From 213209b460cc7ed0f614bae652ebfc3202b83e6b Mon Sep 17 00:00:00 2001
From: Ahmed Ejaz
Date: Sun, 13 Apr 2025 21:28:14 +0500
Subject: [PATCH] hide customer info on bulk orders page
---
 app/controllers/api/v0/orders_controller.rb | 3 +-
 app/helpers/spree/admin/orders_helper.rb | 2 +-
 app/models/spree/ability.rb | 3 +
 app/serializers/api/admin/order_serializer.rb | 23 +++++-
 .../admin/orders/producer_actions_spec.rb | 2 +-
 .../admin/producer_bulk_order_management.rb | 76 +++++++++++++++++++
 6 files changed, 103 insertions(+), 6 deletions(-)
 create mode 100644 spec/system/admin/producer_bulk_order_management.rb
diff --git a/app/controllers/api/v0/orders_controller.rb b/app/controllers/api/v0/orders_controller.rb
index 2ffb4304b3..d3fe7070c4 100644
--- a/app/controllers/api/v0/orders_controller.rb
+++ b/app/controllers/api/v0/orders_controller.rb
@@ -67,7 +67,8 @@ module Api
 def serialized_orders(orders)
 ActiveModel::ArraySerializer.new(
 orders,
- each_serializer: Api::Admin::OrderSerializer
+ each_serializer: Api::Admin::OrderSerializer,
+ current_user: current_api_user
 )
 end
diff --git a/app/helpers/spree/admin/orders_helper.rb b/app/helpers/spree/admin/orders_helper.rb
index 58e1af234f..7a474332a6 100644
--- a/app/helpers/spree/admin/orders_helper.rb
+++ b/app/helpers/spree/admin/orders_helper.rb
@@ -162,7 +162,7 @@ module Spree
 def display_value_for_producer(order, value)
 return value unless filter_by_supplier?(order)
- order.distributor&.show_customer_names_to_suppliers ? value : t("admin.reports.hidden")
+ order.distributor&.show_customer_names_to_suppliers ? value : t("admin.reports.hidden_field")
 end
 end
 end
diff --git a/app/models/spree/ability.rb b/app/models/spree/ability.rb
index ce87891d13..08e27d60d7 100644
--- a/app/models/spree/ability.rb
+++ b/app/models/spree/ability.rb
@@ -369,6 +369,9 @@ module Spree
 can [:index, :create, :add, :read, :edit, :update], Spree::Shipment do |shipment|
 can_edit_order(shipment.order, user)
 end
+ can [:admin, :index], OrderCycle do |order_cycle|
+ can_edit_order(order_cycle.order, user)
+ end
 can [:visible], Enterprise
 end
diff --git a/app/serializers/api/admin/order_serializer.rb b/app/serializers/api/admin/order_serializer.rb
index db3a72f0b5..9d28da3344 100644
--- a/app/serializers/api/admin/order_serializer.rb
+++ b/app/serializers/api/admin/order_serializer.rb
@@ -15,8 +15,14 @@ module Api
 has_one :distributor, serializer: Api::Admin::IdSerializer
 has_one :order_cycle, serializer: Api::Admin::IdSerializer
+ def full_name_for_sorting
+ value = [last_name, first_name].compact_blank.join(", ")
+ display_value_for_producer(object, value)
+ end
+
 def full_name
- object.billing_address.nil? ? "" : ( object.billing_address.full_name || "" )
+ value = object.billing_address.nil? ? "" : ( object.billing_address.full_name || "" )
+ display_value_for_producer(object, value)
 end
 def first_name
@@ -65,11 +71,12 @@ module Api
 end
 def email
- object.email || ""
+ display_value_for_producer(object, object.email || "")
 end
 def phone
- object.billing_address.nil? ? "a" : ( object.billing_address.phone || "" )
+ value = object.billing_address.nil? ? "a" : ( object.billing_address.phone || "" )
+ display_value_for_producer(object, value)
 end
 def created_at
@@ -93,6 +100,16 @@ module Api
 def spree_routes_helper
 Spree::Core::Engine.routes.url_helpers
 end
+
+ def display_value_for_producer(order, value)
+ filter_by_supplier = (
+ order.distributor&.enable_producers_to_edit_orders &&
+ options[:current_user]&.can_manage_line_items_in_orders_only?
+ )
+ return value unless filter_by_supplier
+
+ order.distributor&.show_customer_names_to_suppliers ? value : I18n.t("admin.reports.hidden_field")
+ end
 end
 end
 end
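Review bot: The block on the added `can [:admin, :index], OrderCycle` rule does not restrict class-level checks: CanCan evaluates a rule's block only when it is handed an instance, so `can?(:admin, OrderCycle)` and `can?(:index, OrderCycle)` are true for every user who reaches this branch, whatever `can_edit_order` would return. The block also reads `order_cycle.order`, a singular association; the OrderCycle model is not part of this patch, so confirm it exists, because an order cycle would normally have many orders and an instance-level check would otherwise raise. The enclosing method starts above the hunk, so which users reach these rules cannot be seen here. If the grant is only meant to let producers open the bulk order page, say so in a comment above the rule and cover it with an ability spec, so the effective permission is explicit rather than implied by a block that is skipped.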
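Review bot: Only `full_name`, `full_name_for_sorting`, `email` and `phone` are routed through `display_value_for_producer` (this hunk at -15,8 and the one at -65,11); `first_name`, whose definition begins on the last context line here, and the `last_name` it is paired with are left unchanged. If those two, or any address field, are in the serializer's attribute list (declared outside the hunk), the JSON returned to a producer still carries the customer's name even though the table cell shows the hidden placeholder. Route every customer-identifying attribute through the same helper, or omit them from the payload for producer users, so the masking is enforced in the API response rather than only in the columns the page happens to render.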
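Review bot: `display_value_for_producer` in the -93,6 hunk fails open: when the serializer is built without a `current_user` option, `options[:current_user]&.can_manage_line_items_in_orders_only?` is nil, `filter_by_supplier` is falsy and the raw value is returned. This patch passes the option only from `serialized_orders` in `Api::V0::OrdersController`, so any other place that instantiates `Api::Admin::OrderSerializer` would keep returning unmasked name, email and phone to producer users. At minimum add a comment on the method such as `# Callers must pass current_user:, otherwise nothing is masked`, and consider raising when the option is missing instead of silently skipping the filter. The condition also duplicates the logic behind `filter_by_supplier?` in `Spree::Admin::OrdersHelper`; sharing one predicate would keep the HTML and API paths from drifting apart.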
diff --git a/spec/system/admin/orders/producer_actions_spec.rb b/spec/system/admin/orders/producer_actions_spec.rb
index 26c2c63ad5..88e8d5bd34 100644
--- a/spec/system/admin/orders/producer_actions_spec.rb
+++ b/spec/system/admin/orders/producer_actions_spec.rb
@@ -63,7 +63,7 @@ RSpec.describe 'As a producer who have the ability to update orders' do
 within('#listing_orders tbody') do
 expect(page).to have_selector('tr', count: 1) # Only one order
 # One for Email, one for Name
- expect(page).to have_selector('td', text: 'HIDDEN', count: 2)
+ expect(page).to have_selector('td', text: '< Hidden >', count: 2)
 end
 end
 end
diff --git a/spec/system/admin/producer_bulk_order_management.rb b/spec/system/admin/producer_bulk_order_management.rb
new file mode 100644
index 0000000000..51d80a64b8
--- /dev/null
+++ b/spec/system/admin/producer_bulk_order_management.rb
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'system_helper'
+
+RSpec.describe 'As a producer who have the ability to update orders' do
+ include AdminHelper
+ include AuthenticationHelper
+ include WebHelper
+
+ let!(:supplier1) { create(:supplier_enterprise, name: 'My supplier1') }
+ let!(:supplier2) { create(:supplier_enterprise, name: 'My supplier2') }
+ let!(:supplier1_v1) { create(:variant, supplier_id: supplier1.id) }
+ let!(:supplier1_v2) { create(:variant, supplier_id: supplier1.id) }
+ let!(:supplier2_v1) { create(:variant, supplier_id: supplier2.id) }
+ let(:order_cycle) do
+ create(:simple_order_cycle, distributors: [distributor], variants: [supplier1_v1, supplier1_v2])
+ end
+ let!(:order_containing_supplier1_products) do
+ o = create(
+ :completed_order_with_totals,
+ distributor:, order_cycle:,
+ user: supplier1_ent_user, line_items_count: 1
+ )
+ o.line_items.first.update_columns(variant_id: supplier1_v1.id)
+ o
+ end
+
+ let(:supplier1_ent_user) { create(:user, enterprises: [supplier1]) }
+
+ context "As supplier1 enterprise user" do
+ before { login_as(supplier1_ent_user) }
+ let(:order) { order_containing_supplier1_products }
+ let(:user) { supplier1_ent_user }
+
+ describe 'bulk orders index page' do
+ before { visit spree.admin_bulk_order_management_path }
+
+ context "when no distributor allow the producer to edit orders" do
+ let(:distributor) { create(:distributor_enterprise) }
+
+ it "should not allow producer to view orders page" do
+ expect(page).to have_content 'Unauthorized'
+ end
+ end
+
+ context "when distributor allows the producer to edit orders" do
+ let(:distributor) { create(:distributor_enterprise, enable_producers_to_edit_orders: true) }
+
+ context "when distributor doesn't allow to view customer details" do
+ it "should allow producer to view bulk orders page with HIDDEN customer details" do
+ within('tbody') do
+ expect(page).to have_selector('tr', count: 1)
+ expect(page).to have_selector('td', text: '< Hidden >', count: 1)
+ end
+ end
+ end
+
+ context "when distributor allows to view customer details" do
+ let(:distributor) do
+ create(
+ :distributor_enterprise,
+ enable_producers_to_edit_orders: true,
+ show_customer_names_to_suppliers: true
+ )
+ end
+ it "should allow producer to view bulk orders page with customer details" do
+ within('tbody') do
+ expect(page).to have_selector('tr', count: 1)
+ expect(page).to have_selector('td', text: order.bill_address.full_name_for_sorting, count: 1)
+ end
+ end
+ end
+ end
+ end
+ end
+end
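Review bot: The new file is named `producer_bulk_order_management.rb`, without the `_spec.rb` suffix, so RSpec's default file pattern will not load it and these examples will not run unless the project overrides that pattern; rename it to `producer_bulk_order_management_spec.rb`. The hidden-details example only checks that one cell shows `< Hidden >`, so it would still pass if the customer's email or phone appeared in another column; add negative assertions such as `expect(page).not_to have_content order.email`. The top-level description repeats the one in `producer_actions_spec.rb`, and naming the bulk order page there would make a failure easier to place.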