From 94683f1eaa153e1287665902f95ee92fbc5aca3d Mon Sep 17 00:00:00 2001
From: Rohan Mitchell <rohan@rohanmitchell.com>
Date: Mon, 1 Sep 2014 11:15:00 +1000
Subject: [PATCH] Check authorisation for bulk update products

---
 .../admin/products_controller_decorator.rb    |  3 +++
 .../spree/admin/products_controller_spec.rb   | 21 +++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/app/controllers/spree/admin/products_controller_decorator.rb b/app/controllers/spree/admin/products_controller_decorator.rb
index 7fc9984241..a5b38126e5 100644
--- a/app/controllers/spree/admin/products_controller_decorator.rb
+++ b/app/controllers/spree/admin/products_controller_decorator.rb
@@ -30,6 +30,9 @@ Spree::Admin::ProductsController.class_eval do
       "#{string}q[#{filter[:property][:db_column]}_#{filter[:predicate][:predicate]}]=#{filter[:value]};"
     end
 
+    # Ensure we're authorised to update all products
+    product_set.collection.each { |p| authorize! :update, p }
+
     if product_set.save
       redirect_to "/api/products/bulk_products?page=1;per_page=500;#{bulk_index_query}"
     else
diff --git a/spec/controllers/spree/admin/products_controller_spec.rb b/spec/controllers/spree/admin/products_controller_spec.rb
index f05be2bb69..9746ffa0e2 100644
--- a/spec/controllers/spree/admin/products_controller_spec.rb
+++ b/spec/controllers/spree/admin/products_controller_spec.rb
@@ -1,11 +1,28 @@
 require 'spec_helper'
 
 describe Spree::Admin::ProductsController do
-  context "Creating a new product" do
+  describe "updating a product we do not have access to" do
+    let(:s_managed) { create(:enterprise) }
+    let(:s_unmanaged) { create(:enterprise) }
+    let(:p) { create(:simple_product, supplier: s_unmanaged, name: 'Peas') }
+
     before do
-      login_as_admin
+      login_as_enterprise_user [s_managed]
+      spree_post :bulk_update, {"products" => [{"id" => p.id, "name" => "Pine nuts"}]}
     end
 
+    it "denies access" do
+      response.should redirect_to "http://test.host/unauthorized"
+    end
+
+    it "does not update any product" do
+      p.reload.name.should_not == "Pine nuts"
+    end
+  end
+
+  context "creating a new product" do
+    before { login_as_admin }
+
     it "redirects to bulk_edit when the user hits 'create'" do
       s = create(:supplier_enterprise)
       t = create(:taxon)