From 32cc17745aef1c4c07d1ed504fdda39bcbe44647 Mon Sep 17 00:00:00 2001
From: Rob Harrington
Date: Wed, 8 Apr 2015 14:12:49 +1000
Subject: [PATCH] Non-coordinating user cannot alter important attributes of order cycle

---
 app/controllers/admin/order_cycles_controller.rb | 9 +++++++++
 .../order_cycles/_name_and_timing_form.html.haml | 16 +++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/app/controllers/admin/order_cycles_controller.rb b/app/controllers/admin/order_cycles_controller.rb
index c8d5af73e6..b27a343ae3 100644
--- a/app/controllers/admin/order_cycles_controller.rb
+++ b/app/controllers/admin/order_cycles_controller.rb
@@ -7,6 +7,7 @@ module Admin
 before_filter :load_data_for_index, :only => :index
 before_filter :require_coordinator, only: :new
+ before_filter :remove_protected_attrs, only: [:update]
 around_filter :protect_invalid_destroy, only: :destroy
@@ -120,5 +121,13 @@ module Admin
 flash[:error] = "That order cycle has been selected by a customer and cannot be deleted. To prevent customers from accessing it, please close it instead."
 end
 end
+
+ def remove_protected_attrs
+ params[:order_cycle].delete :coordinator_id
+
+ unless spree_current_user.admin? || Enterprise.managed_by(spree_current_user).include?(@order_cycle.coordinator)
+ params[:order_cycle].delete_if{ |k,v| [:name, :orders_open_at, :orders_close_at].include? k.to_sym }
+ end
+ end
 end
 end
diff --git a/app/views/admin/order_cycles/_name_and_timing_form.html.haml b/app/views/admin/order_cycles/_name_and_timing_form.html.haml
index ed24d20f39..be11d45372 100644
--- a/app/views/admin/order_cycles/_name_and_timing_form.html.haml
+++ b/app/views/admin/order_cycles/_name_and_timing_form.html.haml
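Review bot: `remove_protected_attrs` is registered `only: [:update]` while the existing `require_coordinator` guard covers `only: :new`, so a POST to `create` reaches neither filter and `coordinator_id`, `name` and the timing fields arrive unfiltered there unless the create path is protected elsewhere, which this hunk does not show. The method also assumes `params[:order_cycle]` is present and that `@order_cycle` has already been loaded by an earlier filter; if the resource is loaded by a later `before_filter`, `@order_cycle.coordinator` raises on nil, so the filter order should be confirmed and a guard such as `return unless params[:order_cycle]` added at the top. Inside the `delete_if` block the key comparison can stay on strings and the unused `v` dropped: `params[:order_cycle].delete_if { |k, _| %w[name orders_open_at orders_close_at].include?(k.to_s) }`. Because this is a denylist rather than an allowlist, a short comment on the method, e.g. `# Strips attributes only the coordinator may change; extend this list when new restricted attributes are added`, would help the next maintainer. The enclosing controller class starts before this hunk.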
@@ -1,15 +1,25 @@
+- as_coordinator = Enterprise.managed_by(spree_current_user).include? @order_cycle.coordinator
 .row
 .alpha.two.columns
 = f.label :name
 .fourteen.columns.omega
- = f.text_field :name, 'ng-model' => 'order_cycle.name', 'required' => true
+ - if as_coordinator
+ = f.text_field :name, 'ng-model' => 'order_cycle.name', 'required' => true
+ - else
+ {{ order_cycle.name }}
 .row
 .alpha.two.columns
 = f.label :orders_open_at, 'Orders open'
 .six.columns
- = f.text_field :orders_open_at, 'datetimepicker' => 'order_cycle.orders_open_at', 'ng-model' => 'order_cycle.orders_open_at'
+ - if as_coordinator
+ = f.text_field :orders_open_at, 'datetimepicker' => 'order_cycle.orders_open_at', 'ng-model' => 'order_cycle.orders_open_at'
+ - else
+ {{ order_cycle.orders_open_at }}
 .two.columns
 = f.label :orders_close_at, 'Orders close'
 .six.columns.omega
- = f.text_field :orders_close_at, 'datetimepicker' => 'order_cycle.orders_close_at', 'ng-model' => 'order_cycle.orders_close_at'
+ - if as_coordinator
+ = f.text_field :orders_close_at, 'datetimepicker' => 'order_cycle.orders_close_at', 'ng-model' => 'order_cycle.orders_close_at'
+ - else
+ {{ order_cycle.orders_close_at }}
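Review bot: The `as_coordinator` check on the first added line differs from the server-side rule in `remove_protected_attrs`, which additionally allows `spree_current_user.admin?`; unless `Enterprise.managed_by` already returns every enterprise for admins, an admin who does not manage the coordinator sees read-only text here although the controller would accept the edit. If this partial is also rendered by the `new` form before a coordinator is assigned, `include? @order_cycle.coordinator` is false for a nil coordinator and the name and timing fields render as plain `{{ … }}` text, leaving no way to fill them in; that case is not visible in the hunk and should be confirmed. Keeping the rule in one place, e.g. a helper method on the controller exposed with `helper_method` and used by both the filter and this partial, would stop the two checks drifting apart. The display-only branches are a usability measure; the controller filter remains the enforcement point and the view must not be relied on for it.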