mirror of
https://github.com/openfoodfoundation/openfoodnetwork
synced 2026-04-06 07:29:16 +00:00
Fix guest order cancellation redirecting to home page
When a guest places an order and tries to cancel it from the order confirmation page, the cancellation silently failed and redirected to the home page. The guest was left unsure whether the order was cancelled, and the hub received no cancellation notification.

Root cause: two missing pieces for guest (token-based) authorization:

1. The `:cancel` ability in Ability#add_shopping_abilities only checked `order.user == user`, ignoring the guest token. The `:read` and `:update` abilities already support `order.token && token == order.token` as a fallback — `:cancel` now does the same.

2. The `cancel` action called `authorize! :cancel, @order` without passing `session[:access_token]`, so even with the corrected ability the token was never evaluated.

Fixes #13817

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -107,7 +107,7 @@ module Spree
|
||||
|
||||
def cancel
|
||||
@order = Spree::Order.find_by!(number: params[:id])
|
||||
authorize! :cancel, @order
|
||||
authorize! :cancel, @order, session[:access_token]
|
||||
|
||||
if Orders::CustomerCancellationService.new(@order).call
|
||||
flash[:success] = I18n.t(:orders_your_order_has_been_cancelled)
|
||||
|
||||
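Review bot: The new `authorize! :cancel, @order, session[:access_token]` call in `cancel` makes the session token the only check between a guest and an order looked up by `params[:id]`, and no spec covering that path is visible here. I would add a request spec with three cases: a guest whose session token matches the order (order cancelled, success flash shown), a guest with a missing or wrong token (authorization denied, order state unchanged), and a logged-in user who does not own the order. The missing-token case deserves an explicit assertion, because the `order.token && token == order.token` guard described in the commit message is what prevents a nil session token from matching an order that has no token. It would also help to have the `Ability` change from point 1 of the message reviewed alongside this line, since this hunk only passes the token and does not show how it is evaluated.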