raggedstaff/openfoodnetwork
1
0
Fork 0
mirror of https://github.com/openfoodfoundation/openfoodnetwork synced 2026-04-06 07:29:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c72976b1e22e4b91a67df6f5ea4db7870e2da97e
openfoodnetwork/app/models
History
Greg Austic c72976b1e2 Fix guest order cancellation redirecting to home page 
When a guest places an order and tries to cancel it from the order
confirmation page, the cancellation silently failed and redirected
to the home page. The guest was left unsure whether the order was
cancelled, and the hub received no cancellation notification.

Root cause: two missing pieces for guest (token-based) authorization:

1. The `:cancel` ability in Ability#add_shopping_abilities only checked
   `order.user == user`, ignoring the guest token. The `:read` and
   `:update` abilities already support `order.token && token == order.token`
   as a fallback — `:cancel` now does the same.

2. The `cancel` action called `authorize! :cancel, @order` without
   passing `session[:access_token]`, so even with the corrected ability
   the token was never evaluated.

Fixes #13817

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-27 09:05:47 -04:00
..
calculator
Replace Bugsnag calls with Alert.raise
2024-11-21 15:58:55 +11:00
concerns
Merge pull request #13746 from rioug/security-255-code-injection
2025-11-24 12:01:44 +11:00
connected_apps
Add encryption for ConnectedApps::Vine#data
2024-10-07 15:09:58 +11:00
invoice
Use display_name and display_description for payment method
2026-03-10 16:07:42 +11:00
preference_sections
Use rubocop auto correct to add frozen string literal to all files
2021-06-17 23:07:26 +01:00
product_import
Allow managing inventory and variant tag at the same time
2025-12-12 12:38:22 +11:00
spree
Fix guest order cancellation redirecting to home page
2026-03-27 09:05:47 -04:00
tag_rule
Add tag rule to filter by variant
2025-11-03 14:25:05 +11:00
vouchers
Fix unique validator for vouche code
2024-11-28 13:35:01 +01:00
.gitkeep
adjustment_metadata.rb
Remove now superfluous belongs_to default declaration
2023-08-11 10:14:47 +10:00
application_record.rb
Add a new cloud storage configuration for s3-compatible alternatives
2026-01-08 13:08:09 +00:00
column_preference.rb
11200: rename products scope
2024-09-11 11:54:38 +05:00
connected_app.rb
Add Vine connected app
2024-09-24 10:43:55 +10:00
content_configuration.rb
Fixes Rubocop HeredocDelimiterNaming offense
2025-04-28 09:47:55 +02:00
coordinator_fee.rb
Remove now superfluous belongs_to default declaration
2023-08-11 10:14:47 +10:00
current_config.rb
Wrap commonly-repeated calls to Spree::Config to reduce unnecessary cache reads
2024-03-26 13:39:16 +00:00
custom_tab.rb
Remove redundant HTML sanitisation
2024-10-24 08:47:11 +11:00
customer_account_transaction.rb
Remove payment method from customer account transaction
2026-03-10 16:07:43 +11:00
customer.rb
Add CustomerAccountTransactions::DataLoaderService
2026-03-10 16:07:41 +11:00
dfc_permission.rb
Add DfcPermission model to persist granted scopes
2025-08-08 14:00:38 +10:00
distributor_payment_method.rb
Remove now superfluous belongs_to default declaration
2023-08-11 10:14:47 +10:00
distributor_shipping_method.rb
Remove now superfluous belongs_to default declaration
2023-08-11 10:14:47 +10:00
enterprise_fee_adjustments.rb
Refactor total method to use sum instead of reduce
2024-01-29 14:12:28 +11:00
enterprise_fee.rb
Refactor EnterpriseFee.clear_all_adjustments
2025-04-01 13:46:34 +11:00
enterprise_group.rb
Upgraded gem active_storage_validations from 1.1.2 to 3.0.2 and fixed any upgrade related issues
2025-12-08 22:12:01 +05:30
enterprise_relationship_permission.rb
Remove now superfluous belongs_to default declaration
2023-08-11 10:14:47 +10:00
enterprise_relationship.rb
Fix EnterpriseRelationship
2024-07-03 10:17:49 +10:00
enterprise_role.rb
Remove now superfluous belongs_to default declaration
2023-08-11 10:14:47 +10:00
enterprise.rb
Remove the link between enterprise and internal payment method
2026-03-10 16:07:43 +11:00
exchange_fee.rb
Declare old belongs_to default on remaining models
2023-08-11 10:14:43 +10:00
exchange_variant.rb
Fix Style/HashSyntax
2023-09-12 23:19:05 +09:00
exchange.rb
Replace has_spree_role? with simpler admin?
2024-12-19 09:19:01 +11:00
inventory_item.rb
Fix RedundantPresenceValidationOnBelongs on some files
2024-04-22 17:36:47 +02:00
invoice.rb
Fix Rails 7.2 serialize deprecation warnings
2026-02-19 21:55:13 +00:00
oidc_account.rb
Comment on rare upsert usage
2024-02-22 10:15:07 +11:00
order_balance.rb
Per review, small code fixes
2026-03-10 16:07:43 +11:00
order_cycle_schedule.rb
Require associations on join model
2023-09-04 17:07:07 +10:00
order_cycle.rb
Move the inventory feature check to ScopeVariantToHub
2025-07-09 13:43:12 +10:00
producer_property.rb
Fix Style/HashSyntax
2023-09-12 23:19:05 +09:00
proxy_order.rb
Repair ProxyOrder to support order cycle without closing time
2026-02-27 14:36:20 +01:00
report_blob.rb
Create observable reports blob early
2024-08-16 14:37:57 +10:00
report_rendering_options.rb
Fix Rails 7.2 serialize deprecation warnings
2026-02-19 21:55:13 +00:00
schedule.rb
Fix FixRailsWhereEquals
2024-04-09 10:44:02 +02:00
semantic_link.rb
Switch SemanticLink to use new association
2024-11-19 15:53:58 +11:00
stripe_account.rb
Replace Bugsnag calls with Alert.raise
2024-11-21 15:58:55 +11:00
subscription_line_item.rb
Requested changes
2025-03-26 19:44:08 +01:00
subscription.rb
Replace alias_attribute with alias_method
2025-10-31 14:26:33 +01:00
tag_rule.rb
Fix variant tag rules endpoint
2025-11-03 15:50:12 +11:00
terms_of_service_file.rb
hide agree to the ToS when not ToS file is set
2023-08-22 10:22:26 +01:00
variant_link.rb
Remove touch
2026-03-11 11:09:12 +11:00
variant_override.rb
Remove unnecessary error creation
2024-11-21 15:58:56 +11:00
voucher.rb
Move Vine voucher to Vouchers::Vine
2024-11-28 13:35:01 +01:00
webhook_endpoint.rb
Fix existing code to support webhook_type
2025-12-10 10:28:11 +11:00