Restrict bulk updating order cycles at controller level

2026-02-01 21:47:16 +00:00 · 2015-04-09 12:27:43 +10:00
parent 8a3126f117
commit 60a3d8e0d1
2 changed files with 49 additions and 1 deletions
--- a/app/controllers/admin/order_cycles_controller.rb
+++ b/app/controllers/admin/order_cycles_controller.rb
@@ -8,6 +8,7 @@ module Admin
    before_filter :load_data_for_index, :only => :index
    before_filter :require_coordinator, only: :new
    before_filter :remove_protected_attrs, only: [:update]
+    before_filter :remove_unauthorized_bulk_attrs, only: [:bulk_update]
    around_filter :protect_invalid_destroy, only: :destroy


@@ -125,9 +126,18 @@ module Admin
    def remove_protected_attrs
      params[:order_cycle].delete :coordinator_id

-      unless spree_current_user.admin? || Enterprise.managed_by(spree_current_user).include?(@order_cycle.coordinator)
+      unless Enterprise.managed_by(spree_current_user).include?(@order_cycle.coordinator)
        params[:order_cycle].delete_if{ |k,v| [:name, :orders_open_at, :orders_close_at].include? k.to_sym }
      end
    end
+
+    def remove_unauthorized_bulk_attrs
+      params[:order_cycle_set][:collection_attributes].each do |i, hash|
+        order_cycle = OrderCycle.find(hash[:id])
+        unless Enterprise.managed_by(spree_current_user).include?(order_cycle.andand.coordinator)
+          params[:order_cycle_set][:collection_attributes].delete i
+        end
+      end
+    end
  end
 end
--- a/spec/controllers/admin/order_cycles_controller_spec.rb
+++ b/spec/controllers/admin/order_cycles_controller_spec.rb
@@ -57,6 +57,44 @@ module Admin
      end
    end

+    describe "bulk_update" do
+      let(:oc) { create(:simple_order_cycle) }
+      let!(:coordinator) { oc.coordinator }
+
+      context "when I manage the coordinator of an order cycle" do
+        before { create(:enterprise_role, user: distributor_owner, enterprise: coordinator) }
+
+        it "updates order cycle properties" do
+          spree_put :bulk_update, order_cycle_set: { collection_attributes: { '0' => {
+            id: oc.id,
+            orders_open_at: Date.today - 21.days,
+            orders_close_at: Date.today + 21.days,
+          } } }
+
+          oc.reload
+          expect(oc.orders_open_at.to_date).to eq Date.today - 21.days
+          expect(oc.orders_close_at.to_date).to eq Date.today + 21.days
+        end
+      end
+
+      context "when I do not manage the coordinator of an order cycle" do
+        # I need to manage a hub in order to access the bulk_update action
+        let!(:another_distributor) { create(:distributor_enterprise, users: [distributor_owner]) }
+
+        it "doesn't update order cycle properties" do
+          spree_put :bulk_update, order_cycle_set: { collection_attributes: { '0' => {
+            id: oc.id,
+            orders_open_at: Date.today - 21.days,
+            orders_close_at: Date.today + 21.days,
+          } } }
+
+          oc.reload
+          expect(oc.orders_open_at.to_date).to_not eq Date.today - 21.days
+          expect(oc.orders_close_at.to_date).to_not eq Date.today + 21.days
+        end
+      end
+    end
+
    describe "destroy" do
      let!(:distributor) { create(:distributor_enterprise, owner: distributor_owner) }