14081: fix permission issue for deleting manager

2026-03-26 05:55:15 +00:00 · 2026-03-21 03:38:38 +05:00
parent 06d6db5a07
commit 715a8f421a
2 changed files with 45 additions and 0 deletions
--- a/app/models/spree/ability.rb
+++ b/app/models/spree/ability.rb
@@ -197,6 +197,10 @@ module Spree
      can [:admin, :index, :destroy], :oidc_setting

      can [:admin, :create], Voucher
+
+      can [:admin, :destroy], EnterpriseRole do |enterprise_role|
+        enterprise_role.enterprise.owner_id == user.id
+      end
    end

    def add_product_management_abilities(user)
--- a/spec/system/admin/enterprises_spec.rb
+++ b/spec/system/admin/enterprises_spec.rb
@@ -885,6 +885,47 @@ RSpec.describe '
        end
      end
    end
+
+    describe "removing enterprise managers" do
+      let(:existing_user) { create(:user) }
+
+      before do
+        distributor1.users << existing_user
+        login_as logged_in_user
+        visit edit_admin_enterprise_path(distributor1)
+        scroll_to(:bottom)
+        within ".side_menu" do
+          find(:link, "Users").trigger("click")
+        end
+      end
+
+      context "as the enterprise owner" do
+        let(:logged_in_user) { distributor1.owner }
+
+        it 'removes the manager as enterprise owner' do
+          expect(page).to have_content existing_user.email
+
+          within "#manager-#{existing_user.id}" do
+            accept_confirm do
+              page.find("a.icon-trash").click
+            end
+          end
+
+          expect(page).not_to have_content existing_user.email
+        end
+      end
+
+      context "as the enterprise manager" do
+        let(:logged_in_user) { existing_user }
+
+        it "is unable delete any other manager" do
+          expect(page).to have_content existing_user.email
+          within('.edit_enterprise') do
+            expect(page).not_to have_selector('a.icon-trash')
+          end
+        end
+      end
+    end
  end

  context "changing package" do