From 8e54bf1e2ec0a234d0f777cbadf8ff4b50de585c Mon Sep 17 00:00:00 2001
From: Rob H
Date: Fri, 4 Apr 2014 09:11:56 +1100
Subject: [PATCH] Enterprise users are aurthorised to view BOM
---
 .../admin/bulk_order_management.js.coffee | 2 +-
 .../admin/orders_controller_decorator.rb | 5 ++++
 .../spree/api/orders_controller_decorator.rb | 13 ++++++++++
 app/models/spree/ability_decorator.rb | 2 +-
 config/routes.rb | 4 +++
 .../admin/bulk_order_management_spec.rb | 26 +++++++++++++++++++
 .../unit/bulk_order_management_spec.js.coffee | 2 +-
 7 files changed, 51 insertions(+), 3 deletions(-)
 create mode 100644 app/controllers/spree/api/orders_controller_decorator.rb
diff --git a/app/assets/javascripts/admin/bulk_order_management.js.coffee b/app/assets/javascripts/admin/bulk_order_management.js.coffee
index 22cc1660cf..dbd1015f83 100644
--- a/app/assets/javascripts/admin/bulk_order_management.js.coffee
+++ b/app/assets/javascripts/admin/bulk_order_management.js.coffee
@@ -167,7 +167,7 @@ orderManagementModule.controller "AdminOrderMgmtCtrl", [
     $scope.fetchOrders = ->
       $scope.loading = true
-      dataFetcher("/api/orders?template=bulk_index&q[completed_at_not_null]=true&q[completed_at_gt]=#{$scope.startDate}&q[completed_at_lt]=#{$scope.endDate}").then (data) ->
+      dataFetcher("/api/orders/managed?template=bulk_index&q[completed_at_not_null]=true&q[completed_at_gt]=#{$scope.startDate}&q[completed_at_lt]=#{$scope.endDate}").then (data) ->
         $scope.resetOrders data
         $scope.loading = false
diff --git a/app/controllers/spree/admin/orders_controller_decorator.rb b/app/controllers/spree/admin/orders_controller_decorator.rb
index 089614e7c9..51c7acba09 100644
--- a/app/controllers/spree/admin/orders_controller_decorator.rb
+++ b/app/controllers/spree/admin/orders_controller_decorator.rb
@@ -1,6 +1,11 @@
 Spree::Admin::OrdersController.class_eval do
   before_filter :load_spree_api_key, :only => :bulk_management
+  # We need to add expections for collection actions other than :index here
+  # because spree_auth_devise causes load_order to be called, which results
+  # in an auth failure as the @order object is nil for collection actions
+  before_filter :check_authorization, :except => :bulk_management
+
   respond_override :index => { :html => { :success => lambda {
     # Filter orders to only show those distributed by current user (or all for admin user)
diff --git a/app/controllers/spree/api/orders_controller_decorator.rb b/app/controllers/spree/api/orders_controller_decorator.rb
new file mode 100644
index 0000000000..4f3c5c8c77
--- /dev/null
+++ b/app/controllers/spree/api/orders_controller_decorator.rb
@@ -0,0 +1,13 @@
+Spree::Api::OrdersController.class_eval do
+
+  # We need to add expections for collection actions other than :index here
+  # because Spree's API controller causes authorize_read! to be called, which
+  # results in an ActiveRecord::NotFound Exception as the order object is not
+  # defined for collection actions
+  before_filter :authorize_read!, :except => [:managed]
+
+  def managed
+    @orders = Spree::Order.ransack(params[:q]).result.managed_by(current_api_user).page(params[:page]).per(params[:per_page])
+    respond_with(@orders, default_template: :index)
+  end
+end
\ No newline at end of file
diff --git a/app/models/spree/ability_decorator.rb b/app/models/spree/ability_decorator.rb
index 83a4e5e0aa..75c89d8664 100644
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
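Review bot: `before_filter :check_authorization, :except => :bulk_management` exempts the new action from the per-order check instead of giving it a collection-appropriate one, so the bulk_management action (defined outside this hunk) is left relying on whatever the base admin controller authorizes, which this patch does not show. Since ability_decorator.rb now grants `:bulk_management` on Spree::Order, the action should consult that rule explicitly, e.g. `authorize! :bulk_management, Spree::Order` as its first statement, so the page stays gated even if the exemption list grows. The comment reads as a generic note ("collection actions other than :index") while only one action is excepted, "expections" should be "exceptions", and redeclaring an existing before_filter to narrow it presumably depends on Rails replacing the earlier callback's options, which the comment should state.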
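Review bot: `managed` makes no `authorize!` call of its own and is also the one action excepted from `authorize_read!`, so access to this endpoint is decided solely by the `managed_by(current_api_user)` scope, which is defined outside this patch. If that scope yields an unrestricted relation for a user with no enterprises, or for a nil `current_api_user` should guest API access be enabled, every completed order becomes readable through `/api/orders/managed`; adding `authorize! :index, Spree::Order` at the top of the action makes the CanCan rules apply here as they presumably do for Spree's own `index`. `ransack(params[:q])` also accepts arbitrary attribute and association predicates from the caller unless the model whitelists ransackable attributes, which is worth a one-line comment on the method. The file also lacks a trailing newline.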
@@ -23,7 +23,7 @@ class AbilityDecorator
       # Enterprise User can only access orders that they are a distributor for
       can [:index, :create], Spree::Order
-      can [:admin, :read, :update, :fire, :resend], Spree::Order do |order|
+      can [:admin, :read, :update, :bulk_management, :fire, :resend], Spree::Order do |order|
         # We allow editing orders with a nil distributor as this state occurs
         # during the order creation process from the admin backend
         order.distributor.nil? || user.enterprises.include?(order.distributor)
diff --git a/config/routes.rb b/config/routes.rb
index 0e3db0bd35..a218fb145e 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -104,6 +104,10 @@ Spree::Core::Engine.routes.prepend do
       get :managed, on: :collection
     end
+    resources :orders do
+      get :managed, on: :collection
+    end
+
     resources :enterprises do
       get :managed, on: :collection
     end
diff --git a/spec/features/admin/bulk_order_management_spec.rb b/spec/features/admin/bulk_order_management_spec.rb
index 48493130a6..0624d5fa97 100644
--- a/spec/features/admin/bulk_order_management_spec.rb
+++ b/spec/features/admin/bulk_order_management_spec.rb
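Review bot: Adding `:bulk_management` to a `can` that carries a block makes the permission conditional only when an order instance is checked; a class-level `can?(:bulk_management, Spree::Order)`, which is what a collection action would ask, returns true for every enterprise user because CanCan does not evaluate the block when no instance is given. That is presumably the intent (the commit title says enterprise users may view the page), but the comment above ("can only access orders that they are a distributor for") now misdescribes this entry. Either declare it separately as `can :bulk_management, Spree::Order` next to the `:index, :create` line so the class-level grant is explicit, or, if it should depend on managing at least one distributor, guard that line with a check on `user.enterprises`.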
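Review bot: `resources :orders do … end` declares the full set of resource routes for orders in this block, not just the `managed` collection action it was added for; if this sits inside the API namespace (the enclosing block is outside the hunk) those duplicate Spree's own routes and are harmless, but otherwise they expose create/update/destroy routes to a controller that may not expect them. Narrow the declaration to `resources :orders, only: [] do` so the only route contributed is `get :managed, on: :collection`, which is all the CoffeeScript change in this commit uses.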
@@ -575,4 +575,30 @@ feature %q{
       end
     end
   end
+
+  context "as an enterprise manager" do
+    let(:s1) { create(:supplier_enterprise, name: 'First Supplier') }
+    let(:s2) { create(:supplier_enterprise, name: 'Another Supplier') }
+    let(:d1) { create(:distributor_enterprise, name: 'First Distributor') }
+    let(:d2) { create(:distributor_enterprise, name: 'Another Distributor') }
+    let!(:o1) { FactoryGirl.create(:order, state: 'complete', completed_at: Time.now, distributor: d1 ) }
+    let!(:o2) { FactoryGirl.create(:order, state: 'complete', completed_at: Time.now, distributor: d2 ) }
+    let!(:line_item_distributed) { FactoryGirl.create(:line_item, order: o1 ) }
+    let!(:line_item_not_distributed) { FactoryGirl.create(:line_item, order: o2 ) }
+
+    before(:each) do
+      @enterprise_user = create_enterprise_user
+      @enterprise_user.enterprise_roles.build(enterprise: s1).save
+      @enterprise_user.enterprise_roles.build(enterprise: d1).save
+
+      login_to_admin_as @enterprise_user
+    end
+
+    it "shows only line item from orders that I supply" do
+      visit '/admin/orders/bulk_management'
+
+      page.should have_selector "tr#li_#{line_item_distributed.id}", :visible => true
+      page.should_not have_selector "tr#li_#{line_item_not_distributed.id}", :visible => true
+    end
+  end
 end
diff --git a/spec/javascripts/unit/bulk_order_management_spec.js.coffee b/spec/javascripts/unit/bulk_order_management_spec.js.coffee
index 9bd31401e7..12c4d77cd7 100644
--- a/spec/javascripts/unit/bulk_order_management_spec.js.coffee
+++ b/spec/javascripts/unit/bulk_order_management_spec.js.coffee
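Review bot: The example title "shows only line item from orders that I supply" does not match the setup: o1 and o2 differ only by distributor (d1 versus d2) and the line items carry no supplier, so what is exercised is distributor membership, while s2 is created and never used. Rename it to something like `it "shows only line items from orders that I distribute" do` and drop `s2`, or attach a product from s2 if supplier-based visibility is meant to be covered. A negative example for an enterprise user holding no distributor role would also pin down what the new `/api/orders/managed` endpoint returns when nothing is managed, which is the case most likely to regress.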
@@ -41,7 +41,7 @@ describe "AdminOrderMgmtCtrl", ->
   describe "fetching orders", ->
     beforeEach ->
       scope.initialiseVariables()
-      httpBackend.expectGET("/api/orders?template=bulk_index&q[completed_at_not_null]=true&q[completed_at_gt]=SomeDate&q[completed_at_lt]=SomeDate").respond "list of orders"
+      httpBackend.expectGET("/api/orders/managed?template=bulk_index&q[completed_at_not_null]=true&q[completed_at_gt]=SomeDate&q[completed_at_lt]=SomeDate").respond "list of orders"
     it "makes a call to dataFetcher, with current start and end date parameters", ->
       scope.fetchOrders()