From 63e345f819e992e5d9eed451297822472715d67d Mon Sep 17 00:00:00 2001
From: Rob Harrington
Date: Wed, 25 Mar 2015 11:58:07 +1100
Subject: [PATCH] Exchange serializer cuts down list of variants visible to the current user, based on permissions
---
 .../api/admin/exchange_serializer.rb | 10 +++++++-
 .../admin/exchange_serializer_spec.rb | 25 +++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 spec/serializers/admin/exchange_serializer_spec.rb
diff --git a/app/serializers/api/admin/exchange_serializer.rb b/app/serializers/api/admin/exchange_serializer.rb
index c9fcad75db..bd143534e7 100644
--- a/app/serializers/api/admin/exchange_serializer.rb
+++ b/app/serializers/api/admin/exchange_serializer.rb
@@ -4,6 +4,14 @@ class Api::Admin::ExchangeSerializer < ActiveModel::Serializer
 has_many :enterprise_fees, serializer: Api::Admin::EnterpriseFeeSerializer

 def variants
- Hash[ object.variants.map { |v| [v.id, true] } ]
+ permitted = Spree::Variant.where("1=0")
+ if object.incoming
+ permitted = OpenFoodNetwork::Permissions.new(options[:current_user]).
+ visible_variants_for_incoming_exchanges_between(object.sender, object.receiver)
+ else
+ permitted = OpenFoodNetwork::Permissions.new(options[:current_user]).
+ visible_variants_for_outgoing_exchanges_between(object.sender, object.receiver, order_cycle: object.order_cycle)
+ end
+ Hash[ object.variants.merge(permitted).map { |v| [v.id, true] } ]
 end
 end
diff --git a/spec/serializers/admin/exchange_serializer_spec.rb b/spec/serializers/admin/exchange_serializer_spec.rb
new file mode 100644
index 0000000000..9b32c537b3
--- /dev/null
+++ b/spec/serializers/admin/exchange_serializer_spec.rb
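Review bot: In `variants` (app/serializers/api/admin/exchange_serializer.rb) the deny-all default `permitted = Spree::Variant.where("1=0")` is dead code, because both branches of the `if` reassign it, so it never acts as a fail-closed fallback. The filter therefore rests entirely on `options[:current_user]`, which is nil whenever a caller builds the serializer without that option; how `OpenFoodNetwork::Permissions` treats a nil user is not visible in this hunk. I would make a missing user fail loudly with `user = options.fetch(:current_user)` ahead of the `if`, pass `user` to both `Permissions.new` calls, and drop the unused initial assignment. The method lies fully inside the hunk, but the class header and its attribute list do not.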
@@ -0,0 +1,25 @@
+describe Api::Admin::ExchangeSerializer do
+ let(:v1) { create(:variant) }
+ let(:v2) { create(:variant) }
+ let(:exchange) { create(:exchange, incoming: false, variants: [v1, v2]) }
+ let(:permissions_mock) { double(:permissions) }
+ let(:serializer) { Api::Admin::ExchangeSerializer.new exchange }
+
+
+ before do
+ allow(OpenFoodNetwork::Permissions).to receive(:new) { permissions_mock }
+ allow(permissions_mock).to receive(:visible_variants_for_outgoing_exchanges_between) do
+ # This is the permitted list of variants
+ Spree::Variant.where(id: [v1] )
+ end
+ end
+
+ it "filters variants within the exchange based on permissions" do
+ visible_variants = serializer.variants
+ expect(permissions_mock).to have_received(:visible_variants_for_outgoing_exchanges_between).
+ with(exchange.sender, exchange.receiver, order_cycle: exchange.order_cycle)
+ expect(exchange.variants).to include v1, v2
+ expect(visible_variants.keys).to include v1.id
+ expect(visible_variants.keys).to_not include v2.id
+ end
+end
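Review bot: The spec builds the serializer without `current_user` and stubs `OpenFoodNetwork::Permissions.new` for any argument, so nothing verifies that the permission lookup is made for the requesting user. Pass one explicitly, `Api::Admin::ExchangeSerializer.new exchange, current_user: user`, and assert `expect(OpenFoodNetwork::Permissions).to have_received(:new).with(user)`. Only the outgoing branch is exercised here; a second example with `incoming: true` that expects `visible_variants_for_incoming_exchanges_between` would cover the other half of the filter.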