Enterprise manager can bulk edit products

app/assets/javascripts/admin/bulk_product_update.js

@@ -154,10 +154,10 @@ productsApp.controller('AdminBulkProductsCtrl', ["$scope", "$timeout", "$http",
 			$scope.spree_api_key_ok = data.hasOwnProperty("success") && data["success"] == "Use of API Authorised";
 			if ($scope.spree_api_key_ok){
 				$http.defaults.headers.common['X-Spree-Token'] = spree_api_key;
-				dataFetcher('/api/enterprises?template=bulk_index;q[is_primary_producer_eq]=true').then(function(data){
+				dataFetcher('/api/enterprises/managed?template=bulk_index&q[is_primary_producer_eq]=true').then(function(data){
 					$scope.suppliers = data;
 					// Need to have suppliers before we get products so we can match suppliers to product.supplier
-					dataFetcher('/api/products?template=bulk_index').then(function(data){
+					dataFetcher('/api/products/managed?template=bulk_index').then(function(data){
 						$scope.resetProducts(data);
 					});
 				});

app/controllers/spree/admin/products_controller_decorator.rb

@@ -12,7 +12,7 @@ Spree::Admin::ProductsController.class_eval do
     product_set = Spree::ProductSet.new({:collection_attributes => collection_hash})
 
     if product_set.save
-      redirect_to "/api/products?template=bulk_index"
+      redirect_to "/api/products/managed?template=bulk_index"
     else
       render :nothing => true
     end
@@ -37,7 +37,7 @@ Spree::Admin::ProductsController.class_eval do
 
     params[:q][:s] ||= "name asc"
 
-    @search = super.ransack(params[:q])
+    @search = Spree::Product.ransack(params[:q]) # this line is modified - hit Spree::Product instead of super, avoiding cancan error for fetching records with block permissions via accessible_by
     @collection = @search.result.
       managed_by(spree_current_user). # this line is added to the original spree code!!!!!
       group_by_products_id.
@@ -52,10 +52,15 @@ Spree::Admin::ProductsController.class_eval do
     @collection
   end
 
+  def collection_actions
+    [:index, :bulk_edit, :bulk_update]
+  end
+
+
   private
 
   def load_spree_api_key
     current_user.generate_spree_api_key! unless spree_current_user.spree_api_key
     @spree_api_key = spree_current_user.spree_api_key
   end
-end
+end

app/controllers/spree/api/enterprises_controller.rb

@@ -3,15 +3,10 @@ module Spree
     class EnterprisesController < Spree::Api::BaseController
       respond_to :json
 
-      def bulk_show
-        @enterprise = Enterprise.find(params[:id])
-        respond_with(@enterprise)
-      end
-
-      def bulk_index
-        @enterprises = Enterprise.ransack(params[:q]).result
+      def managed
+        @enterprises = Enterprise.ransack(params[:q]).result.managed_by(current_api_user)
         respond_with(@enterprises)
       end
     end
   end
-end
+end

app/controllers/spree/api/products_controller_decorator.rb

@@ -0,0 +1,7 @@
+Spree::Api::ProductsController.class_eval do
+  def managed
+    @products = product_scope.ransack(params[:q]).result.managed_by(current_api_user).page(params[:page]).per(params[:per_page])
+    respond_with(@products, default_template: :index)
+  end
+
+end

app/models/spree/ability_decorator.rb

@@ -6,7 +6,7 @@ class AbilityDecorator
 
       #Enterprise User can only access products that they are a supplier for
       can [:create], Spree::Product
-      can [:admin, :read, :update, :bulk_edit, :clone, :destroy], Spree::Product  do |product|
+      can [:admin, :read, :update, :bulk_edit, :bulk_update, :clone, :destroy], Spree::Product  do |product|
         user.enterprises.include? product.supplier
       end
 

config/routes.rb

@@ -9,7 +9,7 @@ Openfoodweb::Application.routes.draw do
     end
 
     member do
-      get :shop_front #new world
+      get :shop_front # new world
       get :shop # old world
     end
   end
@@ -52,9 +52,20 @@ Spree::Core::Engine.routes.prepend do
   match '/admin/reports/order_cycles' => 'admin/reports#order_cycles', :as => "order_cycles_admin_reports",  :via  => [:get, :post]
   match '/admin/products/bulk_edit' => 'admin/products#bulk_edit', :as => "bulk_edit_admin_products"
 
-  match '/api/users/authorise_api' => 'api/users#authorise_api', :via => :get, :defaults => { :format => 'json' }
-  match '/api/enterprises' => 'api/enterprises#bulk_index', :via => :get, :defaults => { :format => 'json' }
-  match '/api/enterprises/:id' => 'api/enterprises#bulk_show', :via => :get, :defaults => { :format => 'json' }
+
+  namespace :api, :defaults => { :format => 'json' } do
+    resources :users do
+      get :authorise_api, on: :collection
+    end
+
+    resources :products do
+      get :managed, on: :collection
+    end
+
+    resources :enterprises do
+      get :managed, on: :collection
+    end
+  end
 
   namespace :admin do
     resources :products do

spec/features/admin/bulk_product_update_spec.rb

@@ -31,7 +31,7 @@ feature %q{
       page.should have_field "product_name", with: p2.name
     end
 
-    it "displays a select box for suppliers,  with the appropriate supplier selected" do
+    it "displays a select box for suppliers, with the appropriate supplier selected" do
       s1 = FactoryGirl.create(:supplier_enterprise)
       s2 = FactoryGirl.create(:supplier_enterprise)
       s3 = FactoryGirl.create(:supplier_enterprise)
@@ -421,4 +421,66 @@ feature %q{
       end
     end
   end
-end 
+
+  context "as an enterprise manager" do
+    let(:s1) { create(:supplier_enterprise, name: 'First Supplier') }
+    let(:s2) { create(:supplier_enterprise, name: 'Another Supplier') }
+    let(:s3) { create(:supplier_enterprise, name: 'Yet Another Supplier') }
+    let(:d1) { create(:distributor_enterprise, name: 'First Distributor') }
+    let(:d2) { create(:distributor_enterprise, name: 'Another Distributor') }
+    let!(:product_supplied) { create(:product, supplier: s1, price: 10.0, on_hand: 6) }
+    let!(:product_not_supplied) { create(:product, supplier: s3) }
+
+    before(:each) do
+      @enterprise_user = create_enterprise_user
+      @enterprise_user.enterprise_roles.build(enterprise: s1).save
+      @enterprise_user.enterprise_roles.build(enterprise: s2).save
+      @enterprise_user.enterprise_roles.build(enterprise: d1).save
+
+      login_to_admin_as @enterprise_user
+    end
+
+    it "shows only products that I supply" do
+      visit '/admin/products/bulk_edit'
+
+      page.should have_field 'product_name', with: product_supplied.name
+      page.should_not have_field 'product_name', with: product_not_supplied.name
+    end
+
+    it "shows only suppliers that I manage" do
+      visit '/admin/products/bulk_edit'
+
+      page.should have_select 'supplier', with_options: [s1.name, s2.name], selected: s1.name
+      page.should_not have_select 'supplier', with_options: [s3.name]
+    end
+
+    it "allows me to update a product" do
+      p = product_supplied
+
+      visit '/admin/products/bulk_edit'
+
+      page.should have_field "product_name", with: p.name
+      page.should have_select "supplier", selected: s1.name
+      page.should have_field "available_on", with: p.available_on.strftime("%F %T")
+      page.should have_field "price", with: "10.0"
+      page.should have_field "on_hand", with: "6"
+
+      fill_in "product_name", with: "Big Bag Of Potatoes"
+      select s2.name, from: 'supplier'
+      fill_in "available_on", with: (Date.today-3).strftime("%F %T")
+      fill_in "price", with: "20"
+      fill_in "on_hand", with: "18"
+
+      click_button 'Update'
+      page.find("span#update-status-message").should have_content "Update complete"
+
+      visit '/admin/products/bulk_edit'
+
+      page.should have_field "product_name", with: "Big Bag Of Potatoes"
+      page.should have_select "supplier", selected: s2.name
+      page.should have_field "available_on", with: (Date.today-3).strftime("%F %T")
+      page.should have_field "price", with: "20.0"
+      page.should have_field "on_hand", with: "18"
+    end
+  end
+end

spec/javascripts/unit/bulk_product_update_spec.js

@@ -202,8 +202,8 @@ describe("AdminBulkProductsCtrl", function(){
 
 		it("gets a list of suppliers and then resets products with a list of data", function(){
 			httpBackend.expectGET('/api/users/authorise_api?token=api_key').respond( { "success": "Use of API Authorised" } );
-			httpBackend.expectGET('/api/enterprises?template=bulk_index;q[is_primary_producer_eq]=true').respond("list of suppliers");
-			httpBackend.expectGET('/api/products?template=bulk_index').respond("list of products");
+			httpBackend.expectGET('/api/enterprises/managed?template=bulk_index&q[is_primary_producer_eq]=true').respond("list of suppliers");
+			httpBackend.expectGET('/api/products/managed?template=bulk_index').respond("list of products");
 			spyOn(scope, "resetProducts");
 			scope.initialise('api_key');
 			httpBackend.flush();

spec/models/ability_spec.rb

@@ -32,11 +32,11 @@ module Spree
         let (:order) {create(:order, )}
 
         it "should be able to read/write their enterprises' products" do
-          should have_ability([:admin, :read, :update, :bulk_edit, :clone, :destroy], for: p1)
+          should have_ability([:admin, :read, :update, :bulk_edit, :bulk_update, :clone, :destroy], for: p1)
         end
 
         it "should not be able to read/write other enterprises' products" do
-          should_not have_ability([:admin, :read, :update, :bulk_edit, :clone, :destroy], for: p2)
+          should_not have_ability([:admin, :read, :update, :bulk_edit, :bulk_update, :clone, :destroy], for: p2)
         end
 
         it "should be able to create a new product" do