Merge pull request #12868 from rioug/fix-buu-permission

[BUU] Add missing permission check on product actions
2026-01-24 20:36:49 +00:00 · 2024-09-18 17:25:24 +10:00
parent a6d71f8dd1 68fa903d61
commit 4822a9ebcd
2 changed files with 68 additions and 0 deletions
--- a/app/controllers/admin/products_v3_controller.rb
+++ b/app/controllers/admin/products_v3_controller.rb
@@ -40,6 +40,8 @@ module Admin
        { id: params[:id] }
      ).find_product

+      authorize! :delete, @record
+
      @record.destroyed_by = spree_current_user
      status = :ok

@@ -74,6 +76,8 @@ module Admin

    def clone
      @product = Spree::Product.find(params[:id])
+      authorize! :clone, @product
+
      status = :ok

      begin
--- a/spec/requests/admin/products_v3_spec.rb
+++ b/spec/requests/admin/products_v3_spec.rb
@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe "Admin::ProductsV3" do
+  include AuthenticationHelper
+
+  let(:user) { create(:user) }
+  let(:headers) { { Accept: "text/vnd.turbo-stream.html" } }
+  let(:product) { create(:simple_product, supplier_id: create(:supplier_enterprise).id) }
+
+  before do
+    login_as user
+  end
+
+  describe "DELETE /admin/product_v3/:id" do
+    it "checks for permission" do
+      delete(admin_product_destroy_path(product), headers: )
+
+      expect(response).to redirect_to('/unauthorized')
+    end
+  end
+
+  describe "POST /admin/clone/:id" do
+    it "checks for permission" do
+      post(admin_clone_product_path(product), headers: )
+
+      expect(response).to redirect_to('/unauthorized')
+    end
+  end
+
+  describe "DELETE /admin/product_v3/destroy_variant/:id" do
+    it "checks for permission" do
+      delete(admin_destroy_variant_path(product.variants.first), headers: )
+
+      expect(response).to redirect_to('/unauthorized')
+    end
+  end
+
+  describe "POST /admin/products/bulk_update" do
+    it "checks for permission" do
+      variant = product.variants.first
+
+      params = {
+        products: {
+          '0': {
+            id: product.id,
+            name: "Updated product name",
+            variants_attributes: {
+              '0': {
+                id: variant.id,
+                display_name: "Updated variant display name",
+              }
+            }
+          }
+        }
+      }
+
+      post(admin_products_bulk_update_path, params:, headers: )
+
+      expect(response).to redirect_to('/unauthorized')
+    end
+  end
+end