From 7a23f671a2bedb86ee66ab7b93fc7023754aaf96 Mon Sep 17 00:00:00 2001
From: Rob Harrington
Date: Thu, 19 Nov 2015 14:58:13 +1100
Subject: [PATCH] Restricting access to orders within Sales Tax Report

Managers of suppliers should not be able to generate sales tax reports for orders they only supply products for
---
 .../spree/admin/reports_controller_decorator.rb | 6 ++----
 .../spree/admin/reports/sales_tax.html.haml | 3 +--
 lib/open_food_network/sales_tax_report.rb | 17 ++++++++++++++---
 .../open_food_network/sales_tax_report_spec.rb | 3 ++-
 4 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/app/controllers/spree/admin/reports_controller_decorator.rb b/app/controllers/spree/admin/reports_controller_decorator.rb
index 97d671fd48..e38e0bb395 100644
--- a/app/controllers/spree/admin/reports_controller_decorator.rb
+++ b/app/controllers/spree/admin/reports_controller_decorator.rb
@@ -158,12 +158,10 @@ Spree::Admin::ReportsController.class_eval do
 def sales_tax
 prepare_date_params params
-
- @search = Spree::Order.complete.not_state(:canceled).managed_by(spree_current_user).search(params[:q])
- orders = @search.result
 @distributors = Enterprise.is_distributor.managed_by(spree_current_user)
- @report = OpenFoodNetwork::SalesTaxReport.new orders
+ @report = OpenFoodNetwork::SalesTaxReport.new spree_current_user, params
+
 unless params[:csv]
 render :html => @report
 else
diff --git a/app/views/spree/admin/reports/sales_tax.html.haml b/app/views/spree/admin/reports/sales_tax.html.haml
index a7b3d9275d..b0a115a74b 100644
--- a/app/views/spree/admin/reports/sales_tax.html.haml
+++ b/app/views/spree/admin/reports/sales_tax.html.haml
@@ -1,4 +1,4 @@
-= form_for @search, :url => spree.sales_tax_admin_reports_path do |f|
+= form_for @report.search, :url => spree.sales_tax_admin_reports_path do |f|
 = render 'date_range_form', f: f
 .row
@@ -29,4 +29,3 @@
 - if @report.table.empty?
 %tr
 %td{:colspan => @report.header.count}= t(:none)
-
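Review bot: In `sales_tax` (reports_controller_decorator.rb) the distributor filter list is still built with `Enterprise.is_distributor.managed_by(spree_current_user)`, while order access now goes through `OpenFoodNetwork::Permissions#editable_orders` inside the report, so one action applies two separate authorization rules. Whether the two rules select the same enterprises cannot be told from this hunk; if they differ, the filter options and the result set will disagree. A short comment above the assignment would record the intent, e.g. `# Filter options only; order access is enforced by Permissions in SalesTaxReport#search`. The method body continues past the hunk, which ends at the `else` branch.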
diff --git a/lib/open_food_network/sales_tax_report.rb b/lib/open_food_network/sales_tax_report.rb
index 46e2cd234e..0d41b24ec1 100644
--- a/lib/open_food_network/sales_tax_report.rb
+++ b/lib/open_food_network/sales_tax_report.rb
@@ -1,9 +1,11 @@
 module OpenFoodNetwork
 class SalesTaxReport
 include Spree::ReportsHelper
+ attr_accessor :user, :params
- def initialize orders
- @orders = orders
+ def initialize(user, params)
+ @user = user
+ @params = params
 end
 def header
@@ -12,8 +14,17 @@ module OpenFoodNetwork
 "Total Tax (#{currency_symbol})", "Customer", "Distributor"]
 end
+ def search
+ permissions = OpenFoodNetwork::Permissions.new(user)
+ permissions.editable_orders.complete.not_state(:canceled).search(params[:q])
+ end
+
+ def orders
+ search.result
+ end
+
 def table
- @orders.map do |order|
+ orders.map do |order|
 totals = totals_of order.line_items
 shipping_cost = shipping_cost_for order
diff --git a/spec/lib/open_food_network/sales_tax_report_spec.rb b/spec/lib/open_food_network/sales_tax_report_spec.rb
index 00640d8f08..a6445fa1f9 100644
--- a/spec/lib/open_food_network/sales_tax_report_spec.rb
+++ b/spec/lib/open_food_network/sales_tax_report_spec.rb
@@ -2,7 +2,8 @@ require 'open_food_network/sales_tax_report'
 module OpenFoodNetwork
 describe SalesTaxReport do
- let(:report) { SalesTaxReport.new(nil) }
+ let(:user) { create(:user) }
+ let(:report) { SalesTaxReport.new(user, {}) }
 describe "calculating totals for line items" do
 let(:li1) { double(:line_item, quantity: 1, amount: 12) }
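Review bot: `attr_accessor :user, :params` in the first hunk of sales_tax_report.rb generates public writers for the two values that decide which orders the report may read, so any holder of the object can replace `user` after construction and change the permission scope. The visible code only reads them, so `attr_reader :user, :params` would keep the authorization context fixed at `initialize`. If a caller outside this diff assigns either value, that needs checking before the change.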
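Review bot: `search` in the second hunk of sales_tax_report.rb builds a new `Permissions` object and a new search on every call, and the view uses both `@report.search` and `@report.table`, so the scoped query is constructed at least twice per request. Memoizing keeps the form and the table on the same object: `@search ||= OpenFoodNetwork::Permissions.new(user).editable_orders.complete.not_state(:canceled).search(params[:q])`. A one-line comment stating that the user-supplied `params[:q]` filter is only ever applied on top of the `editable_orders` relation would also help, since that is the line enforcing the restriction. `table` continues past the end of the hunk.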
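Review bot: The spec hunk in sales_tax_report_spec.rb only adapts the constructor call, and the diffstat shows no other change to the file, so the access restriction described in the commit message has no regression example in this commit. One example should create an order from a distributor the user does not manage, where the user's enterprise only supplies a product, and expect `report.orders` to exclude it. A positive case for a managed distributor should sit alongside it. The enclosing `describe` block continues outside the hunk.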