config/spree_permissions.yml in spree-0.7.1 vs config/spree_permissions.yml in spree-0.8.0
- old
+ new
@@ -51,14 +51,17 @@
permission1:
roles : [admin]
options :
except : [new, create]
unless : "current_user.id == object.id"
-# Users can only see their own orders
'OrdersController':
permission1:
+ roles : [user]
+ options :
+ for : [checkout]
+ unless : "Spree::Config[:allow_guest_checkout]"
+ permission2:
+ # Users can only see their own orders
roles : [admin]
options :
- except : [new, create]
- unless : "object.user_id == nil || current_user.id == object.user_id"
-
-# TODO - restrict orders
+ except : [new, create, cvv]
+ unless : can_access? #orders_controller may grant access based on presence of token, etc.
\ No newline at end of file
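Review bot: The new `unless : can_access?` rule on `permission2` moves the order-ownership decision into a controller method this hunk does not show, so the old explicit check (`current_user.id == object.user_id`) can no longer be audited from the permissions file. I would confirm that `can_access?` still denies a logged-in user access to another user's order, and that the token path mentioned in the trailing comment is the only other way in. The `cvv` action added to `except` also appears to fall outside this rule, so it should expose no order data. This is the only unquoted `unless` value in the hunk and it relies on ` #` starting a YAML comment; `unless : "can_access?"` with the comment on its own line above would match the other rules. The comment `# Users can only see their own orders` now sits under a permission whose `roles` is `[admin]` and is worth rewording.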