Ensure Supplier enterprise users can only view their own products in reports

app/controllers/spree/admin/reports_controller_decorator.rb

@@ -87,7 +87,7 @@ Spree::Admin::ReportsController.class_eval do
 
     @search = Spree::Order.complete.managed_by(spree_current_user).search(params[:q])
     orders = @search.result
-    line_items = orders.map { |o| o.line_items }.flatten
+    @line_items = orders.map { |o| o.line_items.managed_by(spree_current_user) }.flatten
 
     @distributors = Enterprise.is_distributor.managed_by(spree_current_user)
     @report_type = params[:report_type]
@@ -217,7 +217,7 @@ Spree::Admin::ReportsController.class_eval do
     order_grouper = OpenFoodWeb::OrderGrouper.new rules, columns
 
     @header = header
-    @table = order_grouper.table(line_items)
+    @table = order_grouper.table(@line_items)
     csv_file_name = "bulk_coop.csv"
 
     render_report(@header, @table, params[:csv], csv_file_name)
@@ -343,9 +343,9 @@ Spree::Admin::ReportsController.class_eval do
 
     @search = Spree::Order.complete.managed_by(spree_current_user).search(params[:q])
     orders = @search.result
-    line_items = orders.map { |o| o.line_items }.flatten
+    @line_items = orders.map { |o| o.line_items.managed_by(spree_current_user) }.flatten
     #payments = orders.map { |o| o.payments.select { |payment| payment.completed? } }.flatten # Only select completed payments
-
+    
     @distributors = Enterprise.is_distributor.managed_by(spree_current_user)
     #@suppliers = Enterprise.is_primary_producer
     @order_cycles = OrderCycle.active_or_complete.order('orders_close_at DESC')
@@ -353,7 +353,7 @@ Spree::Admin::ReportsController.class_eval do
 
     case params[:report_type]
     when "order_cycle_supplier_totals"
-      table_items = line_items
+      table_items = @line_items
       @include_blank = 'All'
 
       header = ["Supplier", "Product", "Variant", "Amount", "Cost per Unit", "Total Cost", "Status", "Incoming Transport"]
@@ -375,7 +375,7 @@ Spree::Admin::ReportsController.class_eval do
           sort_by: proc { |variant| variant.options_text } } ]
 
     when "order_cycle_supplier_totals_by_distributor"
-      table_items = line_items
+      table_items = @line_items
       @include_blank = 'All'
 
       header = ["Supplier", "Product", "Variant", "To Distributor", "Amount", "Cost per Unit", "Total Cost", "Shipping Method"]
@@ -407,7 +407,7 @@ Spree::Admin::ReportsController.class_eval do
         sort_by: proc { |distributor| distributor.name } } ]
 
     when "order_cycle_distributor_totals_by_supplier"
-      table_items = line_items
+      table_items = @line_items
       @include_blank = 'All'
 
       header = ["Distributor", "Supplier", "Product", "Variant", "Amount", "Cost per Unit", "Total Cost", "Total Shipping Cost", "Shipping Method"]
@@ -441,7 +441,7 @@ Spree::Admin::ReportsController.class_eval do
         sort_by: proc { |variant| variant.options_text } } ]
 
     when "order_cycle_customer_totals"
-      table_items = line_items
+      table_items = @line_items
       @include_blank = 'All'
 
       header = ["Distributor", "Customer", "Email", "Phone", "Product", "Variant", "Amount", "Item ($)", "Ship ($)", "Total ($)", "Paid?", "Packed?", "Shipped?"]
@@ -483,7 +483,7 @@ Spree::Admin::ReportsController.class_eval do
        sort_by: proc { |variant| variant.options_text } } ]
 
     else
-      table_items = line_items
+      table_items = @line_items
       @include_blank = 'All'
 
       header = ["Supplier", "Product", "Variant", "Amount", "Cost per Unit", "Total Cost", "Status", "Incoming Transport"]

app/models/spree/line_item_decorator.rb

@@ -1,3 +1,17 @@
 Spree::LineItem.class_eval do
   attr_accessible :max_quantity
+
+  # -- Scopes
+  scope :managed_by, lambda { |user|
+    if user.has_spree_role?('admin')
+      scoped
+    else
+      # User has a distributor on the Order or supplier that supplies a LineItem
+      joins('LEFT OUTER JOIN spree_variants ON (spree_variants.id = spree_line_items.variant_id)').
+      joins('LEFT OUTER JOIN spree_products ON (spree_products.id = spree_variants.product_id)').
+      joins(:order).
+      where('spree_orders.distributor_id IN (?) OR spree_products.supplier_id IN (?)', user.enterprises, user.enterprises).
+      select('spree_line_items.*')
+    end
+  }
 end

app/models/spree/order_decorator.rb

@@ -20,7 +20,13 @@ Spree::Order.class_eval do
     if user.has_spree_role?('admin')
       scoped
     else
-      where('distributor_id IN (?)', user.enterprises)
+      # User has a distributor on an Order or supplier that supplies a Product to an Order
+      # NOTE: supplier Orders should use LineItem.managed_by to ensure they only see their own LineItems!
+      joins('LEFT OUTER JOIN spree_line_items ON (spree_line_items.order_id = spree_orders.id)').
+      joins('LEFT OUTER JOIN spree_variants ON (spree_variants.id = spree_line_items.variant_id)').
+      joins('LEFT OUTER JOIN spree_products ON (spree_products.id = spree_variants.product_id)').
+      where('spree_orders.distributor_id IN (?) OR spree_products.supplier_id IN (?)', user.enterprises, user.enterprises).
+      select('DISTINCT spree_orders.*')
     end
   }