Enterprise user can only update order cycle exchanges where it manages the participant enterprise

2026-01-24 20:36:49 +00:00 · 2014-05-23 12:05:46 +10:00
parent 9b15c213d1
commit 095b9bf67a
2 changed files with 49 additions and 16 deletions
--- a/lib/open_food_network/order_cycle_form_applicator.rb
+++ b/lib/open_food_network/order_cycle_form_applicator.rb
@@ -64,9 +64,11 @@ module OpenFoodNetwork

    def update_exchange(sender_id, receiver_id, incoming, attrs={})
      exchange = @order_cycle.exchanges.where(:sender_id => sender_id, :receiver_id => receiver_id, :incoming => incoming).first
-      exchange.update_attributes!(attrs)

-      @touched_exchanges << exchange
+      if permission_for(exchange)
+        exchange.update_attributes!(attrs)
+        @touched_exchanges << exchange
+      end
    end

    def destroy_untouched_exchanges
@@ -79,7 +81,11 @@ module OpenFoodNetwork
    end

    def with_permission(exchanges)
-      exchanges.select { |ex| @permitted_enterprises.include? ex.participant }
+      exchanges.select { |ex| permission_for(ex) }
+    end
+
+    def permission_for(exchange)
+      @permitted_enterprises.include? exchange.participant
    end


--- a/spec/lib/open_food_network/order_cycle_form_applicator_spec.rb
+++ b/spec/lib/open_food_network/order_cycle_form_applicator_spec.rb
@@ -136,20 +136,31 @@ module OpenFoodNetwork
      end

      describe "filtering exchanges for permission" do
-        it "returns exchanges involving enterprises we have permission to touch" do
-          e = double(:enterprise)
-          ex = double(:exchange, participant: e)
+        describe "checking permission on a single exchange" do
+          it "returns true when it has permission" do
+            e = double(:enterprise)
+            ex = double(:exchange, participant: e)

-          applicator = OrderCycleFormApplicator.new(nil, [e])
-          applicator.send(:with_permission, [ex]).should == [ex]
+            applicator = OrderCycleFormApplicator.new(nil, [e])
+            applicator.send(:permission_for, ex).should be_true
+          end
+
+          it "returns false otherwise" do
+            e = double(:enterprise)
+            ex = double(:exchange, participant: e)
+
+            applicator = OrderCycleFormApplicator.new(nil, [])
+            applicator.send(:permission_for, ex).should be_false
+          end
        end

-        it "does not return other exchanges" do
-          e = double(:enterprise)
-          ex = double(:exchange, participant: e)
-
-          applicator = OrderCycleFormApplicator.new(nil, [])
-          applicator.send(:with_permission, [ex]).should == []
+        describe "filtering many exchanges" do
+          it "returns exchanges involving enterprises we have permission to touch" do
+            ex1, ex2 = double(:exchange), double(:exchange)
+            applicator = OrderCycleFormApplicator.new(nil, [])
+            applicator.stub(:permission_for).and_return(true, false)
+            applicator.send(:with_permission, [ex1, ex2]).should == [ex1]
+          end
        end
      end
    end
@@ -197,10 +208,11 @@ module OpenFoodNetwork
      end

      it "updates exchanges" do
-        oc = FactoryGirl.create(:simple_order_cycle)
-        applicator = OrderCycleFormApplicator.new(oc)
        sender = FactoryGirl.create(:enterprise)
        receiver = FactoryGirl.create(:enterprise)
+        oc = FactoryGirl.create(:simple_order_cycle)
+        applicator = OrderCycleFormApplicator.new(oc, [sender, receiver])
+
        incoming = true
        variant1 = FactoryGirl.create(:variant)
        variant2 = FactoryGirl.create(:variant)
@@ -219,6 +231,21 @@ module OpenFoodNetwork
        exchange.enterprise_fees.sort.should == [enterprise_fee2, enterprise_fee3]
        applicator.send(:touched_exchanges).should == [exchange]
      end
+
+      it "does not update exchanges it is not permitted to touch" do
+        sender = FactoryGirl.create(:enterprise)
+        receiver = FactoryGirl.create(:enterprise)
+        oc = FactoryGirl.create(:simple_order_cycle)
+        applicator = OrderCycleFormApplicator.new(oc, [])
+        incoming = true
+        exchange = FactoryGirl.create(:exchange, order_cycle: oc, sender: sender, receiver: receiver, incoming: incoming)
+        variant1 = FactoryGirl.create(:variant)
+
+        applicator.send(:touched_exchanges=, [])
+        applicator.send(:update_exchange, sender.id, receiver.id, incoming, {:variant_ids => [variant1.id]})
+
+        exchange.variants.should_not == [variant1]
+      end
    end
  end
 end