hide customer info on bulk orders page

2026-02-02 21:57:17 +00:00 · 2025-04-13 21:28:14 +05:00
parent 4e2198cd4f
commit 213209b460
6 changed files with 103 additions and 6 deletions
--- a/app/controllers/api/v0/orders_controller.rb
+++ b/app/controllers/api/v0/orders_controller.rb
@@ -67,7 +67,8 @@ module Api
      def serialized_orders(orders)
        ActiveModel::ArraySerializer.new(
          orders,
-          each_serializer: Api::Admin::OrderSerializer
+          each_serializer: Api::Admin::OrderSerializer,
+          current_user: current_api_user
        )
      end

--- a/app/helpers/spree/admin/orders_helper.rb
+++ b/app/helpers/spree/admin/orders_helper.rb
@@ -162,7 +162,7 @@ module Spree
      def display_value_for_producer(order, value)
        return value unless filter_by_supplier?(order)

-        order.distributor&.show_customer_names_to_suppliers ? value : t("admin.reports.hidden")
+        order.distributor&.show_customer_names_to_suppliers ? value : t("admin.reports.hidden_field")
      end
    end
  end
--- a/app/models/spree/ability.rb
+++ b/app/models/spree/ability.rb
@@ -369,6 +369,9 @@ module Spree
      can [:index, :create, :add, :read, :edit, :update], Spree::Shipment do |shipment|
        can_edit_order(shipment.order, user)
      end
+      can [:admin, :index], OrderCycle do |order_cycle|
+        can_edit_order(order_cycle.order, user)
+      end
      can [:visible], Enterprise
    end

--- a/app/serializers/api/admin/order_serializer.rb
+++ b/app/serializers/api/admin/order_serializer.rb
@@ -15,8 +15,14 @@ module Api
      has_one :distributor, serializer: Api::Admin::IdSerializer
      has_one :order_cycle, serializer: Api::Admin::IdSerializer

+      def full_name_for_sorting
+        value = [last_name, first_name].compact_blank.join(", ")
+        display_value_for_producer(object, value)
+      end
+
      def full_name
-        object.billing_address.nil? ? "" : ( object.billing_address.full_name || "" )
+        value = object.billing_address.nil? ? "" : ( object.billing_address.full_name || "" )
+        display_value_for_producer(object, value)
      end

      def first_name
@@ -65,11 +71,12 @@ module Api
      end

      def email
-        object.email || ""
+        display_value_for_producer(object, object.email || "")
      end

      def phone
-        object.billing_address.nil? ? "a" : ( object.billing_address.phone || "" )
+        value = object.billing_address.nil? ? "a" : ( object.billing_address.phone || "" )
+        display_value_for_producer(object, value)
      end

      def created_at
@@ -93,6 +100,16 @@ module Api
      def spree_routes_helper
        Spree::Core::Engine.routes.url_helpers
      end
+
+      def display_value_for_producer(order, value)
+        filter_by_supplier = (
+          order.distributor&.enable_producers_to_edit_orders &&
+          options[:current_user]&.can_manage_line_items_in_orders_only?
+        )
+        return value unless filter_by_supplier
+
+        order.distributor&.show_customer_names_to_suppliers ? value : I18n.t("admin.reports.hidden_field")
+      end
    end
  end
 end
--- a/spec/system/admin/orders/producer_actions_spec.rb
+++ b/spec/system/admin/orders/producer_actions_spec.rb
@@ -63,7 +63,7 @@ RSpec.describe 'As a producer who have the ability to update orders' do
            within('#listing_orders tbody') do
              expect(page).to have_selector('tr', count: 1) # Only one order
              # One for Email, one for Name
-              expect(page).to have_selector('td', text: 'HIDDEN', count: 2)
+              expect(page).to have_selector('td', text: '< Hidden >', count: 2)
            end
          end
        end
--- a/spec/system/admin/producer_bulk_order_management.rb
+++ b/spec/system/admin/producer_bulk_order_management.rb
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'system_helper'
+
+RSpec.describe 'As a producer who have the ability to update orders' do
+  include AdminHelper
+  include AuthenticationHelper
+  include WebHelper
+
+  let!(:supplier1) { create(:supplier_enterprise, name: 'My supplier1') }
+  let!(:supplier2) { create(:supplier_enterprise, name: 'My supplier2') }
+  let!(:supplier1_v1) { create(:variant, supplier_id: supplier1.id) }
+  let!(:supplier1_v2) { create(:variant, supplier_id: supplier1.id) }
+  let!(:supplier2_v1) { create(:variant, supplier_id: supplier2.id) }
+  let(:order_cycle) do
+    create(:simple_order_cycle, distributors: [distributor], variants: [supplier1_v1, supplier1_v2])
+  end
+  let!(:order_containing_supplier1_products) do
+    o = create(
+      :completed_order_with_totals,
+      distributor:, order_cycle:,
+      user: supplier1_ent_user, line_items_count: 1
+    )
+    o.line_items.first.update_columns(variant_id: supplier1_v1.id)
+    o
+  end
+
+  let(:supplier1_ent_user) { create(:user, enterprises: [supplier1]) }
+
+  context "As supplier1 enterprise user" do
+    before { login_as(supplier1_ent_user) }
+    let(:order) { order_containing_supplier1_products }
+    let(:user) { supplier1_ent_user }
+
+    describe 'bulk orders index page' do
+      before { visit spree.admin_bulk_order_management_path }
+
+      context "when no distributor allow the producer to edit orders" do
+        let(:distributor) { create(:distributor_enterprise) }
+
+        it "should not allow producer to view orders page" do
+          expect(page).to have_content 'Unauthorized'
+        end
+      end
+
+      context "when distributor allows the producer to edit orders" do
+        let(:distributor) { create(:distributor_enterprise, enable_producers_to_edit_orders: true) }
+
+        context "when distributor doesn't allow to view customer details" do
+          it "should allow producer to view bulk orders page with HIDDEN customer details" do
+            within('tbody') do
+              expect(page).to have_selector('tr', count: 1)
+              expect(page).to have_selector('td', text: '< Hidden >', count: 1)
+            end
+          end
+        end
+
+        context "when distributor allows to view customer details" do
+          let(:distributor) do
+            create(
+              :distributor_enterprise,
+              enable_producers_to_edit_orders: true,
+              show_customer_names_to_suppliers: true
+            )
+          end
+          it "should allow producer to view bulk orders page with customer details" do
+            within('tbody') do
+              expect(page).to have_selector('tr', count: 1)
+              expect(page).to have_selector('td', text: order.bill_address.full_name_for_sorting, count: 1)
+            end
+          end
+        end
+      end
+    end
+  end
+end