Merge pull request #13419 from chahmedejaz/bugfix/13416-orders-page-inaccessible-by-admins

Orders page inaccessible as superadmin (error 504)
2026-01-31 21:37:16 +00:00 · 2025-07-14 13:50:51 +01:00
parent c0639b37bb e6b9373570
commit cf9ffd8931
5 changed files with 54 additions and 29 deletions
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -98,6 +98,7 @@ Metrics/ClassLength:
    - 'lib/reporting/reports/enterprise_fee_summary/enterprise_fees_with_tax_report_by_producer.rb'
    - 'lib/reporting/reports/enterprise_fee_summary/scope.rb'
    - 'lib/reporting/reports/xero_invoices/base.rb'
+    - 'app/services/permissions/order.rb'

 # Offense count: 30
 # Configuration parameters: AllowedMethods, AllowedPatterns, Max.
--- a/app/assets/javascripts/admin/line_items/controllers/line_items_controller.js.coffee
+++ b/app/assets/javascripts/admin/line_items/controllers/line_items_controller.js.coffee
@@ -19,18 +19,6 @@ angular.module("admin.lineItems").controller 'LineItemsCtrl', ($scope, $timeout,
  $scope.page = 1
  $scope.per_page = $scope.per_page_options[0].id
  $scope.filterByVariantId = null
-  searchThrough = ["order_distributor_name_alias",
-    "order_bill_address_phone",
-    "order_bill_address_firstname",
-    "order_bill_address_lastname",
-    "order_bill_address_full_name",
-    "order_bill_address_full_name_reversed",
-    "order_bill_address_full_name_with_comma",
-    "order_bill_address_full_name_with_comma_reversed",
-    "variant_supplier_name",
-    "order_email",
-    "order_number",
-    "product_name"].join("_or_") + "_cont"

  $scope.confirmRefresh = ->
    LineItems.allSaved() || confirm(t("unsaved_changes_warning"))
@@ -75,11 +63,10 @@ angular.module("admin.lineItems").controller 'LineItemsCtrl', ($scope, $timeout,
    [formattedStartDate, formattedEndDate] = $scope.formatDates($scope.startDate, $scope.endDate)

    RequestMonitor.load LineItems.index(
-      "q[#{searchThrough}]": $scope.query,
-      "q[variant_id_eq]": $scope.filterByVariantId if $scope.filterByVariantId,
      "q[order_state_not_eq]": "canceled",
      "q[order_shipment_state_not_eq]": "shipped",
      "q[order_completed_at_not_null]": "true",
+      "q[variant_id_eq]": $scope.filterByVariantId if $scope.filterByVariantId,
      "q[order_distributor_id_eq]": $scope.distributorFilter,
      "q[variant_supplier_id_eq]": $scope.supplierFilter,
      "q[order_order_cycle_id_eq]": $scope.orderCycleFilter,
@@ -87,7 +74,8 @@ angular.module("admin.lineItems").controller 'LineItemsCtrl', ($scope, $timeout,
      "q[order_completed_at_lt]": if formattedEndDate then formattedEndDate else undefined,
      "q[s]": "order_completed_at desc",
      "page": $scope.page,
-      "per_page": $scope.per_page
+      "per_page": $scope.per_page,
+      "search_query": $scope.query
    )

  $scope.formatDates = (startDate, endDate) ->
--- a/app/controllers/admin/bulk_line_items_controller.rb
+++ b/app/controllers/admin/bulk_line_items_controller.rb
@@ -12,7 +12,7 @@ module Admin
      @line_items = order_permissions.
        editable_line_items.where(order_id: orders).
        includes(:variant).
-        ransack(params[:q]).result.order(:id)
+        ransack(line_items_search_query).result.order(:id)

      @pagy, @line_items = pagy(@line_items) if pagination_required?

@@ -88,5 +88,27 @@ module Admin
    def page
      params[:page] || 1
    end
+
+    def line_items_search_query
+      query = params.permit(q: {}).to_h[:q] || {}
+
+      search_fields_string = [
+        spree_current_user.admin? ? "order_distributor_name" : "order_distributor_name_alias",
+        "order_bill_address_phone",
+        "order_bill_address_firstname",
+        "order_bill_address_lastname",
+        "order_bill_address_full_name",
+        "order_bill_address_full_name_reversed",
+        "order_bill_address_full_name_with_comma",
+        "order_bill_address_full_name_with_comma_reversed",
+        "variant_supplier_name",
+        "order_email",
+        "order_number",
+        "product_name"
+      ].join("_or_")
+      search_query = "#{search_fields_string}_cont"
+
+      query.merge({ search_query => params[:search_query] })
+    end
  end
 end
--- a/app/services/permissions/order.rb
+++ b/app/services/permissions/order.rb
@@ -29,12 +29,17 @@ module Permissions

    # Any orders that the user can edit
    def editable_orders
-      orders = Spree::Order.joins(:distributor).where(
-        id: produced_orders.select(:id),
-        distributor: { enable_producers_to_edit_orders: true }
-      ).or(
-        managed_or_coordinated_orders_where_clause
-      )
+      orders = if @user.admin?
+                 # It returns all orders if the user is an admin
+                 managed_or_coordinated_orders_where_clause
+               else
+                 Spree::Order.joins(:distributor).where(
+                   id: produced_orders.select(:id),
+                   distributor: { enable_producers_to_edit_orders: true }
+                 ).or(
+                   managed_or_coordinated_orders_where_clause
+                 )
+               end

      filtered_orders(orders)
    end
@@ -45,13 +50,20 @@ module Permissions

    # Any line items that I can edit
    def editable_line_items
-      Spree::LineItem.editable_by_producers(
-        @permissions.managed_enterprises.select("enterprises.id")
-      ).or(
-        Spree::LineItem.where(
-          order_id: filtered_orders(managed_or_coordinated_orders_where_clause).select(:id)
-        )
+      managed_or_coordinated_line_items_where_clause = Spree::LineItem.where(
+        order_id: filtered_orders(managed_or_coordinated_orders_where_clause).select(:id)
      )
+
+      if @user.admin?
+        # It returns all line_items if the user is an admin
+        managed_or_coordinated_line_items_where_clause
+      else
+        Spree::LineItem.editable_by_producers(
+          @permissions.managed_enterprises.select("enterprises.id")
+        ).or(
+          managed_or_coordinated_line_items_where_clause
+        )
+      end
    end

    private
--- a/spec/services/permissions/order_spec.rb
+++ b/spec/services/permissions/order_spec.rb
@@ -27,7 +27,9 @@ RSpec.describe Permissions::Order do
  before { allow(OpenFoodNetwork::Permissions).to receive(:new) { basic_permissions } }

  context "with user cannot only manage line_items in orders" do
-    let(:user) { instance_double('Spree::User', can_manage_line_items_in_orders_only?: false) }
+    let(:user) do
+      instance_double('Spree::User', can_manage_line_items_in_orders_only?: false, admin?: false)
+    end

    describe "finding orders that are visible in reports" do
      let(:random_enterprise) { create(:distributor_enterprise) }