From 257441c9be4c4b384c175fa35b1459a625fe24f8 Mon Sep 17 00:00:00 2001
From: Rohan Mitchell
Date: Fri, 20 May 2016 16:26:54 +1000
Subject: [PATCH] Re-add object-level auth to Spree::Admin::ResourceController
---
.../spree/admin/resource_controller_decorator.rb | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 app/controllers/spree/admin/resource_controller_decorator.rb
diff --git a/app/controllers/spree/admin/resource_controller_decorator.rb b/app/controllers/spree/admin/resource_controller_decorator.rb
new file mode 100644
index 0000000000..cb789d7330
--- /dev/null
+++ b/app/controllers/spree/admin/resource_controller_decorator.rb
@@ -0,0 +1,16 @@
+module AuthorizeOnLoadResource
+ def load_resource
+ super
+
+ if member_action?
+ # If we don't have access, clear the object
+ unless can? action, @object
+ instance_variable_set("@#{object_name}", nil)
+ end
+
+ authorize! action, @object
+ end
+ end
+end
+
+Spree::Admin::ResourceController.send(:prepend, AuthorizeOnLoadResource)
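Review bot: In `load_resource`, a failed `can?` check clears only the named variable (`@#{object_name}`), while `@object` still holds the loaded record when `authorize!` raises, so the comment "clear the object" overstates what is cleared. Whether that matters depends on what the access-denied handler renders, which is not visible here, but anything in that path reading `@object` would still see a record the user may not access. Consider keeping a local reference with `record = @object`, setting `@object = nil` inside the `unless`, and ending with `authorize! action, record`. The guard also covers only `member_action?`, so collection actions presumably rely on the collection query being scoped to the user; a one-line comment saying so would help the next reader. The commit touches one file and adds no spec; a controller spec asserting that a user without access to a specific record is denied would pin this behaviour.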