Wiring up update action for customers controller

2026-01-24 20:36:49 +00:00 · 2015-05-08 10:38:02 +10:00
parent 8f35ccf007
commit 2afd501af3
4 changed files with 39 additions and 6 deletions
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
@@ -186,7 +186,7 @@ class AbilityDecorator
    # Reports page
    can [:admin, :index, :customers, :group_buys, :bulk_coop, :sales_tax, :payments, :orders_and_distributors, :orders_and_fulfillment, :products_and_inventory, :order_cycle_management], :report

-    can [:admin, :index], Customer
+    can [:admin, :index, :update], Customer, enterprise_id: Enterprise.managed_by(user).pluck(:id)
  end


--- a/config/routes.rb
+++ b/config/routes.rb
@@ -80,7 +80,7 @@ Openfoodnetwork::Application.routes.draw do
      post :bulk_update, on: :collection
    end

-    resources :customers, only: [:index]
+    resources :customers, only: [:index, :update]
  end

  namespace :api do
--- a/spec/controllers/admin/customers_controller_spec.rb
+++ b/spec/controllers/admin/customers_controller_spec.rb
@@ -57,6 +57,39 @@ describe Admin::CustomersController, type: :controller do
        end
      end
    end
+  end

+  describe "update" do
+    let(:enterprise) { create(:distributor_enterprise) }
+    let(:another_enterprise) { create(:distributor_enterprise) }
+
+    context "json" do
+      let!(:customer) { create(:customer, enterprise: enterprise) }
+
+      context "where I manage the customer's enterprise" do
+        before do
+          controller.stub spree_current_user: enterprise.owner
+        end
+
+        it "allows me to update the customer" do
+          spree_put :update, format: :json, id: customer.id, customer: { email: 'new.email@gmail.com' }
+          expect(assigns(:customer)).to eq customer
+          expect(customer.reload.email).to eq 'new.email@gmail.com'
+        end
+      end
+
+      context "where I don't manage the customer's enterprise" do
+        before do
+          controller.stub spree_current_user: another_enterprise.owner
+        end
+
+        it "prevents me from updating the customer" do
+          spree_put :update, format: :json, id: customer.id, customer: { email: 'new.email@gmail.com' }
+          expect(response).to redirect_to spree.unauthorized_path
+          expect(assigns(:customer)).to eq nil
+          expect(customer.email).to_not eq 'new.email@gmail.com'
+        end
+      end
+    end
  end
 end
--- a/spec/models/spree/ability_spec.rb
+++ b/spec/models/spree/ability_spec.rb
@@ -220,8 +220,8 @@ module Spree
          should_not have_ability([:sales_total, :group_buys, :payments, :orders_and_distributors, :users_and_enterprises], for: :report)
        end

-        it "should not be able to list customers" do
-          should_not have_ability([:admin, :index], for: Customer)
+        it "should not be able to access customer actions" do
+          should_not have_ability([:admin, :index, :update], for: Customer)
        end

        describe "order_cycles abilities" do
@@ -411,8 +411,8 @@ module Spree
          should_not have_ability([:sales_total, :users_and_enterprises], for: :report)
        end

-        it "should be able to list customers" do
-          should have_ability([:admin, :index], for: Customer)
+        it "should be able to access customer actions" do
+          should have_ability([:admin, :index, :update], for: Customer)
        end

        context "for a given order_cycle" do