From 85db8859bbab3886760578f5dcbc55a9c457b7f3 Mon Sep 17 00:00:00 2001 From: Rohan Mitchell Date: Thu, 24 Apr 2014 15:51:39 +1000 Subject: [PATCH] On admin order cycle edit page, do not show exchanges for enterprises the user doesn't manage --- app/models/exchange.rb | 13 +++++++++ app/views/admin/order_cycles/show.rep | 2 +- spec/features/admin/order_cycles_spec.rb | 14 +++++++-- spec/models/exchange_spec.rb | 37 ++++++++++++++++++++++++ 4 files changed, 63 insertions(+), 3 deletions(-) diff --git a/app/models/exchange.rb b/app/models/exchange.rb index 122586ba96..18c3f81447 100644 --- a/app/models/exchange.rb +++ b/app/models/exchange.rb @@ -28,6 +28,19 @@ class Exchange < ActiveRecord::Base scope :with_product, lambda { |product| joins(:exchange_variants).where('exchange_variants.variant_id IN (?)', product.variants_including_master) } + scope :managed_by, lambda { |user| + if user.has_spree_role?('admin') + scoped + else + joins('LEFT JOIN enterprises senders ON senders.id = exchanges.sender_id'). + joins('LEFT JOIN enterprises receivers ON receivers.id = exchanges.receiver_id'). + joins('LEFT JOIN enterprise_roles sender_roles ON sender_roles.enterprise_id = senders.id'). + joins('LEFT JOIN enterprise_roles receiver_roles ON receiver_roles.enterprise_id = receivers.id'). + where('sender_roles.user_id = ? AND receiver_roles.user_id = ?', user.id, user.id) + end + } + + def clone!(new_order_cycle) exchange = self.dup exchange.order_cycle = new_order_cycle diff --git a/app/views/admin/order_cycles/show.rep b/app/views/admin/order_cycles/show.rep index 1f91cbe3e9..04fc659813 100644 --- a/app/views/admin/order_cycles/show.rep +++ b/app/views/admin/order_cycles/show.rep 
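Review bot: The four LEFT JOINs in the new `managed_by` scope behave as inner joins, because `where('sender_roles.user_id = ? AND receiver_roles.user_id = ?', user.id, user.id)` discards every row where either join found no role. The rule that a non-admin must manage both ends of an exchange is therefore only implicit in the SQL. Since this scope works as an access filter, state the rule above it, for example `# Non-admins only see exchanges where they hold an enterprise role on BOTH the sender and the receiver.`, and consider plain inner joins so the query reads the way it behaves. If enterprise_roles can hold more than one row for the same user and enterprise (not visible in this diff), the scope would also return the same exchange several times, so a uniqueness guarantee or a distinct select is worth confirming.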
@@ -9,7 +9,7 @@ r.element :order_cycle, @order_cycle do r.element :id end - r.list_of :exchanges, @order_cycle.exchanges.order('id ASC') do |exchange| + r.list_of :exchanges, @order_cycle.exchanges.managed_by(spree_current_user).order('id ASC') do |exchange| r.element :id r.element :sender_id r.element :receiver_id diff --git a/spec/features/admin/order_cycles_spec.rb b/spec/features/admin/order_cycles_spec.rb index 0244bc434e..7d5ad9a4ec 100644 --- a/spec/features/admin/order_cycles_spec.rb +++ b/spec/features/admin/order_cycles_spec.rb @@ -217,11 +217,11 @@ feature %q{ end # And the distributors should have fees - distributor = oc.distributors.sort_by(&:name).first + distributor = oc.distributors.sort_by(&:id).first page.should have_select 'order_cycle_outgoing_exchange_0_enterprise_fees_0_enterprise_id', selected: distributor.name page.should have_select 'order_cycle_outgoing_exchange_0_enterprise_fees_0_enterprise_fee_id', selected: distributor.enterprise_fees.first.name - distributor = oc.distributors.sort_by(&:name).last + distributor = oc.distributors.sort_by(&:id).last page.should have_select 'order_cycle_outgoing_exchange_1_enterprise_fees_0_enterprise_id', selected: distributor.name page.should have_select 'order_cycle_outgoing_exchange_1_enterprise_fees_0_enterprise_fee_id', selected: distributor.enterprise_fees.first.name end @@ -515,6 +515,16 @@ feature %q{ order_cycle.coordinator.should == distributor1 end + scenario "editing an order cycle" do + oc = create(:simple_order_cycle, { suppliers: [supplier1, supplier2], coordinator: supplier1, distributors: [distributor1, distributor2], name: 'Order Cycle 1' } ) + + visit edit_admin_order_cycle_path(oc) + + # I should not see exchanges for supplier2 or distributor2 + page.all('tr.supplier').count.should == 1 + page.all('tr.distributor').count.should == 1 + end + scenario "cloning an order cycle" do oc = create(:simple_order_cycle) 
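Review bot: Nothing in this diff applies the `managed_by(spree_current_user)` restriction where the order cycle is saved; the changed `r.list_of :exchanges` line only limits what the template renders. A request that names an exchange the user does not manage may therefore still be accepted by the update path, which is outside this patch. That path should resolve submitted exchanges through the same scope or an equivalent permission check rather than rely on the form omitting them. Also confirm that saving does not treat exchanges missing from the payload as removed, since for non-admin users the hidden ones will now always be missing.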
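Review bot: The new "editing an order cycle" scenario asserts only row counts (`page.all('tr.supplier').count.should == 1` and the matching distributor line), so it would still pass if the wrong supplier or distributor row were the one left visible. Assert on the visible enterprise names as well, and add a step that saves the form and checks that the exchanges for supplier2 and distributor2 still exist afterwards. The logged-in user and the enterprises it manages are set up outside this hunk, so the expected rows are inferred from the comment `# I should not see exchanges for supplier2 or distributor2`.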
diff --git a/spec/models/exchange_spec.rb b/spec/models/exchange_spec.rb index 9614a4d357..ed6cdbfc93 100644 --- a/spec/models/exchange_spec.rb +++ b/spec/models/exchange_spec.rb @@ -85,6 +85,43 @@ describe Exchange do let(:distributor) { create(:distributor_enterprise) } let(:oc) { create(:simple_order_cycle, coordinator: coordinator) } + describe "finding exchanges managed by a particular user" do + let(:user) do + user = create(:user) + user.spree_roles = [] + user + end + + before { Exchange.destroy_all } + + it "returns exchanges where the user manages both the sender and the receiver" do + exchange = create(:exchange, order_cycle: oc) + exchange.sender.users << user + exchange.receiver.users << user + + Exchange.managed_by(user).should == [exchange] + end + + it "does not return exchanges where the user manages only the sender" do + exchange = create(:exchange, order_cycle: oc) + exchange.sender.users << user + + Exchange.managed_by(user).should be_empty + end + + it "does not return exchanges where the user manages only the receiver" do + exchange = create(:exchange, order_cycle: oc) + exchange.receiver.users << user + + Exchange.managed_by(user).should be_empty + end + + it "does not return exchanges where the user manages neither enterprise" do + exchange = create(:exchange, order_cycle: oc) + Exchange.managed_by(user).should be_empty + end + end + it "finds exchanges in a particular order cycle" do ex = create(:exchange, order_cycle: oc) Exchange.in_order_cycle(oc).should == [ex]
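Review bot: The new `describe "finding exchanges managed by a particular user"` block never exercises the admin branch of `managed_by`, because `user.spree_roles = []` is set for every example. A regression in the `has_spree_role?('admin')` bypass would go unnoticed, so add an example that gives the user the admin role and expects every exchange back. The negative cases also only cover enterprises with missing roles. Add one where a different user holds roles on both the sender and the receiver and `Exchange.managed_by(user).should be_empty` still holds, so the `user_id` binding itself is tested.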