Admin can access variant override only when it can add hub to order cycle and it can create variant overrides for the producer of the variant

2026-03-14 04:04:23 +00:00 · 2015-02-04 11:09:48 +11:00
parent 22f6ece83f
commit 7ca9670073
2 changed files with 23 additions and 5 deletions
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
@@ -78,9 +78,15 @@ class AbilityDecorator
    end

    can [:admin, :index, :read, :update, :bulk_update], VariantOverride do |vo|
-      OpenFoodNetwork::Permissions.new(user).
+      hub_auth = OpenFoodNetwork::Permissions.new(user).
        order_cycle_enterprises.is_distributor.
        include? vo.hub
+
+      producer_auth = OpenFoodNetwork::Permissions.new(user).
+        variant_override_producers.
+        include? vo.variant.product.supplier
+
+      hub_auth && producer_auth
    end

    can [:admin, :index, :read, :create, :edit, :update_positions, :destroy], Spree::ProductProperty
--- a/spec/models/spree/ability_spec.rb
+++ b/spec/models/spree/ability_spec.rb
@@ -239,9 +239,6 @@ module Spree
          o
        end

-        let(:vo1) { create(:variant_override, hub: d1, variant: p1.master) }
-        let(:vo2) { create(:variant_override, hub: d2, variant: p2.master) }
-
        describe "editing enterprises" do
          let!(:d_related) { create(:distributor_enterprise) }
          let!(:er_pd) { create(:enterprise_relationship, parent: d_related, child: d1, permissions_list: [:edit_profile]) }
@@ -264,6 +261,13 @@ module Spree
        end

        describe "variant overrides" do
+          let(:vo1) { create(:variant_override, hub: d1, variant: p1.master) }
+          let(:vo2) { create(:variant_override, hub: d1, variant: p2.master) }
+          let(:vo3) { create(:variant_override, hub: d2, variant: p1.master) }
+          let(:vo4) { create(:variant_override, hub: d2, variant: p2.master) }
+
+          let!(:er1) { create(:enterprise_relationship, parent: s1, child: d1, permissions_list: [:create_variant_overrides]) }
+
          it "should be able to access variant overrides page" do
            should have_ability([:admin, :index, :bulk_update], for: VariantOverride)
          end
@@ -272,9 +276,17 @@ module Spree
            should have_ability([:admin, :index, :read, :update], for: vo1)
          end

-          it "should not be able to read/write other enterprises' variant overrides" do
+          it "should not be able to read/write variant overrides when producer of product hasn't granted permission" do
            should_not have_ability([:admin, :index, :read, :update], for: vo2)
          end
+
+          it "should not be able to read/write variant overrides when we can't add hub to order cycle" do
+            should_not have_ability([:admin, :index, :read, :update], for: vo3)
+          end
+
+          it "should not be able to read/write other enterprises' variant overrides" do
+            should_not have_ability([:admin, :index, :read, :update], for: vo4)
+          end
        end

        it "should be able to read/write their enterprises' orders" do