Restrict ability to change managers of enterprises using update action

This commit is contained in:
Rob Harrington
2015-02-11 15:31:16 +11:00
parent 5c09ebf138
commit a62f48441d
2 changed files with 84 additions and 46 deletions


@@ -9,6 +9,7 @@ module Admin
before_filter :override_owner, only: :create
before_filter :check_can_change_owner, only: :update
before_filter :check_can_change_bulk_owner, only: :bulk_update
before_filter :check_can_change_managers, only: :update
helper 'spree/products'
include OrderCyclesHelper
@@ -130,6 +131,12 @@ module Admin
end
end
def check_can_change_managers
unless ( spree_current_user == @enterprise.owner ) || spree_current_user.admin?
params[:enterprise].delete :user_ids
end
end
# Overriding method on Spree's resource controller
def location_after_save
if params[:enterprise].key? :producer_properties_attributes
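Review bot: `check_can_change_managers` strips a single key, `user_ids`, so membership is protected only as long as no other mass-assignable attribute (nested role or user attributes, for instance) can reach the model — that cannot be confirmed from this hunk, and a one-key deny-list is fragile against later additions to the assignable attributes; an allow-list of update params per role, or a model-level guard, would hold up better. The stripped request also completes successfully, so a manager who tampers with the form leaves no trace; a `Rails.logger.warn` line naming `spree_current_user.id` and `@enterprise.id` just before the delete would give operations something to alert on. The delete further assumes `params[:enterprise]` is present and that `@enterprise` was loaded by an earlier filter not shown here; `params.fetch(:enterprise, {}).delete(:user_ids)` at least avoids a NoMethodError on a malformed request. The module body continues outside the hunk.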


@@ -3,36 +3,39 @@ require 'spec_helper'
module Admin
describe EnterprisesController do
include AuthenticationWorkflow
let(:distributor_owner) do
user = create(:user)
user.spree_roles = []
user
end
let(:distributor) { create(:distributor_enterprise, owner: distributor_owner ) }
let(:user) do
let(:user) { create_enterprise_user }
let(:distributor_manager) do
user = create(:user)
user.spree_roles = []
distributor.enterprise_roles.build(user: user).save
user
end
let(:distributor_owner) do
user = create(:user)
user.spree_roles = []
user
end
let(:admin_user) do
user = create(:user)
user.spree_roles << Spree::Role.find_or_create_by_name!('admin')
user
end
let(:distributor) { create(:distributor_enterprise, owner: distributor_owner ) }
describe "creating an enterprise" do
let(:country) { Spree::Country.find_by_name 'Australia' }
let(:state) { Spree::State.find_by_name 'Victoria' }
let(:enterprise_params) { {enterprise: {name: 'zzz', permalink: 'zzz', email: "bob@example.com", address_attributes: {address1: 'a', city: 'a', zipcode: 'a', country_id: country.id, state_id: state.id}}} }
it "grants management permission if the current user is an enterprise user" do
controller.stub spree_current_user: user
enterprise_params[:enterprise][:owner_id] = user
controller.stub spree_current_user: distributor_manager
enterprise_params[:enterprise][:owner_id] = distributor_manager
spree_put :create, enterprise_params
enterprise = Enterprise.find_by_name 'zzz'
user.enterprise_roles.where(enterprise_id: enterprise).first.should be
distributor_manager.enterprise_roles.where(enterprise_id: enterprise).first.should be
end
it "does not grant management permission to admins" do
@@ -45,41 +48,12 @@ module Admin
end
it "it overrides the owner_id submitted by the user unless current_user is super admin" do
controller.stub spree_current_user: user
enterprise_params[:enterprise][:owner_id] = admin_user
controller.stub spree_current_user: distributor_manager
enterprise_params[:enterprise][:owner_id] = user
spree_put :create, enterprise_params
enterprise = Enterprise.find_by_name 'zzz'
user.enterprise_roles.where(enterprise_id: enterprise).first.should be
end
end
describe "updating an enterprise" do
it "allows current owner to change ownership" do
controller.stub spree_current_user: distributor_owner
update_params = { id: distributor, enterprise: { owner_id: user } }
spree_post :update, update_params
distributor.reload
expect(distributor.owner).to eq user
end
it "allows super admin to change ownership" do
controller.stub spree_current_user: admin_user
update_params = { id: distributor, enterprise: { owner_id: user } }
spree_post :update, update_params
distributor.reload
expect(distributor.owner).to eq user
end
it "does not allow managers to change ownership" do
controller.stub spree_current_user: user
update_params = { id: distributor, enterprise: { owner_id: user } }
spree_post :update, update_params
distributor.reload
expect(distributor.owner).to eq distributor_owner
distributor_manager.enterprise_roles.where(enterprise_id: enterprise).first.should be
end
end
@@ -88,14 +62,52 @@ module Admin
context "as manager" do
it "does not allow 'sells' to be changed" do
profile_enterprise.enterprise_roles.build(user: user).save
controller.stub spree_current_user: user
profile_enterprise.enterprise_roles.build(user: distributor_manager).save
controller.stub spree_current_user: distributor_manager
enterprise_params = { id: profile_enterprise, enterprise: { sells: 'any' } }
spree_put :update, enterprise_params
profile_enterprise.reload
expect(profile_enterprise.sells).to eq 'none'
end
it "does not allow owner to be changed" do
controller.stub spree_current_user: distributor_manager
update_params = { id: distributor, enterprise: { owner_id: distributor_manager } }
spree_post :update, update_params
distributor.reload
expect(distributor.owner).to eq distributor_owner
end
it "does not allow managers to be changed" do
controller.stub spree_current_user: distributor_manager
update_params = { id: distributor, enterprise: { user_ids: [distributor_owner.id,distributor_manager.id,user.id] } }
spree_post :update, update_params
distributor.reload
expect(distributor.users).to_not include user
end
end
context "as owner" do
it "allows owner to be changed" do
controller.stub spree_current_user: distributor_owner
update_params = { id: distributor, enterprise: { owner_id: distributor_manager } }
spree_post :update, update_params
distributor.reload
expect(distributor.owner).to eq distributor_manager
end
it "allows managers to be changed" do
controller.stub spree_current_user: distributor_owner
update_params = { id: distributor, enterprise: { user_ids: [distributor_owner.id,distributor_manager.id,user.id] } }
spree_post :update, update_params
distributor.reload
expect(distributor.users).to include user
end
end
context "as super admin" do
@@ -107,6 +119,25 @@ module Admin
profile_enterprise.reload
expect(profile_enterprise.sells).to eq 'any'
end
it "allows owner to be changed" do
controller.stub spree_current_user: admin_user
update_params = { id: distributor, enterprise: { owner_id: distributor_manager } }
spree_post :update, update_params
distributor.reload
expect(distributor.owner).to eq distributor_manager
end
it "allows managers to be changed" do
controller.stub spree_current_user: admin_user
update_params = { id: distributor, enterprise: { user_ids: [distributor_owner.id,distributor_manager.id,user.id] } }
spree_post :update, update_params
distributor.reload
expect(distributor.users).to include user
end
end
end
@@ -114,7 +145,7 @@ module Admin
let(:enterprise) { create(:enterprise, sells: 'none') }
before do
controller.stub spree_current_user: user
controller.stub spree_current_user: distributor_manager
end
context "as a normal user" do
@@ -126,7 +157,7 @@ module Admin
context "as a manager" do
before do
enterprise.enterprise_roles.build(user: user).save
enterprise.enterprise_roles.build(user: distributor_manager).save
end
context "allows setting 'sells' to 'none'" do
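Review bot: The manager case `it "does not allow managers to be changed"` only asserts that `user` was not added, which would also pass if the filter had partially applied the submitted list or if the update had failed for an unrelated reason; it does not pin that existing membership is untouched and that the request otherwise succeeds. Capturing the membership before the request and asserting `expect(distributor.users.map(&:id)).to match_array(ids_before)` afterwards, together with a check on the response (a redirect, if that is what a successful update returns here), would pin the "drop the key, complete the update" behaviour the controller implements. The owner and admin variants exercise only the positive path, so they cannot catch a regression where `user_ids` is ignored for everyone. The spec file continues outside this section.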