-    permission_set_description: "Description"
-    permission_set_display_permission: "Display Permission"
-    permission_set_permissions: "Permissions"
-    permission_title: "Title"
-    permission_priority: "Priority"
-    permission_priority_help: "Set the order of permission in list, with 0 being the highest priority"
-    permission_visible: "Visible"
-    permission_visible_help: "Mark permission as publically visible to other users managing permissions"
-    select_permissions: "Select Permissions"
-    select_permission_sets: "Select Permission Sets"
-    atleast_one_permission_is_required: "Atleast One Permission Is Required"
-    atleast_one_permission_set_is_required: "Atleast One Permission Set Is Required"
-    permission_set_display_permission_help: "Set it to indicate that permission set provides permissions for display purposed only"
-    permission_set_admin_permission_required: "Ensure that the appropriate admin permission is included along with the resource permission if the user needs to access the admin interface"
+    new_role: New Role
+    edit_role: Edit Role
+    listing_roles: Listing Roles
+    roles: Roles
+    role_name: Name
+    role_editable: Editable
+    role_is_default: Is default
+    role_is_default_help: Roles marked as default are applicable to all users who have no explicit roles assigned
+    role_admin_accessible_help: Roles marked as admin accessible indicate that the user has access to admin interface via the role
+    permissions: Permissions
+    save_changes: Save Changes
+    new_permission: New Permission
+    permission_set_name: Name
+    permission_set_description: Description
+    permission_set_display_permission: Display Permission
+    permission_set_permissions: Permissions
+    permission_title: Title
+    permission_priority: Priority
+    permission_priority_help: Set the order of permission in list, with 0 being the highest priority
+    permission_visible: Visible
+    permission_visible_help: Mark permission as publically visible to other users managing permissions
+    select_permissions: Select Permissions
+    select_permission_sets: Select Permission Sets
+    atleast_one_permission_is_required: Atleast One Permission Is Required
+    atleast_one_permission_set_is_required: Atleast One Permission Set Is Required
+    permission_set_display_permission_help: Set it to indicate that permission set provides permissions for display purposed only
+    permission_set_admin_permission_required: Ensure that the appropriate admin permission is included along with the resource permission if the user needs to access the admin interface
     unable_to_access_requested_resource: "You do not have access to the requested resource at %{request_path}"

gemfiles/spree_3_4.gemfile

@@ -3,5 +3,6 @@
 source "https://rubygems.org"
 
 gem "spree", "~> 3.4.0"
+gem "spree_auth_devise", github: "spree/spree_auth_devise", branch: "master"
 
 gemspec path: "../"

gemfiles/spree_master.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "spree", github: "spree/spree", branch: "master"
+gem "spree_auth_devise", github: "spree/spree_auth_devise", branch: "master"
+
+gemspec path: "../"

lib/spree/permissions.rb

@@ -24,6 +24,14 @@ def method_missing(name, *args, &block)
 
       current_ability.can :create, Spree::Order
 
+      current_ability.can :read, Spree::Order, [] do |order, token|
+        order.user == user || (order.guest_token && token == order.guest_token)
+      end
+
+      current_ability.can :update, Spree::Order do |order, token|
+        !order.completed? && (order.user == user || order.guest_token && token == order.guest_token)
+      end
+
       current_ability.can :read, Spree::Address do |address|
         address.user == user
       end
@@ -38,7 +46,7 @@ def method_missing(name, *args, &block)
 
     define_method('can-update-spree/users') do |current_ability, user|
       current_ability.can :update, Spree.user_class
-      # The permission of cannot update role_ids was given to user so that no onw with this permission can change role of user.
+      # The permission of cannot update role_ids was given to user so that no one with this permission can change role of user.
       current_ability.cannot :update, Spree.user_class, :role_ids
     end
 
@@ -47,13 +55,21 @@ def method_missing(name, *args, &block)
       current_ability.cannot :create, Spree.user_class, :role_ids
     end
 
+    define_method('can-manage-spree/config') do |current_ability, user|
+      current_ability.can :manage, Spree::Config
+    end
+
+    define_method('can-admin-spree/config') do |current_ability, user|
+      current_ability.can :admin, Spree::Config
+    end
+
     private
       def find_action_and_subject(name)
         can, action, subject, attribute = name.to_s.split('-')
 
         if subject == 'all'
           return can.to_sym, action.to_sym, subject.to_sym, attribute.try(:to_sym)
-        elsif (subject_class = subject.classify.safe_constantize) && subject_class.respond_to?(:ancestors) && subject_class.ancestors.include?(ActiveRecord::Base)
+        elsif (subject_class = subject.classify.safe_constantize) && subject_class.respond_to?(:ancestors)
           return can.to_sym, action.to_sym, subject_class, attribute.try(:to_sym)
         else
           return can.to_sym, action.to_sym, subject, attribute.try(:to_sym)

lib/tasks/populate.rake

@@ -117,15 +117,6 @@ namespace :spree_roles do
       group
     end
 
-    def admin_controller?(controller_name)
-      return false unless controller_name
-      controller_name.include?('/admin/') && !controller_name.include?('/api/')
-    end
-
-    def permission_name(controller, action)
-      "#{ permission_prefix_from_name(action.to_sym) }-#{ controller.gsub('/admin','') }"
-    end
-
     def add_to_permission_set(permission_set, permissions)
       permissions.each do |permission|
         unless permission_set.permissions.include? permission
@@ -183,8 +174,10 @@ namespace :spree_roles do
 
       admin_general_settings_admin = make_permission('can-admin-spree/admin/general_settings', 3)
       admin_general_settings_manage = make_permission('can-manage-spree/admin/general_settings', 3)
+      spree_config_admin = make_permission('can-admin-spree/config', 3)
+      spree_config_manage = make_permission('can-manage-spree/config', 3)
 
-      add_to_permission_set(config_management, [admin_general_settings_admin, admin_general_settings_manage])
+      add_to_permission_set(config_management, [admin_general_settings_admin, admin_general_settings_manage, spree_config_admin, spree_config_manage])
 
       order_display =
         make_grouped_permission_set(
@@ -219,7 +212,10 @@ namespace :spree_roles do
       order_mgmt = make_grouped_permission_set(
         build_permission_group(
           [
+            [:admin, :read], Spree::Product,
+            [:admin, :read], Spree::Variant,
             [:admin, :read], Spree::ReimbursementType,
+            [:admin, :read, :edit, :new], Spree::User,
             [:admin, :manage], Spree::Order,
             [:admin, :manage], Spree::Payment,
             [:admin, :manage], Spree::Shipment,
@@ -229,7 +225,9 @@ namespace :spree_roles do
             [:admin, :manage], Spree::CustomerReturn,
             [:admin, :manage], Spree::Reimbursement,
             [:admin, :manage], Spree::ReturnItem,
-            [:admin, :manage], Spree::Refund
+            [:admin, :manage], Spree::Refund,
+            [:admin, :manage], Spree::StateChange,
+            [:admin, :manage], Spree::LogEntry
           ]
         ),
         "Order Management",
@@ -310,6 +308,7 @@ namespace :spree_roles do
         build_permission_group(
           [
             [:admin], Spree::Store,
+            [:manage, :admin], Spree::Stock,
             [:manage, :admin], Spree::StockItem,
             [:manage, :admin], Spree::StockLocation,
             [:admin, :manage], Spree::StockMovement,

spree_admin_roles_and_access.gemspec

@@ -14,7 +14,7 @@ Gem::Specification.new do |s|
   s.require_path = 'lib'
   s.requirements << 'none'
 
-  spree_version = '>= 3.0.0', '< 4.0.0'
+  spree_version = '>= 3.2.0', '< 4.0.0'
 
   s.add_dependency 'spree_core', spree_version
   s.add_dependency 'spree_auth_devise'