Enterprise user can soft-delete a variant. BUT, only its own variants.

app/models/spree/ability_decorator.rb

@@ -12,11 +12,15 @@ class AbilityDecorator
 
       # Enterprise User can only access products that they are a supplier for
       can [:create], Spree::Product
-      can [:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], Spree::Product  do |product|
+      can [:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], Spree::Product do |product|
         user.enterprises.include? product.supplier
       end
 
-      can [:admin, :index, :read, :create, :edit, :update, :search, :destroy], Spree::Variant
+      can [:create], Spree::Variant
+      can [:admin, :index, :read, :edit, :update, :search, :destroy], Spree::Variant do |variant|
+        user.enterprises.include? variant.product.supplier
+      end
+
       can [:admin, :index, :read, :create, :edit, :update_positions, :destroy], Spree::ProductProperty
       can [:admin, :index, :read, :create, :edit, :update, :destroy], Spree::Image
 

spec/controllers/spree/api/variants_controller_spec.rb

@@ -4,6 +4,7 @@ module Spree
   describe Spree::Api::VariantsController do
     render_views
 
+    let(:supplier) { FactoryGirl.create(:supplier_enterprise) }
     let!(:variant1) { FactoryGirl.create(:variant) }
     let!(:variant2) { FactoryGirl.create(:variant) }
     let!(:variant3) { FactoryGirl.create(:variant) }
@@ -39,13 +40,29 @@ module Spree
         lambda { variant.reload }.should_not raise_error
         variant.deleted_at.should be_nil
       end
+    end
 
-      #it "sorts variants in ascending id order" do
-      #  spree_get :index, { :template => 'bulk_index', :format => :json }
-      #  ids = json_response.map{ |variant| variant['id'] }
-      #  ids[0].should < ids[1]
-      #  ids[1].should < ids[2]
-      #end
+    context "as an enterprise user" do
+      sign_in_as_enterprise_user! [:supplier]
+      let(:supplier_other) { create(:supplier_enterprise) }
+      let(:product) { create(:product, supplier: supplier) }
+      let(:variant) { product.master }
+      let(:product_other) { create(:product, supplier: supplier_other) }
+      let(:variant_other) { product_other.master }
+
+      it "soft deletes a variant" do
+        spree_delete :soft_delete, {variant_id: variant.to_param, product_id: product.to_param, format: :json}
+        response.status.should == 204
+        lambda { variant.reload }.should_not raise_error
+        variant.deleted_at.should_not be_nil
+      end
+
+      it "is denied access to soft deleting another enterprises' variant" do
+        spree_delete :soft_delete, {variant_id: variant_other.to_param, product_id: product_other.to_param, format: :json}
+        assert_unauthorized!
+        lambda { variant.reload }.should_not raise_error
+        variant.deleted_at.should be_nil
+      end
     end
 
     context "as an administrator" do

spec/models/spree/ability_spec.rb

@@ -48,7 +48,12 @@ module Spree
         end
 
         it "should be able to read/write their enterprises' product variants" do
-          should have_ability([:admin, :index, :read, :create, :edit, :search, :update, :destroy], for: Spree::Variant)
+          should have_ability([:create], for: Spree::Variant)
+          should have_ability([:admin, :index, :read, :create, :edit, :search, :update, :destroy], for: p1.master)
+        end
+
+        it "should not be able to read/write other enterprises' product variants" do
+          should_not have_ability([:admin, :index, :read, :create, :edit, :search, :update, :destroy], for: p2.master)
         end
 
         it "should be able to read/write their enterprises' product properties" do