From c579d302d507dcf0ac7ad1c0bdb382e095d23ad0 Mon Sep 17 00:00:00 2001
From: Rob Harrington
Date: Thu, 29 Oct 2015 16:48:16 +1100
Subject: [PATCH] Fixing customer info security for orders and distributors report
---
 .../spree/admin/reports_controller_decorator.rb | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/app/controllers/spree/admin/reports_controller_decorator.rb b/app/controllers/spree/admin/reports_controller_decorator.rb
index bbadbe624e..09d4dd5698 100644
--- a/app/controllers/spree/admin/reports_controller_decorator.rb
+++ b/app/controllers/spree/admin/reports_controller_decorator.rb
@@ -128,8 +128,20 @@ Spree::Admin::ReportsController.class_eval do
 def orders_and_distributors
 prepare_date_params params
- @search = Spree::Order.complete.not_state(:canceled).managed_by(spree_current_user).search(params[:q])
- orders = @search.result
+ @search = Spree::Order.complete.not_state(:canceled).search(params[:q])
+ permissions = OpenFoodNetwork::Permissions.new(spree_current_user)
+ orders = permissions.visible_orders.merge(@search.result)
+ # If empty array is passed in, the where clause will return all line_items, which is bad
+ orders_with_hidden_details =
+ permissions.editable_orders.empty? ? orders : orders.where('id NOT IN (?)', permissions.editable_orders)
+
+ orders.select{ |order| orders_with_hidden_details.include? order }.each do |order|
+ # TODO We should really be hiding customer code here too, but until we
+ # have an actual association between order and customer, it's a bit tricky
+ order.bill_address.assign_attributes(firstname: "HIDDEN", lastname: "", phone: "", address1: "", address2: "", city: "", zipcode: "", state: nil)
+ order.ship_address.assign_attributes(firstname: "HIDDEN", lastname: "", phone: "", address1: "", address2: "", city: "", zipcode: "", state: nil)
+ order.assign_attributes(email: "HIDDEN")
+ end
 
 @report = OpenFoodNetwork::OrderAndDistributorReport.new orders
 unless params[:csv]