Check authorisation for bulk update products

2026-01-24 20:36:49 +00:00 · 2014-09-01 11:15:00 +10:00
parent c81503d95f
commit 94683f1eaa
2 changed files with 22 additions and 2 deletions
--- a/app/controllers/spree/admin/products_controller_decorator.rb
+++ b/app/controllers/spree/admin/products_controller_decorator.rb
@@ -30,6 +30,9 @@ Spree::Admin::ProductsController.class_eval do
      "#{string}q[#{filter[:property][:db_column]}_#{filter[:predicate][:predicate]}]=#{filter[:value]};"
    end

+    # Ensure we're authorised to update all products
+    product_set.collection.each { |p| authorize! :update, p }
+
    if product_set.save
      redirect_to "/api/products/bulk_products?page=1;per_page=500;#{bulk_index_query}"
    else
--- a/spec/controllers/spree/admin/products_controller_spec.rb
+++ b/spec/controllers/spree/admin/products_controller_spec.rb
@@ -1,11 +1,28 @@
 require 'spec_helper'

 describe Spree::Admin::ProductsController do
-  context "Creating a new product" do
+  describe "updating a product we do not have access to" do
+    let(:s_managed) { create(:enterprise) }
+    let(:s_unmanaged) { create(:enterprise) }
+    let(:p) { create(:simple_product, supplier: s_unmanaged, name: 'Peas') }
+
    before do
-      login_as_admin
+      login_as_enterprise_user [s_managed]
+      spree_post :bulk_update, {"products" => [{"id" => p.id, "name" => "Pine nuts"}]}
    end

+    it "denies access" do
+      response.should redirect_to "http://test.host/unauthorized"
+    end
+
+    it "does not update any product" do
+      p.reload.name.should_not == "Pine nuts"
+    end
+  end
+
+  context "creating a new product" do
+    before { login_as_admin }
+
    it "redirects to bulk_edit when the user hits 'create'" do
      s = create(:supplier_enterprise)
      t = create(:taxon)