Enterprise users are aurthorised to view BOM

This commit is contained in:
Rob H
2014-04-04 09:11:56 +11:00
parent 00df441bc2
commit 8e54bf1e2e
7 changed files with 51 additions and 3 deletions


@@ -167,7 +167,7 @@ orderManagementModule.controller "AdminOrderMgmtCtrl", [
$scope.fetchOrders = ->
$scope.loading = true
dataFetcher("/api/orders?template=bulk_index&q[completed_at_not_null]=true&q[completed_at_gt]=#{$scope.startDate}&q[completed_at_lt]=#{$scope.endDate}").then (data) ->
dataFetcher("/api/orders/managed?template=bulk_index&q[completed_at_not_null]=true&q[completed_at_gt]=#{$scope.startDate}&q[completed_at_lt]=#{$scope.endDate}").then (data) ->
$scope.resetOrders data
$scope.loading = false


@@ -1,6 +1,11 @@
Spree::Admin::OrdersController.class_eval do
before_filter :load_spree_api_key, :only => :bulk_management
# We need to add expections for collection actions other than :index here
# because spree_auth_devise causes load_order to be called, which results
# in an auth failure as the @order object is nil for collection actions
before_filter :check_authorization, :except => :bulk_management
respond_override :index => { :html =>
{ :success => lambda {
# Filter orders to only show those distributed by current user (or all for admin user)
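Review bot: Exempting `bulk_management` from `check_authorization` on L28 leaves that action protected only by whatever filters the enclosing Spree admin controller still runs (presumably an admin-level authorization filter, which is not visible here), so any regression there would expose the bulk page to every logged-in user. The feature spec added in this commit only shows an enterprise manager seeing filtered rows; a companion spec asserting that a user with no enterprise roles is redirected or forbidden at `/admin/orders/bulk_management` would pin the intended boundary. The comment on L25 also misspells "exceptions" as `expections`. The `respond_override` block starting on L29 continues past the hunk.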


@@ -0,0 +1,13 @@
Spree::Api::OrdersController.class_eval do
# We need to add expections for collection actions other than :index here
# because Spree's API controller causes authorize_read! to be called, which
# results in an ActiveRecord::NotFound Exception as the order object is not
# defined for collection actions
before_filter :authorize_read!, :except => [:managed]
def managed
@orders = Spree::Order.ransack(params[:q]).result.managed_by(current_api_user).page(params[:page]).per(params[:per_page])
respond_with(@orders, default_template: :index)
end
end
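Review bot: With `authorize_read!` skipped for `managed` (L41), the `managed_by(current_api_user)` scope on L43 becomes the sole access control for this endpoint, so it must yield an empty relation for a nil or enterprise-less user rather than falling back to all orders; `managed_by` is defined outside this commit, so that cannot be confirmed here, and no API spec exercises the endpoint directly. `ransack(params[:q])` additionally lets the caller filter on any Order column or reachable association (e.g. `q[user_email_cont]`) unless `ransackable_attributes`/`ransackable_associations` are restricted on Spree::Order, which turns a scoped listing into a yes/no oracle on associated user fields. `per(params[:per_page])` is also unbounded; give it a default and an upper cap so a single request cannot ask for every managed order at once. An API spec for an enterprise user, an unrelated user and an unauthenticated request would cover all three points.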


@@ -23,7 +23,7 @@ class AbilityDecorator
# Enterprise User can only access orders that they are a distributor for
can [:index, :create], Spree::Order
can [:admin, :read, :update, :fire, :resend], Spree::Order do |order|
can [:admin, :read, :update, :bulk_management, :fire, :resend], Spree::Order do |order|
# We allow editing orders with a nil distributor as this state occurs
# during the order creation process from the admin backend
order.distributor.nil? || user.enterprises.include?(order.distributor)
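Review bot: Adding `:bulk_management` to the block-based `can` on L54 deserves a comment, because CanCan evaluates the block only for record-level checks; an `authorize! :bulk_management, Spree::Order` against the class (the usual shape for a collection-style admin action) returns true for every enterprise user regardless of the distributor test, so row-level filtering for that page has to come from elsewhere (presumably the API's `managed_by` scope). Suggest above L54: `# :bulk_management is checked against the Spree::Order class, so the block below does not restrict it; the bulk page relies on the API scoping orders per user.` The `can` block continues past the hunk.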


@@ -104,6 +104,10 @@ Spree::Core::Engine.routes.prepend do
get :managed, on: :collection
end
resources :orders do
get :managed, on: :collection
end
resources :enterprises do
get :managed, on: :collection
end


@@ -575,4 +575,30 @@ feature %q{
end
end
end
context "as an enterprise manager" do
let(:s1) { create(:supplier_enterprise, name: 'First Supplier') }
let(:s2) { create(:supplier_enterprise, name: 'Another Supplier') }
let(:d1) { create(:distributor_enterprise, name: 'First Distributor') }
let(:d2) { create(:distributor_enterprise, name: 'Another Distributor') }
let!(:o1) { FactoryGirl.create(:order, state: 'complete', completed_at: Time.now, distributor: d1 ) }
let!(:o2) { FactoryGirl.create(:order, state: 'complete', completed_at: Time.now, distributor: d2 ) }
let!(:line_item_distributed) { FactoryGirl.create(:line_item, order: o1 ) }
let!(:line_item_not_distributed) { FactoryGirl.create(:line_item, order: o2 ) }
before(:each) do
@enterprise_user = create_enterprise_user
@enterprise_user.enterprise_roles.build(enterprise: s1).save
@enterprise_user.enterprise_roles.build(enterprise: d1).save
login_to_admin_as @enterprise_user
end
it "shows only line item from orders that I supply" do
visit '/admin/orders/bulk_management'
page.should have_selector "tr#li_#{line_item_distributed.id}", :visible => true
page.should_not have_selector "tr#li_#{line_item_not_distributed.id}", :visible => true
end
end
end
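Review bot: The negative assertion on L95 (`should_not have_selector ..., :visible => true`) also passes when the row for `o2` is present in the DOM but hidden, or when the page fails to render any rows at all, so it does not show that the other distributor's order was never returned to the browser. Dropping `:visible => true` from the negative check and adding a positive count such as `page.should have_selector "tr[id^='li_']", count: 1` makes the filtering claim tight. The example name also says "orders that I supply" while access is granted through the distributor `d1` and `s1` plays no part in the assertions; describing it as orders I distribute matches what is tested.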


@@ -41,7 +41,7 @@ describe "AdminOrderMgmtCtrl", ->
describe "fetching orders", ->
beforeEach ->
scope.initialiseVariables()
httpBackend.expectGET("/api/orders?template=bulk_index&q[completed_at_not_null]=true&q[completed_at_gt]=SomeDate&q[completed_at_lt]=SomeDate").respond "list of orders"
httpBackend.expectGET("/api/orders/managed?template=bulk_index&q[completed_at_not_null]=true&q[completed_at_gt]=SomeDate&q[completed_at_lt]=SomeDate").respond "list of orders"
it "makes a call to dataFetcher, with current start and end date parameters", ->
scope.fetchOrders()