Set up permissions for creating source variants

2026-03-21 05:09:15 +00:00 · 2026-02-09 15:35:28 +11:00
parent 766bedb773
commit 940aa57daf
3 changed files with 54 additions and 2 deletions
--- a/app/models/spree/ability.rb
+++ b/app/models/spree/ability.rb
@@ -202,7 +202,7 @@ module Spree
    def add_product_management_abilities(user)
      # Enterprise User can only access products that they are a supplier for
      can [:create], Spree::Product
-      # An enterperprise user can change a product if they are supplier of at least
+      # An enterprise user can change a product if they are supplier of at least
      # one of the product's associated variants
      can [:admin, :read, :index, :update,
           :seo, :group_buy_options,
@@ -214,7 +214,16 @@ module Spree
        )
      end

-      can [:admin, :index, :bulk_update, :destroy, :destroy_variant, :clone], :products_v3
+      # An enterprise user can clone if they have been granted permission to the source variant.
+      # Technically I'd call this permission clone_source_variant, but it would be less confusing to
+      # use the same name as everywhere else.
+      can [:create_sourced_variant], Spree::Variant do |variant|
+        OpenFoodNetwork::Permissions.new(user).
+          enterprises_granting_sourced_variants.include? variant.supplier
+      end
+
+      can [:admin, :index, :bulk_update, :destroy, :destroy_variant, :clone,
+           :create_sourced_variant], :products_v3

      can [:create], Spree::Variant
      can [:admin, :index, :read, :edit,
--- a/lib/open_food_network/permissions.rb
+++ b/lib/open_food_network/permissions.rb
@@ -86,6 +86,10 @@ module OpenFoodNetwork
      managed_and_related_enterprises_granting :manage_products
    end

+    def enterprises_granting_sourced_variants
+      related_enterprises_granting :create_sourced_variants
+    end
+
    def manages_one_enterprise?
      @user.enterprises.length == 1
    end
--- a/spec/models/spree/ability_spec.rb
+++ b/spec/models/spree/ability_spec.rb
@@ -364,6 +364,19 @@ RSpec.describe Spree::Ability do
                                        for: p2.variants.first)
      end

+      describe "create_sourced_variant" do
+        it "should not be able to create sourced variant without permission" do
+          is_expected.not_to have_ability([:create_sourced_variant], for: p_related.variants.first)
+        end
+
+        it "should be able to create sourced variant when granted permission" do
+          create(:enterprise_relationship, parent: s_related, child: s1,
+                                           permissions_list: [:create_sourced_variants])
+
+          is_expected.to have_ability([:create_sourced_variant], for: p_related.variants.first)
+        end
+      end
+
      it "should not be able to access admin actions on orders" do
        is_expected.not_to have_ability([:admin], for: Spree::Order)
      end
@@ -720,6 +733,19 @@ RSpec.describe Spree::Ability do
      it "can request permitted enterprise fees for an order cycle" do
        is_expected.to have_ability([:for_order_cycle], for: EnterpriseFee)
      end
+
+      describe "create_sourced_variant" do
+        it "should not be able to create sourced variant without permission" do
+          is_expected.not_to have_ability([:create_sourced_variant], for: p_related.variants.first)
+        end
+
+        it "should be able to create sourced variant when granted permission" do
+          create(:enterprise_relationship, parent: s_related, child: d1,
+                                           permissions_list: [:create_sourced_variants])
+
+          is_expected.to have_ability([:create_sourced_variant], for: p_related.variants.first)
+        end
+      end
    end

    context 'Order Cycle co-ordinator, distributor enterprise manager' do
@@ -795,6 +821,19 @@ RSpec.describe Spree::Ability do
      it "has the ability to manage vouchers" do
        is_expected.to have_ability([:admin, :create], for: Voucher)
      end
+
+      describe "create_sourced_variant for own enterprise" do
+        it "should not be able to create own sourced variant without permission" do
+          is_expected.not_to have_ability([:create_sourced_variant], for: p1.variants.first)
+        end
+
+        it "should be able to create own sourced variant when granted self permission" do
+          create(:enterprise_relationship, parent: s1, child: s1,
+                                           permissions_list: [:create_sourced_variants])
+
+          is_expected.to have_ability([:create_sourced_variant], for: p1.variants.first)
+        end
+      end
    end

    context 'enterprise owner' do