Merge pull request #14113 from gbathree/13817-fix-guest-order-cancellation

Fix guest order cancellation redirecting to home page
2026-04-05 07:19:14 +00:00 · 2026-04-04 21:42:44 +05:00
parent ec24740c3b cc608adddc
commit e4e7ef395b
3 changed files with 28 additions and 4 deletions
--- a/app/controllers/spree/orders_controller.rb
+++ b/app/controllers/spree/orders_controller.rb
@@ -107,7 +107,7 @@ module Spree

    def cancel
      @order = Spree::Order.find_by!(number: params[:id])
-      authorize! :cancel, @order
+      authorize! :cancel, @order, session[:access_token]

      if Orders::CustomerCancellationService.new(@order).call
        flash[:success] = I18n.t(:orders_your_order_has_been_cancelled)
--- a/app/models/spree/ability.rb
+++ b/app/models/spree/ability.rb
@@ -113,7 +113,11 @@ module Spree
          item.order.changes_allowed?
      end

-      can [:cancel, :bulk_cancel], Spree::Order do |order|
+      can :cancel, Spree::Order do |order, token|
+        order.user == user || (order.token && token == order.token)
+      end
+
+      can :bulk_cancel, Spree::Order do |order|
        order.user == user
      end

--- a/spec/controllers/spree/orders_controller_spec.rb
+++ b/spec/controllers/spree/orders_controller_spec.rb
@@ -461,14 +461,34 @@ RSpec.describe Spree::OrdersController do
      end
    end

+    context "when a guest user has the order token in session" do
+      let(:order) {
+        create(:completed_order_with_totals, user: nil, email: "guest@example.com",
+                                             distributor: create(:distributor_enterprise))
+      }
+
+      before do
+        allow(controller).to receive(:spree_current_user) { nil }
+        session[:access_token] = order.token
+      end
+
+      it "cancels the order and redirects to the order page" do
+        request.env['HTTP_REFERER'] = order_path(order)
+        spree_put :cancel, params
+
+        expect(response.body).to match(order_path(order)).and match("redirect")
+        expect(flash[:success]).to eq 'Your order has been cancelled'
+      end
+    end
+
    context "when the user has permission to cancel the order" do
      before { allow(controller).to receive(:spree_current_user) { user } }

      context "when the order is not yet complete" do
        it "responds with forbidden" do
+          request.env['HTTP_REFERER'] = order_path(order)
          spree_put :cancel, params

-          expect(response).to have_http_status(:found)
          expect(response.body).to match(order_path(order)).and match("redirect")
          expect(flash[:error]).to eq 'Sorry, the order could not be cancelled'
        end
@@ -481,9 +501,9 @@ RSpec.describe Spree::OrdersController do
        }

        it "responds with success" do
+          request.env['HTTP_REFERER'] = order_path(order)
          spree_put :cancel, params

-          expect(response).to have_http_status(:found)
          expect(response.body).to match(order_path(order)).and match("redirect")
          expect(flash[:success]).to eq 'Your order has been cancelled'
        end