From 2b283405e7a7e091c56a14b43de0aeb599cf6f58 Mon Sep 17 00:00:00 2001
From: Rob H
Date: Sun, 13 Apr 2014 10:09:17 +1000
Subject: [PATCH] Only admin and users of distributors can access admin orders
---
 .../spree/admin/overview_controller_decorator.rb | 13 +++++++++++++
 app/models/spree/ability_decorator.rb | 5 ++++-
 config/routes.rb | 1 +
 spec/features/admin/cms_spec.rb | 2 +-
 spec/features/admin/enterprise_user_spec.rb | 6 +++---
 spec/models/spree/ability_spec.rb | 4 ++++
 6 files changed, 26 insertions(+), 5 deletions(-)
 create mode 100644 app/controllers/spree/admin/overview_controller_decorator.rb
diff --git a/app/controllers/spree/admin/overview_controller_decorator.rb b/app/controllers/spree/admin/overview_controller_decorator.rb
new file mode 100644
index 0000000000..e6555eb291
--- /dev/null
+++ b/app/controllers/spree/admin/overview_controller_decorator.rb
@@ -0,0 +1,13 @@
+module Spree
+ module Admin
+ class OverviewController < Spree::Admin::BaseController
+ def index
+ if current_spree_user.admin? || current_spree_user.enterprises.any?{ |e| e.is_distributor? }
+ redirect_to admin_orders_path
+ elsif current_spree_user.enterprises.any?{ |e| e.is_primary_producer? }
+ redirect_to bulk_edit_admin_products_path
+ end
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/app/models/spree/ability_decorator.rb b/app/models/spree/ability_decorator.rb
index 75c89d8664..795a818693 100644
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
@@ -8,6 +8,8 @@ class AbilityDecorator
 # when searching for variants to add to the order
 can [:create, :search, :bulk_update], nil
+ can [:admin, :index], :overview
+
 # Enterprise User can only access products that they are a supplier for
 can [:create], Spree::Product
 can [:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], Spree::Product do |product|
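Review bot: `index` has no `else`, so a user whose enterprises are neither distributors nor primary producers matches neither condition and falls through to whatever implicit render Rails performs for `overview/index` rather than an explicit destination; an `else redirect_to … end` (or the base controller's unauthorized handling) would make that path deliberate. The first condition also duplicates the rule this commit adds in `ability_decorator.rb`; `if can?(:admin, Spree::Order)` would keep the controller and the ability in step. Both branches call `current_spree_user` unguarded, which presumably relies on `Spree::Admin::BaseController` rejecting anonymous requests before the action runs — worth confirming. The file is also missing its trailing newline (`\ No newline at end of file`), and `any?{` should read `any? {` to match the file's spacing convention.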
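Review bot: The new `can [:admin, :index], :overview` is the only rule in this stretch without the explanatory comment the surrounding groups carry (compare the `# Enterprise User can only access products…` line directly below); a line such as `# Enterprise users may load the admin overview, which redirects them to the area they manage` above it would record why a bare symbol subject is used here. The method enclosing these rules starts and ends outside the hunk.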
@@ -23,11 +25,12 @@ class AbilityDecorator
 # Enterprise User can only access orders that they are a distributor for
 can [:index, :create], Spree::Order
- can [:admin, :read, :update, :bulk_management, :fire, :resend], Spree::Order do |order|
+ can [:read, :update, :bulk_management, :fire, :resend], Spree::Order do |order|
 # We allow editing orders with a nil distributor as this state occurs
 # during the order creation process from the admin backend
 order.distributor.nil? || user.enterprises.include?(order.distributor)
 end
+ can [:admin], Spree::Order if user.admin? || user.enterprises.any?{ |e| e.is_distributor? }
 can [:admin, :create], Spree::LineItem
 can [:admin, :index, :read, :create, :edit, :update, :fire], Spree::Payment
diff --git a/config/routes.rb b/config/routes.rb
index a218fb145e..b6976cd986 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -93,6 +93,7 @@ Spree::Core::Engine.routes.prepend do
 match '/admin/orders/bulk_management' => 'admin/orders#bulk_management', :as => "admin_bulk_order_management"
 match '/admin/reports/products_and_inventory' => 'admin/reports#products_and_inventory', :as => "products_and_inventory_admin_reports", :via => [:get, :post]
 match '/admin/reports/customers' => 'admin/reports#customers', :as => "customers_admin_reports", :via => [:get, :post]
+ match '/admin', :to => 'admin/overview#index', :as => :admin
 namespace :api, :defaults => { :format => 'json' } do
diff --git a/spec/features/admin/cms_spec.rb b/spec/features/admin/cms_spec.rb
index c3b2fe3454..f032994a9d 100644
--- a/spec/features/admin/cms_spec.rb
+++ b/spec/features/admin/cms_spec.rb
@@ -16,7 +16,7 @@ feature %q{
 page.should have_content "ComfortableMexicanSofa"
 click_link 'Spree Admin'
- current_path.should == spree.admin_path
+ current_path.should == spree.admin_orders_path
 end
 scenario "anonymous user can't access CMS admin" do
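Review bot: `:admin` on `Spree::Order` is now granted only to admins and distributor users, but the unchanged `can [:index, :create], Spree::Order` two lines above still grants index/create unconditionally, so a supplier-only user keeps those abilities in any check that is not preceded by an `:admin` authorization; putting it under the same guard keeps the rule self-consistent: `can [:index, :create], Spree::Order if user.admin? || user.enterprises.any?(&:is_distributor?)`. That predicate is now written twice in this commit (here and in `OverviewController#index`); computing it once into a local such as `manages_orders = user.admin? || user.enterprises.any?(&:is_distributor?)` would avoid the two drifting apart. The method enclosing these rules starts and ends outside the hunk.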
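Review bot: The new `match '/admin'` has no `:via`, so the overview redirect answers every HTTP verb, whereas the reports routes immediately above restrict theirs; since the action only redirects, `match '/admin', :to => 'admin/overview#index', :as => :admin, :via => :get` is the tighter declaration (and a `match` without `:via` is rejected outright from Rails 4 on). Because this block is `prepend`ed, `:as => :admin` presumably takes over the engine's own `admin` route helper, which seems to be why `cms_spec` now asserts `admin_orders_path` instead of `spree.admin_path`; a short comment on the route saying so would save the next reader the detour.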
diff --git a/spec/features/admin/enterprise_user_spec.rb b/spec/features/admin/enterprise_user_spec.rb
index e26be25c1e..8f639d94fb 100644
--- a/spec/features/admin/enterprise_user_spec.rb
+++ b/spec/features/admin/enterprise_user_spec.rb
@@ -71,7 +71,7 @@ feature %q{
 end
 scenario "manage products that I supply" do
- visit 'admin/products'
+ visit '/admin/products'
 within '#listing_products' do
 page.should have_content 'Green eggs'
@@ -90,12 +90,12 @@ feature %q{
 end
 scenario "should not be able to see system configuration" do
- visit 'admin/general_settings/edit'
+ visit '/admin/general_settings/edit'
 page.should have_content 'Authorization Failure'
 end
 scenario "should not be able to see user management" do
- visit 'admin/users'
+ visit '/admin/users'
 page.should have_content 'Authorization Failure'
 end
 end
diff --git a/spec/models/spree/ability_spec.rb b/spec/models/spree/ability_spec.rb
index 71160c7f87..e3d7581727 100644
--- a/spec/models/spree/ability_spec.rb
+++ b/spec/models/spree/ability_spec.rb
@@ -39,6 +39,10 @@ module Spree
 should_not have_ability([:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], for: p2)
 end
+ it "should not be able to access admin actions on orders" do
+ should_not have_ability([:admin], for: Spree::Order)
+ end
+
 it "should be able to create a new product" do
 should have_ability(:create, for: Spree::Product)
 end
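Review bot: The new example covers only the negative case; nothing in this commit asserts that an admin or a distributor's enterprise user does gain `:admin` on `Spree::Order`, or that `:overview` is granted, so the positive half of the new rule is untested. Sibling examples under a distributor-user context, e.g. `should have_ability([:admin], for: Spree::Order)` and `should have_ability([:admin, :index], for: :overview)`, would pin that. The subject here appears to be the supplier-only user used by the `p2` example above, but the `let`/`subject` definitions are outside the hunk.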