Ensure Supplier enterprise users can only view their own products in reports

2026-03-13 04:00:21 +00:00 · 2013-08-30 15:17:27 +10:00
parent 9de5a0061e
commit 80bfc5ce53
4 changed files with 149 additions and 76 deletions
--- a/app/models/spree/line_item_decorator.rb
+++ b/app/models/spree/line_item_decorator.rb
@@ -1,3 +1,17 @@
 Spree::LineItem.class_eval do
  attr_accessible :max_quantity
+
+  # -- Scopes
+  scope :managed_by, lambda { |user|
+    if user.has_spree_role?('admin')
+      scoped
+    else
+      # User has a distributor on the Order or supplier that supplies a LineItem
+      joins('LEFT OUTER JOIN spree_variants ON (spree_variants.id = spree_line_items.variant_id)').
+      joins('LEFT OUTER JOIN spree_products ON (spree_products.id = spree_variants.product_id)').
+      joins(:order).
+      where('spree_orders.distributor_id IN (?) OR spree_products.supplier_id IN (?)', user.enterprises, user.enterprises).
+      select('spree_line_items.*')
+    end
+  }
 end
--- a/app/models/spree/order_decorator.rb
+++ b/app/models/spree/order_decorator.rb
@@ -20,7 +20,13 @@ Spree::Order.class_eval do
    if user.has_spree_role?('admin')
      scoped
    else
-      where('distributor_id IN (?)', user.enterprises)
+      # User has a distributor on an Order or supplier that supplies a Product to an Order
+      # NOTE: supplier Orders should use LineItem.managed_by to ensure they only see their own LineItems!
+      joins('LEFT OUTER JOIN spree_line_items ON (spree_line_items.order_id = spree_orders.id)').
+      joins('LEFT OUTER JOIN spree_variants ON (spree_variants.id = spree_line_items.variant_id)').
+      joins('LEFT OUTER JOIN spree_products ON (spree_products.id = spree_variants.product_id)').
+      where('spree_orders.distributor_id IN (?) OR spree_products.supplier_id IN (?)', user.enterprises, user.enterprises).
+      select('DISTINCT spree_orders.*')
    end
  }