WIP: Allow distributor enterprise user to access their orders

app/controllers/spree/admin/orders_controller_decorator.rb

@@ -0,0 +1,10 @@
+Spree::Admin::OrdersController.class_eval do
+  respond_override :index => { :html =>
+    { :success => lambda { 
+      # Filter orders to only show those managed by current user
+      @orders = @search.result.includes([:user, :shipments, :payments]).
+        managed_by(spree_current_user).
+        page(params[:page]).
+        per(params[:per_page] || Spree::Config[:orders_per_page])
+    } } }
+end

app/models/spree/ability_decorator.rb

@@ -3,11 +3,13 @@ class AbilityDecorator
   include CanCan::Ability
   def initialize(user)
     if user.enterprises.count > 0
+
+      #User can only access products that they are a supplier for
+      can [:create], Spree::Product
       can [:admin, :read, :update, :bulk_edit, :clone, :destroy], Spree::Product  do |product|
         user.enterprises.include? product.supplier
       end
 
-      can [:create], Spree::Product
       can [:admin, :index, :read, :create, :edit], Spree::Variant
       can [:admin, :index, :read, :create, :edit], Spree::ProductProperty
       can [:admin, :index, :read, :create, :edit], Spree::Image
@@ -15,7 +17,16 @@ class AbilityDecorator
       can [:admin, :index, :read, :search], Spree::Taxon
       can [:admin, :index, :read, :create, :edit], Spree::Classification
 
-      can [:admin, :index, :read], Spree::Order
+      #User can only access orders that they are a distributor for
+      can [:index, :create], Spree::Order
+      can [:admin, :read, :update, :fire, :resend ], Spree::Order do |order| # :customer, :return_authorizations
+        user.enterprises.include? order.distributor
+      end
+
+      can [:admin, :index, :read, :create, :edit], Spree::Payment # , :fire, :capture,
+      can [:admin, :index, :read, :create, :edit], Spree::Shipment #edit order shipment doesn't work
+      can [:admin, :index, :read, :create, :edit], Spree::Adjustment
+
     end
   end
 end

app/models/spree/order_decorator.rb

@@ -12,7 +12,16 @@ Spree::Order.class_eval do
   before_save :update_line_item_shipping_methods
   after_create :set_default_shipping_method
 
+  # -- Scopes
+  scope :managed_by, lambda { |user|
+    if user.has_spree_role?('admin')
+      scoped
+    else
+      where('distributor_id IN (?)', user.enterprises.map {|enterprise| enterprise.id })
+    end
+  }
 
+  # -- Methods
   def products_available_from_new_distribution
     # Check that the line_items in the current order are available from a newly selected distribution
     if OpenFoodWeb::FeatureToggle.enabled? :order_cycles

spec/controllers/spree/api/products_controller_spec.rb

@@ -41,11 +41,16 @@ module Spree
       end
 
       it "should allow available_on to be nil" do
+
+        spree_get :index, { :template => 'bulk_index', :format => :json }
+        json_response.size.should == 3
+
         product4 = FactoryGirl.create(:product)
         product4.available_on = nil
         product4.save!
 
         spree_get :index, { :template => 'bulk_index', :format => :json }
+        binding.pry
         json_response.size.should == 4
       end
     end

spec/models/ability_spec.rb

@@ -9,25 +9,35 @@ module Spree
     describe 'Roles' do
 
       # create enterprises
-      let(:e1) { create(:enterprise) }
-      let(:e2) { create(:enterprise) }
+      let(:s1) { create(:supplier_enterprise) }
+      let(:s2) { create(:supplier_enterprise) }
       let(:d1) { create(:distributor_enterprise) }
+      let(:d2) { create(:distributor_enterprise) }
       # create product for each enterprise
-      let(:p1) { create(:product, supplier: e1) }
-      let(:p2) { create(:product, supplier: e2) }
+      let(:p1) { create(:product, supplier: s1, distributors:[d1, d2]) }
+      let(:p2) { create(:product, supplier: s2, distributors:[d1, d2]) }
 
       # create order for each enterprise
-      # let(:order) { create(:order, distributor: d1, bill_address: create(:address)) }
+      let(:o1) do
+        o = create(:order, distributor: d1, bill_address: create(:address))
+        create(:line_item, order: o, product: p1)
+        o
+      end
+      let(:o2) do
+        o = create(:order, distributor: d2, bill_address: create(:address))
+        create(:line_item, order: o, product: p1)
+        o
+      end
 
       subject { user }
       let(:user){ nil }
 
-      context "when is an enterprise user" do
-        # create enterprise1 user without full admin access
+      context "when is a supplier enterprise user" do
+        # create supplier_enterprise1 user without full admin access
         let (:user) do
           user = create(:user)
           user.spree_roles = []
-          e1.enterprise_roles.build(user: user).save
+          s1.enterprise_roles.build(user: user).save
           user
         end
 
@@ -64,13 +74,26 @@ module Spree
         it "should be able to read/write Classifications on a product" do
           should have_ability([:admin, :index, :read, :create, :edit], for: Spree::Classification)
         end
-
-        #TODO: definitely should check this on enterprise_roles
-        it "should be able to read their enterprises' orders" do
-          # should have_ability([:admin, :index, :read], for: o1) 
-        end
-        
       end
+
+      context "when is a distributor enterprise user" do
+        # create distributor_enterprise1 user without full admin access
+        let (:user) do
+          user = create(:user)
+          user.spree_roles = []
+          d1.enterprise_roles.build(user: user).save
+          user
+        end
+
+        it "should be able to read/write their enterprises' orders" do
+          should have_ability([:admin, :index, :read, :edit], for: o1) 
+        end
+
+        it "should not be able to read/write other enterprises' orders" do
+          should_not have_ability([:admin, :index, :read, :edit], for: o2) 
+        end
+      end
+
     end
   end
 end