mirror of
https://github.com/openfoodfoundation/openfoodnetwork
synced 2026-02-15 23:57:48 +00:00
Revoke ability to overide variants based on shared management/ownership (ie. only explicit permissions)
@@ -49,13 +49,10 @@ module OpenFoodNetwork
|
||||
map { |child_id, ers| [child_id, ers.map { |er| er.parent_id }] }
|
||||
]
|
||||
|
||||
# We have permission to create variant overrides for any producers we manage, for any
|
||||
# hub we can add to an order cycle
|
||||
managed_producer_ids = managed_enterprises.is_primary_producer.pluck(:id)
|
||||
if managed_producer_ids.any?
|
||||
hubs.each do |hub|
|
||||
permissions[hub.id] = ((permissions[hub.id] || []) + managed_producer_ids).uniq
|
||||
end
|
||||
# Allow a producer hub to override it's own products without explicit permission
|
||||
hubs.is_primary_producer.each do |hub|
|
||||
permissions[hub.id] ||= []
|
||||
permissions[hub.id] |= [hub.id]
|
||||
end
|
||||
|
||||
permissions
|
||||
|
||||
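Review bot: The self-grant added at `hubs.is_primary_producer.each` gives every producer hub in `hubs` permission over its own id, so it is only as tight as `hubs` itself, whose definition lies outside this hunk (the enclosing method also starts and ends outside it). If `hubs` can ever contain an enterprise the user does not manage, this loop would bring back an implicit grant of the kind the commit removes, so the invariant is worth confirming and recording next to the loop, e.g. `# hubs must contain only enterprises the current user manages`. The two assignments can be folded into `permissions[hub.id] = (permissions[hub.id] || []) | [hub.id]`, and the comment should read "its own products".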
@@ -12,13 +12,20 @@ feature %q{
|
||||
let!(:hub) { create(:distributor_enterprise) }
|
||||
let!(:hub2) { create(:distributor_enterprise) }
|
||||
let!(:producer) { create(:supplier_enterprise) }
|
||||
let!(:producer_managed) { create(:supplier_enterprise) }
|
||||
let!(:producer_related) { create(:supplier_enterprise) }
|
||||
let!(:producer_unrelated) { create(:supplier_enterprise) }
|
||||
let!(:er1) { create(:enterprise_relationship, parent: producer, child: hub,
|
||||
permissions_list: [:create_variant_overrides]) }
|
||||
let!(:er2) { create(:enterprise_relationship, parent: producer_related, child: hub,
|
||||
permissions_list: [:create_variant_overrides]) }
|
||||
|
||||
context "as an enterprise user" do
|
||||
let(:user) { create_enterprise_user enterprises: [hub, producer] }
|
||||
let(:user) { create_enterprise_user enterprises: [hub, producer_managed] }
|
||||
before { quick_login_as user }
|
||||
|
||||
describe "selecting a hub" do
|
||||
let!(:er1) { create(:enterprise_relationship, parent: hub2, child: producer,
|
||||
let!(:er1) { create(:enterprise_relationship, parent: hub2, child: producer_managed,
|
||||
permissions_list: [:add_to_order_cycle]) } # This er should not confer ability to create VOs for hub2
|
||||
|
||||
it "displays a list of hub choices (ie. only those managed by the user)" do
|
||||
@@ -33,14 +40,14 @@ feature %q{
|
||||
let!(:variant) { create(:variant, product: product, unit_value: 1, price: 1.23, on_hand: 12) }
|
||||
let!(:inventory_item) { create(:inventory_item, enterprise: hub, variant: variant ) }
|
||||
|
||||
let!(:producer_related) { create(:supplier_enterprise) }
|
||||
let!(:product_managed) { create(:simple_product, supplier: producer_managed, variant_unit: 'weight', variant_unit_scale: 1) }
|
||||
let!(:variant_managed) { create(:variant, product: product_managed, unit_value: 3, price: 3.65, on_hand: 2) }
|
||||
let!(:inventory_item_managed) { create(:inventory_item, enterprise: hub, variant: variant_managed ) }
|
||||
|
||||
let!(:product_related) { create(:simple_product, supplier: producer_related) }
|
||||
let!(:variant_related) { create(:variant, product: product_related, unit_value: 2, price: 2.34, on_hand: 23) }
|
||||
let!(:inventory_item_related) { create(:inventory_item, enterprise: hub, variant: variant_related ) }
|
||||
let!(:er2) { create(:enterprise_relationship, parent: producer_related, child: hub,
|
||||
permissions_list: [:create_variant_overrides]) }
|
||||
|
||||
let!(:producer_unrelated) { create(:supplier_enterprise) }
|
||||
let!(:product_unrelated) { create(:simple_product, supplier: producer_unrelated) }
|
||||
|
||||
|
||||
@@ -67,6 +74,8 @@ feature %q{
|
||||
page.should have_input "variant-overrides-#{variant_related.id}-count_on_hand", placeholder: '23'
|
||||
|
||||
# filters the products to those the hub can override
|
||||
page.should_not have_content producer_managed.name
|
||||
page.should_not have_content product_managed.name
|
||||
page.should_not have_content producer_unrelated.name
|
||||
page.should_not have_content product_unrelated.name
|
||||
|
||||
|
||||
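Review bot: The added `page.should_not have_content producer_managed.name` and `product_managed.name` checks prove only that the override page hides a managed producer's products; they do not show that an override submitted for `variant_managed` is refused on the server side. Because this commit revokes a permission, a request-level example that saves an override for `variant_managed` as this user and expects a refusal would pin the enforcement; whether such an example exists elsewhere is not visible here. Separately, the new outer `let!(:er1)` is redefined by the `let!(:er1)` inside `describe "selecting a hub"`, so that group runs without the producer-to-hub `create_variant_overrides` relationship. Renaming the inner one (for example `er_oc`) would avoid the silent override.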
@@ -119,7 +119,7 @@ module OpenFoodNetwork
|
||||
{hub.id => [producer.id]}
|
||||
end
|
||||
|
||||
it "returns only permissions relating to managed enterprises" do
|
||||
it "returns only permissions relating to managed hubs" do
|
||||
create(:enterprise_relationship, parent: e1, child: e2,
|
||||
permissions_list: [:create_variant_overrides])
|
||||
|
||||
@@ -150,12 +150,17 @@ module OpenFoodNetwork
|
||||
end
|
||||
end
|
||||
|
||||
it "also returns managed producers" do
|
||||
it "does not return managed producers (ie. only uses explicitly granted VO permissions)" do
|
||||
producer2 = create(:supplier_enterprise)
|
||||
permissions.stub(:managed_enterprises) { Enterprise.where(id: [hub, producer2]) }
|
||||
|
||||
permissions.variant_override_enterprises_per_hub.should ==
|
||||
{hub.id => [producer.id, producer2.id]}
|
||||
expect(permissions.variant_override_enterprises_per_hub[hub.id]).to_not include producer2.id
|
||||
end
|
||||
|
||||
it "returns itself if self is also a primary producer (even when no explicit permission exists)" do
|
||||
hub.update_attribute(:is_primary_producer, true)
|
||||
|
||||
expect(permissions.variant_override_enterprises_per_hub[hub.id]).to include hub.id
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
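Review bot: The rewritten example "does not return managed producers" now asserts only `to_not include producer2.id`, where the old one compared the whole hash, so an unexpected extra hub key or producer id in the result would no longer fail it. Assuming the setup outside this hunk still grants `producer` to `hub` explicitly, an exact match keeps the check tight: `expect(permissions.variant_override_enterprises_per_hub).to eq({hub.id => [producer.id]})`. The self-grant example could likewise gain a counterpart asserting that a hub with `is_primary_producer` false does not receive its own id.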