Fixing customer info security for bulk coop report

2026-04-06 07:29:16 +00:00 · 2015-10-29 16:46:39 +11:00
parent 23b9dd5c71
commit b121984e76
2 changed files with 114 additions and 3 deletions
--- a/lib/open_food_network/bulk_coop_report.rb
+++ b/lib/open_food_network/bulk_coop_report.rb
@@ -28,12 +28,26 @@ module OpenFoodNetwork
    end

    def search
-      Spree::Order.complete.not_state(:canceled).managed_by(@user).search(params[:q])
+      Spree::Order.complete.not_state(:canceled).search(params[:q])
    end

    def table_items
-      orders = search.result
-      orders.map { |o| o.line_items.managed_by(@user) }.flatten
+      permissions = OpenFoodNetwork::Permissions.new(@user)
+      orders = permissions.visible_orders.merge(search.result)
+
+      line_items = permissions.visible_line_items.merge(Spree::LineItem.where(order_id: orders))
+
+      line_items_with_hidden_details =
+        permissions.editable_line_items.empty? ? line_items : line_items.where('"spree_line_items"."id" NOT IN (?)', permissions.editable_line_items)
+
+      line_items.select{ |li| line_items_with_hidden_details.include? li }.each do |line_item|
+        # TODO We should really be hiding customer code here too, but until we
+        # have an actual association between order and customer, it's a bit tricky
+        line_item.order.bill_address.assign_attributes(firstname: "HIDDEN", lastname: "", phone: "", address1: "", address2: "", city: "", zipcode: "", state: nil)
+        line_item.order.ship_address.assign_attributes(firstname: "HIDDEN", lastname: "", phone: "", address1: "", address2: "", city: "", zipcode: "", state: nil)
+        line_item.order.assign_attributes(email: "HIDDEN")
+      end
+      line_items
    end

    def rules
--- a/spec/lib/open_food_network/bulk_coop_report_spec.rb
+++ b/spec/lib/open_food_network/bulk_coop_report_spec.rb
@@ -0,0 +1,97 @@
+require 'spec_helper'
+
+include AuthenticationWorkflow
+
+module OpenFoodNetwork
+  describe BulkCoopReport do
+    describe "fetching orders" do
+      let(:d1) { create(:distributor_enterprise) }
+      let(:oc1) { create(:simple_order_cycle) }
+      let(:o1) { create(:order, completed_at: 1.day.ago, order_cycle: oc1, distributor: d1) }
+      let(:li1) { build(:line_item) }
+
+      before { o1.line_items << li1 }
+
+      context "as a site admin" do
+        let(:user) { create(:admin_user) }
+        subject { BulkCoopReport.new user }
+
+        it "fetches completed orders" do
+          o2 = create(:order)
+          o2.line_items << build(:line_item)
+          subject.table_items.should == [li1]
+        end
+
+        it "does not show cancelled orders" do
+          o2 = create(:order, state: "canceled", completed_at: 1.day.ago)
+          o2.line_items << build(:line_item)
+          subject.table_items.should == [li1]
+        end
+      end
+
+      context "as a manager of a supplier" do
+        let!(:user) { create(:user) }
+        subject { BulkCoopReport.new user }
+
+        let(:s1) { create(:supplier_enterprise) }
+
+        before do
+          s1.enterprise_roles.create!(user: user)
+        end
+
+        context "that has granted P-OC to the distributor" do
+          let(:o2) { create(:order, distributor: d1, completed_at: 1.day.ago, bill_address: create(:address), ship_address: create(:address)) }
+          let(:li2) { build(:line_item, product: create(:simple_product, supplier: s1)) }
+
+          before do
+            o2.line_items << li2
+            create(:enterprise_relationship, parent: s1, child: d1, permissions_list: [:add_to_order_cycle])
+          end
+
+          it "shows line items supplied by my producers, with names hidden" do
+            subject.table_items.should == [li2]
+            subject.table_items.first.order.bill_address.firstname.should == "HIDDEN"
+          end
+        end
+
+        context "that has not granted P-OC to the distributor" do
+          let(:o2) { create(:order, distributor: d1, completed_at: 1.day.ago, bill_address: create(:address), ship_address: create(:address)) }
+          let(:li2) { build(:line_item, product: create(:simple_product, supplier: s1)) }
+
+          before do
+            o2.line_items << li2
+          end
+
+          it "shows line items supplied by my producers, with names hidden" do
+            subject.table_items.should == []
+          end
+        end
+      end
+
+      context "as a manager of a distributor" do
+        let!(:user) { create(:user) }
+        subject { PackingReport.new user }
+
+        before do
+          d1.enterprise_roles.create!(user: user)
+        end
+
+        it "only shows line items distributed by enterprises managed by the current user" do
+          d2 = create(:distributor_enterprise)
+          d2.enterprise_roles.create!(user: create(:user))
+          o2 = create(:order, distributor: d2, completed_at: 1.day.ago)
+          o2.line_items << build(:line_item)
+          subject.table_items.should == [li1]
+        end
+
+        it "only shows the selected order cycle" do
+          oc2 = create(:simple_order_cycle)
+          o2 = create(:order, distributor: d1, order_cycle: oc2)
+          o2.line_items << build(:line_item)
+          subject.stub(:params).and_return(order_cycle_id_in: oc1.id)
+          subject.table_items.should == [li1]
+        end
+      end
+    end
+  end
+end