Merge pull request #8476 from Matt-Yorkley/reports-producers-visibility

Ensure line items are correctly scoped for producers

app/services/permissions/order.rb

@@ -10,7 +10,9 @@ module Permissions
       @search_params = search_params
     end
 
-    # Find orders that the user can see
+    # Find orders that the user can see. This includes any order where the producer has permissions
+    # and has at least *one* of their supplied products in the order. Additional scoping may be
+    # needed for queries showing line items per producer.
     def visible_orders
       orders = Spree::Order.
         with_line_items_variants_and_products_outer.

lib/reporting/queries/query_builder.rb

@@ -26,6 +26,12 @@ module Reporting
         )
       end
 
+      def scoped_to_line_items(line_items_relation)
+        reflect query.where(
+          line_item_table[:id].in(Arel.sql(line_items_relation.to_sql))
+        )
+      end
+
       def with_managed_orders(orders_relation)
         reflect query.
           outer_join(managed_orders_alias).

lib/reporting/report_template.rb

@@ -41,6 +41,12 @@ module Reporting
         select(:id).distinct
     end
 
+    def visible_line_items_relation
+      ::Permissions::Order.new(current_user).
+        visible_line_items.
+        select(:id).distinct
+    end
+
     def managed_orders_relation
       ::Enterprise.managed_by(current_user).select(:id).distinct
     end

lib/reporting/reports/packing/base.rb

@@ -13,6 +13,7 @@ module Reporting
         def report_query
           Queries::QueryBuilder.new(primary_model, grouping_fields).
             scoped_to_orders(scoped_orders_relation).
+            scoped_to_line_items(visible_line_items_relation).
             with_managed_orders(managed_orders_relation).
             joins_order_and_distributor.
             joins_order_customer.

spec/lib/reports/packing/packing_report_spec.rb

@@ -48,20 +48,25 @@ describe "Packing Reports" do
 
     context "as a manager of a supplier" do
       let!(:user) { create(:user) }
-      let(:supplier) { create(:supplier_enterprise) }
+      let(:supplier1) { create(:supplier_enterprise) }
+      let(:supplier2) { create(:supplier_enterprise) }
       let(:order2) {
         create(:completed_order_with_totals, distributor: distributor,
                                              bill_address: create(:address),
                                              ship_address: create(:address))
       }
       let(:line_item2) {
-        build(:line_item_with_shipment, product: create(:simple_product, supplier: supplier))
+        build(:line_item_with_shipment, product: create(:simple_product, name: "visible", supplier: supplier1))
+      }
+      let(:line_item3) {
+        build(:line_item_with_shipment, product: create(:simple_product, name: "not visible", supplier: supplier2))
       }
 
       before do
         order2.line_items << line_item2
+        order2.line_items << line_item3
         order2.finalize!
-        supplier.enterprise_roles.create!(user: user)
+        supplier1.enterprise_roles.create!(user: user)
       end
 
       context "which has not granted P-OC to the distributor" do
@@ -72,7 +77,7 @@ describe "Packing Reports" do
 
       context "which has granted P-OC to the distributor" do
         before do
-          create(:enterprise_relationship, parent: supplier, child: distributor,
+          create(:enterprise_relationship, parent: supplier1, child: distributor,
                                            permissions_list: [:add_to_order_cycle])
         end
 
@@ -92,6 +97,13 @@ describe "Packing Reports" do
             expect(report_data.first["first_name"]).to eq(order2.bill_address.firstname)
           end
         end
+
+        context "where an order contains items from multiple suppliers" do
+          it "only shows line items the current user supplies" do
+            expect(report_contents).to include line_item2.product.name
+            expect(report_contents).to_not include line_item3.product.name
+          end
+        end
       end
     end