Admin order cycle listing does not show order cycles that enterprise users don't have access to

2026-01-24 20:36:49 +00:00 · 2014-04-24 14:43:33 +10:00
parent 2e51518b5b
commit d0585b4d05
3 changed files with 14 additions and 7 deletions
--- a/app/models/order_cycle.rb
+++ b/app/models/order_cycle.rb
@@ -79,11 +79,13 @@ class OrderCycle < ActiveRecord::Base
  end

  def suppliers
-    self.exchanges.incoming.map(&:sender).uniq
+    enterprise_ids = self.exchanges.incoming.pluck :sender_id
+    Enterprise.where('enterprises.id IN (?)', enterprise_ids)
  end

  def distributors
-    self.exchanges.outgoing.map(&:receiver).uniq
+    enterprise_ids = self.exchanges.outgoing.pluck :receiver_id
+    Enterprise.where('enterprises.id IN (?)', enterprise_ids)
  end

  def variants
--- a/app/views/admin/order_cycles/index.html.haml
+++ b/app/views/admin/order_cycles/index.html.haml
@@ -37,12 +37,12 @@
          %td= order_cycle_form.text_field :orders_open_at, :class => 'datetimepicker', :value => order_cycle.orders_open_at
          %td= order_cycle_form.text_field :orders_close_at, :class => 'datetimepicker', :value => order_cycle.orders_close_at
          %td.suppliers
-            - order_cycle.suppliers.each do |s|
+            - order_cycle.suppliers.managed_by(spree_current_user).each do |s|
              = s.name
              %br/
          %td= order_cycle.coordinator.name
          %td.distributors
-            - order_cycle.distributors.each do |d|
+            - order_cycle.distributors.managed_by(spree_current_user).each do |d|
              = d.name
              %br/

--- a/spec/features/admin/order_cycles_spec.rb
+++ b/spec/features/admin/order_cycles_spec.rb
@@ -462,17 +462,22 @@ feature %q{
      login_to_admin_as @new_user
    end

-    scenario "can view products I am coordinating" do
-      oc_user_coordinating = create(:simple_order_cycle, { coordinator: supplier1, name: 'Order Cycle 1' } )
+    scenario "viewing a list of order cycles I am coordinating" do
+      oc_user_coordinating = create(:simple_order_cycle, { suppliers: [supplier1, supplier2], coordinator: supplier1, distributors: [distributor1, distributor2], name: 'Order Cycle 1' } )
      oc_for_other_user = create(:simple_order_cycle, { coordinator: supplier2, name: 'Order Cycle 2' } )

      click_link "Order Cycles"

+      # I should see only the order cycle I am coordinating
      page.should have_content oc_user_coordinating.name
      page.should_not have_content oc_for_other_user.name
+
+      # The order cycle should not show enterprises that I don't manage
+      page.should_not have_selector 'td.suppliers',    text: supplier2.name
+      page.should_not have_selector 'td.distributors', text: distributor2.name
    end

-    scenario "can create a new order cycle" do
+    scenario "creating a new order cycle" do
      click_link "Order Cycles"
      click_link 'New Order Cycle'