On admin order cycle edit page, do not show exchanges for enterprises the user doesn't manage

2026-02-27 01:43:22 +00:00 · 2014-04-24 15:51:39 +10:00
parent 2603256a17
commit 85db8859bb
4 changed files with 63 additions and 3 deletions
--- a/app/models/exchange.rb
+++ b/app/models/exchange.rb
@@ -28,6 +28,19 @@ class Exchange < ActiveRecord::Base
  scope :with_product, lambda { |product| joins(:exchange_variants).where('exchange_variants.variant_id IN (?)', product.variants_including_master) }


+  scope :managed_by, lambda { |user|
+    if user.has_spree_role?('admin')
+      scoped
+    else
+      joins('LEFT JOIN enterprises senders ON senders.id = exchanges.sender_id').
+        joins('LEFT JOIN enterprises receivers ON receivers.id = exchanges.receiver_id').
+        joins('LEFT JOIN enterprise_roles sender_roles ON sender_roles.enterprise_id = senders.id').
+        joins('LEFT JOIN enterprise_roles receiver_roles ON receiver_roles.enterprise_id = receivers.id').
+        where('sender_roles.user_id = ? AND receiver_roles.user_id = ?', user.id, user.id)
+    end
+  }
+
+
  def clone!(new_order_cycle)
    exchange = self.dup
    exchange.order_cycle = new_order_cycle
--- a/app/views/admin/order_cycles/show.rep
+++ b/app/views/admin/order_cycles/show.rep
@@ -9,7 +9,7 @@ r.element :order_cycle, @order_cycle do
    r.element :id
  end

-  r.list_of :exchanges, @order_cycle.exchanges.order('id ASC') do |exchange|
+  r.list_of :exchanges, @order_cycle.exchanges.managed_by(spree_current_user).order('id ASC') do |exchange|
    r.element :id
    r.element :sender_id
    r.element :receiver_id
--- a/spec/features/admin/order_cycles_spec.rb
+++ b/spec/features/admin/order_cycles_spec.rb
@@ -217,11 +217,11 @@ feature %q{
    end

    # And the distributors should have fees
-    distributor = oc.distributors.sort_by(&:name).first
+    distributor = oc.distributors.sort_by(&:id).first
    page.should have_select 'order_cycle_outgoing_exchange_0_enterprise_fees_0_enterprise_id', selected: distributor.name
    page.should have_select 'order_cycle_outgoing_exchange_0_enterprise_fees_0_enterprise_fee_id', selected: distributor.enterprise_fees.first.name

-    distributor = oc.distributors.sort_by(&:name).last
+    distributor = oc.distributors.sort_by(&:id).last
    page.should have_select 'order_cycle_outgoing_exchange_1_enterprise_fees_0_enterprise_id', selected: distributor.name
    page.should have_select 'order_cycle_outgoing_exchange_1_enterprise_fees_0_enterprise_fee_id', selected: distributor.enterprise_fees.first.name
  end
@@ -515,6 +515,16 @@ feature %q{
      order_cycle.coordinator.should == distributor1
    end

+    scenario "editing an order cycle" do
+      oc = create(:simple_order_cycle, { suppliers: [supplier1, supplier2], coordinator: supplier1, distributors: [distributor1, distributor2], name: 'Order Cycle 1' } )
+
+      visit edit_admin_order_cycle_path(oc)
+
+      # I should not see exchanges for supplier2 or distributor2
+      page.all('tr.supplier').count.should == 1
+      page.all('tr.distributor').count.should == 1
+    end
+
    scenario "cloning an order cycle" do
      oc = create(:simple_order_cycle)

--- a/spec/models/exchange_spec.rb
+++ b/spec/models/exchange_spec.rb
@@ -85,6 +85,43 @@ describe Exchange do
    let(:distributor) { create(:distributor_enterprise) }
    let(:oc) { create(:simple_order_cycle, coordinator: coordinator) }

+    describe "finding exchanges managed by a particular user" do
+      let(:user) do
+        user = create(:user)
+        user.spree_roles = []
+        user
+      end
+
+      before { Exchange.destroy_all }
+
+      it "returns exchanges where the user manages both the sender and the receiver" do
+        exchange = create(:exchange, order_cycle: oc)
+        exchange.sender.users << user
+        exchange.receiver.users << user
+
+        Exchange.managed_by(user).should == [exchange]
+      end
+
+      it "does not return exchanges where the user manages only the sender" do
+        exchange = create(:exchange, order_cycle: oc)
+        exchange.sender.users << user
+
+        Exchange.managed_by(user).should be_empty
+      end
+
+      it "does not return exchanges where the user manages only the receiver" do
+        exchange = create(:exchange, order_cycle: oc)
+        exchange.receiver.users << user
+
+        Exchange.managed_by(user).should be_empty
+      end
+
+      it "does not return exchanges where the user manages neither enterprise" do
+        exchange = create(:exchange, order_cycle: oc)
+        Exchange.managed_by(user).should be_empty
+      end
+    end
+
    it "finds exchanges in a particular order cycle" do
      ex = create(:exchange, order_cycle: oc)
      Exchange.in_order_cycle(oc).should == [ex]