Enterprise manager can create an order

app/models/spree/ability_decorator.rb

@@ -4,33 +4,40 @@ class AbilityDecorator
   def initialize(user)
     if user.enterprises.count > 0
 
-      #Enterprise User can only access products that they are a supplier for
+      # Spree performs authorize! on (:create, nil) when creating a new order from admin, and also (:search, nil)
+      # when searching for variants to add to the order
+      can [:create, :search], nil
+
+      # Enterprise User can only access products that they are a supplier for
       can [:create], Spree::Product
       can [:admin, :read, :update, :bulk_edit, :bulk_update, :clone, :destroy], Spree::Product  do |product|
         user.enterprises.include? product.supplier
       end
 
-      can [:admin, :index, :read, :create, :edit], Spree::Variant
+      can [:admin, :index, :read, :create, :edit, :search], Spree::Variant
       can [:admin, :index, :read, :create, :edit], Spree::ProductProperty
       can [:admin, :index, :read, :create, :edit], Spree::Image
 
       can [:admin, :index, :read, :search], Spree::Taxon
       can [:admin, :index, :read, :create, :edit], Spree::Classification
 
-      #Enterprise User can only access orders that they are a distributor for
+      # Enterprise User can only access orders that they are a distributor for
       can [:index, :create], Spree::Order
-      can [:admin, :read, :update, :fire, :resend ], Spree::Order do |order|
-        user.enterprises.include? order.distributor
+      can [:admin, :index, :read, :create, :update, :fire, :resend], Spree::Order do |order|
+        # We allow editing orders with a nil distributor as this state occurs
+        # during the order creation process from the admin backend
+        order.distributor.nil? || user.enterprises.include?(order.distributor)
       end
+      can [:admin, :create], Spree::LineItem
 
       can [:admin, :index, :read, :create, :edit, :update, :fire], Spree::Payment
       can [:admin, :index, :read, :create, :edit, :update, :fire], Spree::Shipment
       can [:admin, :index, :read, :create, :edit, :update, :fire], Spree::Adjustment
       can [:admin, :index, :read, :create, :edit, :update, :fire], Spree::ReturnAuthorization
 
-      #Enterprise User can only access payment methods for their distributors
+      # Enterprise User can only access payment methods for their distributors
       can [:index, :create], Spree::PaymentMethod
-      can [:admin, :read, :update, :fire, :resend, :destroy ], Spree::PaymentMethod do |payment_method|
+      can [:admin, :read, :update, :fire, :resend, :destroy], Spree::PaymentMethod do |payment_method|
         user.enterprises.include? payment_method.distributor
       end
 
@@ -53,7 +60,7 @@ class AbilityDecorator
         user.enterprises.include? enterprise
       end
 
-      #Enterprise User can access reports page
+      # Enterprise User can access reports page
       can [:admin, :index, :orders_and_distributors, :group_buys, :bulk_coop, :payments, :order_cycles], :report
     end
   end

spec/features/admin/orders_spec.rb

@@ -75,4 +75,53 @@ feature %q{
     # we should still be on the same page
     current_path.should == spree.admin_orders_path
   end
+
+  context "as an enterprise manager" do
+    let(:coordinator1) { create(:distributor_enterprise) }
+    let(:coordinator2) { create(:distributor_enterprise) }
+    let!(:order_cycle1) { create(:order_cycle, coordinator: coordinator1) }
+    let!(:order_cycle2) { create(:simple_order_cycle, coordinator: coordinator2) }
+    let(:supplier1) { order_cycle1.suppliers.first }
+    let(:supplier2) { order_cycle1.suppliers.last }
+    let(:distributor1) { order_cycle1.distributors.first }
+    let(:distributor2) { order_cycle1.distributors.last }
+    let(:product) { order_cycle1.products.first }
+
+    before(:each) do
+      @enterprise_user = create_enterprise_user
+      @enterprise_user.enterprise_roles.build(enterprise: supplier1).save
+      @enterprise_user.enterprise_roles.build(enterprise: supplier1).save
+      @enterprise_user.enterprise_roles.build(enterprise: coordinator1).save
+      @enterprise_user.enterprise_roles.build(enterprise: distributor1).save
+
+      login_to_admin_as @enterprise_user
+    end
+
+    scenario "creating an order with distributor and order cycle", js: true do
+      click_link 'Orders'
+      click_link 'New Order'
+
+      page.should have_content 'ADD PRODUCT'
+      targetted_select2_search product.name, from: '#add_variant_id', dropdown_css: '.select2-drop'
+      click_link 'Add'
+      page.has_selector? "table.index tbody[data-hook='admin_order_form_line_items'] tr"  # Wait for JS
+      page.should have_selector 'td', text: product.name
+
+      page.should have_select 'order_distributor_id', with_options: [distributor1.name]
+      page.should have_no_select 'order_distributor_id', with_options: [distributor2.name]
+
+      page.should have_select 'order_order_cycle_id', with_options: [order_cycle1.name]
+      page.should have_no_select 'order_order_cycle_id', with_options: [order_cycle2.name]
+
+      select distributor1.name, from: 'order_distributor_id'
+      select order_cycle1.name, from: 'order_order_cycle_id'
+      click_button 'Update'
+
+      page.should have_selector 'h1', text: 'Customer Details'
+      o = Spree::Order.last
+      o.distributor.should == distributor1
+      o.order_cycle.should == order_cycle1
+    end
+
+  end
 end

spec/models/ability_spec.rb

@@ -18,18 +18,18 @@ module Spree
       let(:p2) { create(:product, supplier: s2, distributors:[d1, d2]) }
 
       subject { user }
-      let(:user){ nil }
+      let(:user) { nil }
 
       context "when is a supplier enterprise user" do
         # create supplier_enterprise1 user without full admin access
-        let (:user) do
+        let(:user) do
           user = create(:user)
           user.spree_roles = []
           s1.enterprise_roles.build(user: user).save
           user
         end
 
-        let (:order) {create(:order, )}
+        let(:order) {create(:order)}
 
         it "should be able to read/write their enterprises' products" do
           should have_ability([:admin, :read, :update, :bulk_edit, :bulk_update, :clone, :destroy], for: p1)
@@ -44,7 +44,7 @@ module Spree
         end
 
         it "should be able to read/write their enterprises' product variants" do
-          should have_ability([:admin, :index, :read, :create, :edit], for: Spree::Variant)
+          should have_ability([:admin, :index, :read, :create, :edit, :search], for: Spree::Variant)
         end
 
         it "should be able to read/write their enterprises' product properties" do
@@ -84,6 +84,11 @@ module Spree
           create(:line_item, order: o, product: p1)
           o
         end
+        let(:o3) do
+          o = create(:order, distributor: nil, bill_address: create(:address))
+          create(:line_item, order: o, product: p1)
+          o
+        end
 
         it "should be able to read/write their enterprises' orders" do
           should have_ability([:admin, :index, :read, :edit], for: o1)
@@ -93,8 +98,20 @@ module Spree
           should_not have_ability([:admin, :index, :read, :edit], for: o2)
         end
 
+        it "should be able to read/write orders that are in the process of being created" do
+          should have_ability([:admin, :index, :read, :edit], for: o3)
+        end
+
+        it "should be able to create and search on nil (required for creating an order)" do
+          should have_ability([:create, :search], for: nil)
+        end
+
         it "should be able to create a new order" do
-          should have_ability(:create, for: Spree::Order)
+          should have_ability([:admin, :index, :read, :create, :update], for: Spree::Order)
+        end
+
+        it "should be able to create a new line item" do
+          should have_ability([:admin, :create], for: Spree::LineItem)
         end
 
         it "should be able to read/write Payments on a product" do