Test that enterprise user can't access other enterprises' products

2026-02-27 01:43:22 +00:00 · 2013-08-06 11:22:44 +10:00
parent 0a7c5d4992
commit 27c17d6b07
1 changed files with 9 additions and 5 deletions
--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
@@ -16,14 +16,14 @@ module Spree
      let(:p1) { create(:product, supplier: e1) }
      let(:p2) { create(:product, supplier: e2) }

-      # create order
+      # create order for each enterprise
      # let(:order) { create(:order, distributor: d1, bill_address: create(:address)) }

      subject { user }
      let(:user){ nil }

      context "when is an enterprise user" do
-        # create enterprise user without full admin access
+        # create enterprise1 user without full admin access
        let (:user) do
          user = create(:user)
          user.spree_roles = []
@@ -37,6 +37,10 @@ module Spree
          should have_ability([:admin, :read, :update, :bulk_edit, :clone, :destroy], for: p1)
        end

+        it "should not be able to read/write other enterprises' products" do
+          should_not have_ability([:admin, :read, :update, :bulk_edit, :clone, :destroy], for: p2)
+        end
+
        it "should be able to create a new product" do
          should have_ability(:create, for: Spree::Product)
        end
@@ -62,9 +66,9 @@ module Spree
        end

        #TODO: definitely should check this on enterprise_roles
-        it "should be able to read their enterprises' orders" # do
-        #   should have_ability([:admin, :index, :read], for: o1) 
-        # end
+        it "should be able to read their enterprises' orders" do
+          # should have_ability([:admin, :index, :read], for: o1) 
+        end
        
      end
    end