From 99bd6244ed09fc4a6fe6f9464288e7b7bfdf9272 Mon Sep 17 00:00:00 2001
From: Rob Harrington <oeoeaio@gmail.com>
Date: Wed, 25 Mar 2015 15:38:08 +1100
Subject: [PATCH] Filtering the list of variants visible within each exchange
 based on permissions

---
 .../filters/visible_products.js.coffee             |  3 +++
 .../filters/visible_variants.js.coffee             |  4 ++++
 .../api/admin/order_cycle_serializer.rb            | 14 ++++++++++++++
 .../_exchange_distributed_products_form.html.haml  |  5 ++++-
 .../_exchange_supplied_products_form.html.haml     |  2 ++
 5 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 app/assets/javascripts/admin/order_cycles/filters/visible_products.js.coffee
 create mode 100644 app/assets/javascripts/admin/order_cycles/filters/visible_variants.js.coffee

diff --git a/app/assets/javascripts/admin/order_cycles/filters/visible_products.js.coffee b/app/assets/javascripts/admin/order_cycles/filters/visible_products.js.coffee
new file mode 100644
index 0000000000..2684fe1287
--- /dev/null
+++ b/app/assets/javascripts/admin/order_cycles/filters/visible_products.js.coffee
@@ -0,0 +1,3 @@
+angular.module("admin.order_cycles").filter "visibleProducts", ($filter) ->
+  return (products, exchange, rules) ->
+    return (product for product in products when $filter('visibleVariants')(product, exchange, rules).length > 0)
diff --git a/app/assets/javascripts/admin/order_cycles/filters/visible_variants.js.coffee b/app/assets/javascripts/admin/order_cycles/filters/visible_variants.js.coffee
new file mode 100644
index 0000000000..feb1635cce
--- /dev/null
+++ b/app/assets/javascripts/admin/order_cycles/filters/visible_variants.js.coffee
@@ -0,0 +1,4 @@
+angular.module("admin.order_cycles").filter "visibleVariants", ->
+  return (product, exchange, rules) ->
+    enterprise_id = if exchange.incoming then exchange.sender_id else exchange.receiver_id
+    return (variant for variant in product.variants when variant.id in rules[exchange.enterprise_id])
diff --git a/app/serializers/api/admin/order_cycle_serializer.rb b/app/serializers/api/admin/order_cycle_serializer.rb
index a4c129774e..333cdfacdc 100644
--- a/app/serializers/api/admin/order_cycle_serializer.rb
+++ b/app/serializers/api/admin/order_cycle_serializer.rb
@@ -1,5 +1,6 @@
 class Api::Admin::OrderCycleSerializer < ActiveModel::Serializer
   attributes :id, :name, :orders_open_at, :orders_close_at, :coordinator_id, :exchanges
+  attributes :visible_variants_for_outgoing_exchanges
 
   has_many :coordinator_fees, serializer: Api::IdSerializer
 
@@ -15,4 +16,17 @@ class Api::Admin::OrderCycleSerializer < ActiveModel::Serializer
     scoped_exchanges = OpenFoodNetwork::Permissions.new(options[:current_user]).order_cycle_exchanges(object).order('id ASC')
     ActiveModel::ArraySerializer.new(scoped_exchanges, {each_serializer: Api::Admin::ExchangeSerializer, current_user: options[:current_user] })
   end
+
+  def visible_variants_for_outgoing_exchanges
+    # For each enterprise that the current user is able to see in this order cycle,
+    # work out which variants should be visible within outgoing exchanges from that enterprise
+    visible = {}
+    enterprises = OpenFoodNetwork::Permissions.new(options[:current_user]).order_cycle_enterprises_for(order_cycle: object)
+    enterprises.each do |enterprise|
+      variants = OpenFoodNetwork::Permissions.new(options[:current_user]).
+        visible_variants_for_outgoing_exchanges_between(object.coordinator, enterprise, order_cycle: object).pluck(:id)
+      visible[enterprise.id] = variants if variants.any?
+    end
+    visible
+  end
 end
diff --git a/app/views/admin/order_cycles/_exchange_distributed_products_form.html.haml b/app/views/admin/order_cycles/_exchange_distributed_products_form.html.haml
index 6566ee770a..efdf3bdf35 100644
--- a/app/views/admin/order_cycles/_exchange_distributed_products_form.html.haml
+++ b/app/views/admin/order_cycles/_exchange_distributed_products_form.html.haml
@@ -4,13 +4,16 @@
       = check_box_tag 'order_cycle_outgoing_exchange_{{ $parent.$index }}_select_all_variants', 1, 1, 'ng-model' => 'exchange.select_all_variants', 'ng-change' => 'setExchangeVariants(exchange, incomingExchangesVariants(), exchange.select_all_variants)', 'id' => 'order_cycle_outgoing_exchange_{{ $parent.$index }}_select_all_variants'
       Select all
 
-  .exchange-product{'ng-repeat' => 'product in supplied_products | filter:productSuppliedToOrderCycle'}
+  -# Scope product list based on permissions the current user has to view variants in this exchange
+  .exchange-product{'ng-repeat' => 'product in supplied_products | filter:productSuppliedToOrderCycle | visibleProducts:exchange:order_cycle.visible_variants_for_outgoing_exchanges' }
     .exchange-product-details
       .supplier {{ product.supplier_name }}
       %label
         = check_box_tag 'order_cycle_outgoing_exchange_{{ $parent.$index }}_variants_{{ product.master_id }}', 1, 1, 'ng-hide' => 'product.variants.length > 0', 'ng-disabled' => 'product.variants.length > 0', 'ng-model' => 'exchange.variants[product.master_id]', 'id' => 'order_cycle_outgoing_exchange_{{ $parent.$index }}_variants_{{ product.master_id }}'
         %img{'ng-src' => '{{ product.image_url }}'}
         {{ product.name }}
+
+    -# if we ever need to filter variants within a product using visibility permissions, we can use this filter: visibleVariants:exchange:order_cycle.visible_variants_for_outgoing_exchanges
     .exchange-product-variant{'ng-repeat' => 'variant in product.variants | filter:variantSuppliedToOrderCycle'}
       %label
         = check_box_tag 'order_cycle_outgoing_exchange_{{ $parent.$parent.$index }}_variants_{{ variant.id }}', 1, 1, 'ng-model' => 'exchange.variants[variant.id]', 'id' => 'order_cycle_outgoing_exchange_{{ $parent.$parent.$index }}_variants_{{ variant.id }}'
diff --git a/app/views/admin/order_cycles/_exchange_supplied_products_form.html.haml b/app/views/admin/order_cycles/_exchange_supplied_products_form.html.haml
index 4e4ae4c3f3..a23c0bc4ba 100644
--- a/app/views/admin/order_cycles/_exchange_supplied_products_form.html.haml
+++ b/app/views/admin/order_cycles/_exchange_supplied_products_form.html.haml
@@ -5,6 +5,8 @@
       = check_box_tag 'order_cycle_incoming_exchange_{{ $parent.$index }}_select_all_variants', 1, 1, 'ng-model' => 'exchange.select_all_variants', 'ng-change' => 'setExchangeVariants(exchange, suppliedVariants(exchange.enterprise_id), exchange.select_all_variants)', 'id' => 'order_cycle_incoming_exchange_{{ $parent.$index }}_select_all_variants'
       Select all
 
+  -# No need to scope product list based on permissions, because if an incoming exchange is visible,
+  -# then all of the variants within it should be visible. May change in the future?
   .exchange-product{'ng-repeat' => 'product in enterprises[exchange.enterprise_id].supplied_products'}
 
     .exchange-product-details