Fixing authorization for VariantOverridesController#bulk_reset

2026-02-08 22:56:06 +00:00 · 2015-10-29 11:46:56 +11:00
parent d01da727f0
commit 94785d4157
4 changed files with 53 additions and 38 deletions
--- a/app/controllers/admin/variant_overrides_controller.rb
+++ b/app/controllers/admin/variant_overrides_controller.rb
@@ -34,7 +34,7 @@ module Admin
      vo_set = VariantOverrideSet.new @variant_overrides, collection_attributes: collection_hash

      # Ensure we're authorised to update all variant overrides.
-      vo_set.collection.each { |vo| authorize! :update, vo }
+      vo_set.collection.each { |vo| authorize! :bulk_reset, vo }

      # Changed this to use class method instead, to ensure the value in the database is used to reset and not a dirty passed-in value
      #vo_set.collection.map! { |vo| vo = vo.reset_stock! }
@@ -65,7 +65,7 @@ module Admin
    end

    def collection_actions
-      [:index, :bulk_update]
+      [:index, :bulk_update, :bulk_reset]
    end
  end
 end
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
@@ -111,7 +111,7 @@ class AbilityDecorator
      OpenFoodNetwork::Permissions.new(user).managed_product_enterprises.include? variant.product.supplier
    end

-    can [:admin, :index, :read, :update, :bulk_update], VariantOverride do |vo|
+    can [:admin, :index, :read, :update, :bulk_update, :bulk_reset], VariantOverride do |vo|
      next false unless vo.hub.present? && vo.variant.andand.product.andand.supplier.present?

      hub_auth = OpenFoodNetwork::Permissions.new(user).
--- a/spec/controllers/admin/variant_overrides_spec.rb
+++ b/spec/controllers/admin/variant_overrides_spec.rb
@@ -3,57 +3,72 @@ require 'spec_helper'
 module Admin
  describe VariantOverridesController, type: :controller do
    include AuthenticationWorkflow
-    let!(:hub_owner) { create :admin_user, enterprise_limit: 2 }
+    let!(:hub_owner) { create :user, enterprise_limit: 2 }
+    let!(:v1) { create(:variant) }
+    let!(:v2) { create(:variant) }
+    let!(:vo1) { create(:variant_override, hub: hub, variant: v1, price: "6.0", count_on_hand: 5, default_stock: 7, enable_reset: true) }
+    let!(:vo2) { create(:variant_override, hub: hub, variant: v2, price: "6.0", count_on_hand: 2, default_stock: 1, enable_reset: false) }

    before do
      controller.stub spree_current_user: hub_owner
    end

    describe "bulk_update" do
-      context "as an enterprise user I update the variant overrides" do
-        let!(:hub) { create(:distributor_enterprise, owner: hub_owner) }
+      let!(:hub) { create(:distributor_enterprise, owner: hub_owner) }
+      let(:params) { { variant_overrides: [{id: vo1.id, price: "10.0"}, {id: vo2.id, default_stock: 12 }] } }
+
+      context "where the producer has not granted create_variant_overrides permission to the hub" do
+        it "restricts access" do
+          spree_put :bulk_update, params
+          expect(response).to redirect_to spree.unauthorized_path
+        end
+      end
+
+      context "where the producer has granted create_variant_overrides permission to the hub" do
+        let!(:er1) { create(:enterprise_relationship, parent: v1.product.supplier, child: hub, permissions_list: [:create_variant_overrides]) }
+
        it "updates the overrides correctly" do
-          v1 = create(:variant)
-          v2 = create(:variant)
-          vo1 = create(:variant_override, hub: hub, variant: v1, price: "6.0", count_on_hand: 5, default_stock: 7)
-          vo2 = create(:variant_override, hub: hub, variant: v2, price: "6.0", count_on_hand: 5, default_stock: 7)
-          vo1.price = "10.0"
-          vo2.default_stock = 12
-          # Have to use .attributes as otherwise passes just the ID
-          spree_put :bulk_update, {variant_overrides: [vo1.attributes, vo2.attributes]}
-	        # Retrieve from database
-          VariantOverride.find(vo1.id).price.should eq 10
-	        VariantOverride.find(vo2.id).default_stock.should eq 12
+          spree_put :bulk_update, params
+          vo1.reload.price.should eq 10
+	        vo2.reload.default_stock.should eq 12
        end
      end
    end
+
    describe "bulk_reset" do
      let!(:hub) { create(:distributor_enterprise, owner: hub_owner) }
+
      before do
        controller.stub spree_current_user: hub.owner
      end
-      context "when a reset request is received" do
-        it "updates stock to default values" do
-        v1 = create(:variant)
-        v2 = create(:variant)
-        vo1 = create(:variant_override, hub: hub, variant: v1, price: "6.0", count_on_hand: 5, default_stock: 7, enable_reset: true)
-        vo2 = create(:variant_override, hub: hub, variant: v2, price: "6.0", count_on_hand: 2, default_stock: 1, enable_reset: false)
-        params = {"variant_overrides" => [vo1.attributes, vo2.attributes]}
-        spree_put :bulk_reset, params

-        vo1.reload
-        expect(vo1.count_on_hand).to eq 7
-        end
-        it "doesn't update where reset is disabled" do
-          v1 = create(:variant)
-          v2 = create(:variant)
-          vo1 = create(:variant_override, hub: hub, variant: v1, price: "6.0", count_on_hand: 5, default_stock: 7, enable_reset: true)
-          vo2 = create(:variant_override, hub: hub, variant: v2, price: "6.0", count_on_hand: 2, default_stock: 1, enable_reset: false)
-          params = {"variant_overrides" => [vo1.attributes, vo2.attributes]}
+      context "where the producer has not granted create_variant_overrides permission to the hub" do
+        let(:params) { { variant_overrides: [ { id: vo1 } ] } }
+
+        it "restricts access" do
          spree_put :bulk_reset, params
-          
-          vo2.reload
-          expect(vo2.count_on_hand).to eq 2
+          expect(response).to redirect_to spree.unauthorized_path
+        end
+      end
+
+      context "where the producer has granted create_variant_overrides permission to the hub" do
+        let!(:er1) { create(:enterprise_relationship, parent: v1.product.supplier, child: hub, permissions_list: [:create_variant_overrides]) }
+
+        context "where reset is enabled" do
+          let(:params) { { variant_overrides: [ { id: vo1 } ] } }
+
+          it "updates stock to default values" do
+            spree_put :bulk_reset, params
+            expect(vo1.reload.count_on_hand).to eq 7
+          end
+        end
+
+        context "where reset is disabled" do
+          let(:params) { { variant_overrides: [ { id: vo2 } ] } }
+          it "doesn't update on_hand" do
+            spree_put :bulk_reset, params
+            expect(vo2.reload.count_on_hand).to eq 2
+          end
        end
      end
    end
--- a/spec/models/spree/ability_spec.rb
+++ b/spec/models/spree/ability_spec.rb
@@ -323,7 +323,7 @@ module Spree
          let!(:er1) { create(:enterprise_relationship, parent: s1, child: d1, permissions_list: [:create_variant_overrides]) }

          it "should be able to access variant overrides page" do
-            should have_ability([:admin, :index, :bulk_update], for: VariantOverride)
+            should have_ability([:admin, :index, :bulk_update, :bulk_reset], for: VariantOverride)
          end

          it "should be able to read/write their own variant overrides" do