Fixing customer info security for orders and fulfillments report

lib/open_food_network/orders_and_fulfillments_report.rb

@@ -42,7 +42,10 @@ module OpenFoodNetwork
       line_items = permissions.visible_line_items.merge(Spree::LineItem.where(order_id: orders))
       line_items = line_items.supplied_by_any(params[:supplier_id_in]) if params[:supplier_id_in].present?
 
-      line_items_with_hidden_details = line_items.where('"spree_line_items"."id" NOT IN (?)', permissions.editable_line_items)
+      # If empty array is passed in, the where clause will return all line_items, which is bad
+      line_items_with_hidden_details =
+        permissions.editable_line_items.empty? ? line_items : line_items.where('"spree_line_items"."id" NOT IN (?)', permissions.editable_line_items)
+
       line_items.select{ |li| line_items_with_hidden_details.include? li }.each do |line_item|
         # TODO We should really be hiding customer code here too, but until we
         # have an actual association between order and customer, it's a bit tricky