When a guest places an order and tries to cancel it from the order
confirmation page, the cancellation silently failed and redirected
to the home page. The guest was left unsure whether the order was
cancelled, and the hub received no cancellation notification.
Root cause: two missing pieces for guest (token-based) authorization:
1. The `:cancel` ability in Ability#add_shopping_abilities only checked
`order.user == user`, ignoring the guest token. The `:read` and
`:update` abilities already support `order.token && token == order.token`
as a fallback — `:cancel` now does the same.
2. The `cancel` action called `authorize! :cancel, @order` without
passing `session[:access_token]`, so even with the corrected ability
the token was never evaluated.
Fixes#13817
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Enterprise have access to the internal payment method by default.
The access is handled at the application level so we don't have to
manage database links.
It's now called as a before transition callback when the order move to
payment. We need to apply the credit at this point to account for
order fees, ie: shippment fees.
Rails renders an error when you try to supply an invalid value. Our code
is safe without an allow-list and the UX doesn't allow you to select an
invalid value.
There were a few changes needed:
* Plugins are now specified through `plugin:` config keyword.
* All plugin gems need to be specified explicitly in Gemfile since they
are no longer dependencies of plugins already specified explicitly.
* All plugin gems need to be updated in other to use the new APIs.
* One cop was renamed.
* New offenses safe to correct were corrected directly with `bundle exec
rubocop -a`.
* New offenses unsafe to correct were added to the TODO configuration
with `bundle exec rubocop --auto-gen-config --auto-gen-only-exclude
--exclude-limit 1400 --no-auto-gen-timestamp`.
TagRuleController is now a subclass of Spree::Admin::BaseController
because Admin::ResourceController did not play well with turbo_stream.
And to be honest we did not need all the functionality provided by the
ResourceController
I removed the caching of `managed_enterprises` in Permissions because
it's just a scope and calling it again is very cheap. And that makes the
method a lot easier to read now that we have a conditional here.
Accessing the managed enterprises via the user instead of a separate
scope on the Enterprise model also reduce the SQL queries. We may want
to use this method in more places. I prefer to keep the
admin-conditional in a permissions class instead of in the model.
