Restricting access to orders within Sales Tax Report

Managers of suppliers should not be able to generate sales tax reports for orders they only supply products for
2026-02-06 22:36:07 +00:00 · 2015-11-19 14:58:13 +11:00
parent d115eb816e
commit 7a23f671a2
4 changed files with 19 additions and 10 deletions
--- a/app/controllers/spree/admin/reports_controller_decorator.rb
+++ b/app/controllers/spree/admin/reports_controller_decorator.rb
@@ -158,12 +158,10 @@ Spree::Admin::ReportsController.class_eval do

  def sales_tax
    prepare_date_params params
-
-    @search = Spree::Order.complete.not_state(:canceled).managed_by(spree_current_user).search(params[:q])
-    orders = @search.result
    @distributors = Enterprise.is_distributor.managed_by(spree_current_user)

-    @report = OpenFoodNetwork::SalesTaxReport.new orders
+    @report = OpenFoodNetwork::SalesTaxReport.new spree_current_user, params
+
    unless params[:csv]
      render :html => @report
    else
--- a/app/views/spree/admin/reports/sales_tax.html.haml
+++ b/app/views/spree/admin/reports/sales_tax.html.haml
@@ -1,4 +1,4 @@
-= form_for @search, :url => spree.sales_tax_admin_reports_path do |f|
+= form_for @report.search, :url => spree.sales_tax_admin_reports_path do |f|
  = render 'date_range_form', f: f

  .row
@@ -29,4 +29,3 @@
    - if @report.table.empty?
      %tr
        %td{:colspan => @report.header.count}= t(:none)
-
--- a/lib/open_food_network/sales_tax_report.rb
+++ b/lib/open_food_network/sales_tax_report.rb
@@ -1,9 +1,11 @@
 module OpenFoodNetwork
  class SalesTaxReport
    include Spree::ReportsHelper
+    attr_accessor :user, :params

-    def initialize orders
-      @orders = orders
+    def initialize(user, params)
+      @user = user
+      @params = params
    end

    def header
@@ -12,8 +14,17 @@ module OpenFoodNetwork
        "Total Tax (#{currency_symbol})", "Customer", "Distributor"]
    end

+    def search
+      permissions = OpenFoodNetwork::Permissions.new(user)
+      permissions.editable_orders.complete.not_state(:canceled).search(params[:q])
+    end
+
+    def orders
+      search.result
+    end
+
    def table
-      @orders.map do |order|
+      orders.map do |order|
        totals = totals_of order.line_items
        shipping_cost = shipping_cost_for order

--- a/spec/lib/open_food_network/sales_tax_report_spec.rb
+++ b/spec/lib/open_food_network/sales_tax_report_spec.rb
@@ -2,7 +2,8 @@ require 'open_food_network/sales_tax_report'

 module OpenFoodNetwork
  describe SalesTaxReport do
-    let(:report) { SalesTaxReport.new(nil) }
+    let(:user) { create(:user) }
+    let(:report) { SalesTaxReport.new(user, {}) }

    describe "calculating totals for line items" do
      let(:li1) { double(:line_item, quantity: 1, amount: 12) }