Non-coordinating user cannot alter important attributes of order cycle

2026-02-04 22:16:08 +00:00 · 2015-04-08 14:12:49 +10:00
parent b1624a733e
commit 32cc17745a
2 changed files with 22 additions and 3 deletions
--- a/app/controllers/admin/order_cycles_controller.rb
+++ b/app/controllers/admin/order_cycles_controller.rb
@@ -7,6 +7,7 @@ module Admin

    before_filter :load_data_for_index, :only => :index
    before_filter :require_coordinator, only: :new
+    before_filter :remove_protected_attrs, only: [:update]
    around_filter :protect_invalid_destroy, only: :destroy


@@ -120,5 +121,13 @@ module Admin
        flash[:error] = "That order cycle has been selected by a customer and cannot be deleted. To prevent customers from accessing it, please close it instead."
      end
    end
+
+    def remove_protected_attrs
+      params[:order_cycle].delete :coordinator_id
+
+      unless spree_current_user.admin? || Enterprise.managed_by(spree_current_user).include?(@order_cycle.coordinator)
+        params[:order_cycle].delete_if{ |k,v| [:name, :orders_open_at, :orders_close_at].include? k.to_sym }
+      end
+    end
  end
 end
--- a/app/views/admin/order_cycles/_name_and_timing_form.html.haml
+++ b/app/views/admin/order_cycles/_name_and_timing_form.html.haml
@@ -1,15 +1,25 @@
+- as_coordinator = Enterprise.managed_by(spree_current_user).include? @order_cycle.coordinator
 .row
  .alpha.two.columns
    = f.label :name
  .fourteen.columns.omega
-    = f.text_field :name, 'ng-model' => 'order_cycle.name', 'required' => true
+    - if as_coordinator
+      = f.text_field :name, 'ng-model' => 'order_cycle.name', 'required' => true
+    - else
+      {{ order_cycle.name }}

 .row
  .alpha.two.columns
    = f.label :orders_open_at, 'Orders open'
  .six.columns
-    = f.text_field :orders_open_at, 'datetimepicker' => 'order_cycle.orders_open_at', 'ng-model' => 'order_cycle.orders_open_at'
+    - if as_coordinator
+      = f.text_field :orders_open_at, 'datetimepicker' => 'order_cycle.orders_open_at', 'ng-model' => 'order_cycle.orders_open_at'
+    - else
+      {{ order_cycle.orders_open_at }}
  .two.columns
    = f.label :orders_close_at, 'Orders close'
  .six.columns.omega
-    = f.text_field :orders_close_at, 'datetimepicker' => 'order_cycle.orders_close_at', 'ng-model' => 'order_cycle.orders_close_at'
+    - if as_coordinator
+      = f.text_field :orders_close_at, 'datetimepicker' => 'order_cycle.orders_close_at', 'ng-model' => 'order_cycle.orders_close_at'
+    - else
+      {{ order_cycle.orders_close_at }}