diff --git a/app/models/spree/ability_decorator.rb b/app/models/spree/ability_decorator.rb
index b5ad4ec07b..e7e8d9feb8 100644
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
@@ -186,7 +186,7 @@ class AbilityDecorator
 # Reports page
 can [:admin, :index, :customers, :group_buys, :bulk_coop, :sales_tax, :payments, :orders_and_distributors, :orders_and_fulfillment, :products_and_inventory, :order_cycle_management], :report
- can [:admin, :index], Customer
+ can [:admin, :index, :update], Customer, enterprise_id: Enterprise.managed_by(user).pluck(:id)
 end
diff --git a/config/routes.rb b/config/routes.rb
index aa49f225dc..e262813cb7 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -80,7 +80,7 @@ Openfoodnetwork::Application.routes.draw do
 post :bulk_update, on: :collection
 end
- resources :customers, only: [:index]
+ resources :customers, only: [:index, :update]
 end
 namespace :api do
diff --git a/spec/controllers/admin/customers_controller_spec.rb b/spec/controllers/admin/customers_controller_spec.rb
index ee23b90552..3fc5451b8b 100644
--- a/spec/controllers/admin/customers_controller_spec.rb
+++ b/spec/controllers/admin/customers_controller_spec.rb
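Review bot: The conditions hash on the new `can` line only constrains instance-level checks, so a class-level `can? :update, Customer` still succeeds for any user who manages at least one enterprise; the restriction is only effective if the controller loads the `Customer` record and authorizes that instance (e.g. via `load_and_authorize_resource`), and since no controller change is part of this diff, that should be confirmed (it may be inherited from a resource controller). `Enterprise.managed_by(user).pluck(:id)` also issues a query every time the ability is built rather than lazily; a block condition or a scope-based rule would defer it if that cost matters. Because authorization runs before the update assigns attributes, `enterprise_id` must not be among the permitted update attributes, otherwise a manager could reassign a customer to an enterprise they do not manage — worth recording next to the rule, e.g. `# :update is scoped to managed enterprises; keep enterprise_id out of permitted params`. The enclosing ability method starts and ends outside the hunk.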
@@ -57,6 +57,39 @@ describe Admin::CustomersController, type: :controller do
 end
 end
 end
+ end
+ describe "update" do
+ let(:enterprise) { create(:distributor_enterprise) }
+ let(:another_enterprise) { create(:distributor_enterprise) }
+
+ context "json" do
+ let!(:customer) { create(:customer, enterprise: enterprise) }
+
+ context "where I manage the customer's enterprise" do
+ before do
+ controller.stub spree_current_user: enterprise.owner
+ end
+
+ it "allows me to update the customer" do
+ spree_put :update, format: :json, id: customer.id, customer: { email: 'new.email@gmail.com' }
+ expect(assigns(:customer)).to eq customer
+ expect(customer.reload.email).to eq 'new.email@gmail.com'
+ end
+ end
+
+ context "where I don't manage the customer's enterprise" do
+ before do
+ controller.stub spree_current_user: another_enterprise.owner
+ end
+
+ it "prevents me from updating the customer" do
+ spree_put :update, format: :json, id: customer.id, customer: { email: 'new.email@gmail.com' }
+ expect(response).to redirect_to spree.unauthorized_path
+ expect(assigns(:customer)).to eq nil
+ expect(customer.email).to_not eq 'new.email@gmail.com'
+ end
+ end
+ end
 end
 end
diff --git a/spec/models/spree/ability_spec.rb b/spec/models/spree/ability_spec.rb
index 8ff1054f19..e35291ec8e 100644
--- a/spec/models/spree/ability_spec.rb
+++ b/spec/models/spree/ability_spec.rb
@@ -220,8 +220,8 @@ module Spree
 should_not have_ability([:sales_total, :group_buys, :payments, :orders_and_distributors, :users_and_enterprises], for: :report)
 end
- it "should not be able to list customers" do
- should_not have_ability([:admin, :index], for: Customer)
+ it "should not be able to access customer actions" do
+ should_not have_ability([:admin, :index, :update], for: Customer)
 end
 describe "order_cycles abilities" do
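Review bot: The final assertion in "prevents me from updating the customer" cannot fail: `customer` is the in-memory factory object, which the request never touches, so `expect(customer.email).to_not eq 'new.email@gmail.com'` passes even if the database row was changed; it should read `expect(customer.reload.email).to_not eq 'new.email@gmail.com'`, mirroring the positive case, so the test actually proves the unauthorized update was blocked. `expect(assigns(:customer)).to eq nil` is more idiomatically `expect(assigns(:customer)).to be_nil`. `controller.stub spree_current_user: ...` is the legacy RSpec stubbing syntax; `allow(controller).to receive(:spree_current_user).and_return(enterprise.owner)` is the current form, although the surrounding file may still use the old style.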
@@ -411,8 +411,8 @@ module Spree
 should_not have_ability([:sales_total, :users_and_enterprises], for: :report)
 end
- it "should be able to list customers" do
- should have_ability([:admin, :index], for: Customer)
+ it "should be able to access customer actions" do
+ should have_ability([:admin, :index, :update], for: Customer)
 end
 context "for a given order_cycle" do
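Review bot: Asserting `should have_ability([:admin, :index, :update], for: Customer)` against the class only shows that an `:update` rule exists; with the `enterprise_id` condition the ability now carries, it says nothing about whether a customer belonging to an enterprise this user does not manage is rejected, which is the property the change is meant to guarantee. Consider adding instance-level expectations alongside it, e.g. `should have_ability(:update, for: create(:customer, enterprise: <managed enterprise>))` and `should_not have_ability(:update, for: create(:customer, enterprise: <unmanaged enterprise>))`, using the enterprise fixtures this context already defines. The enclosing describe block starts outside the hunk.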