From d0585b4d0532a9c252faa8e1eae076283df7efc7 Mon Sep 17 00:00:00 2001
From: Rohan Mitchell
Date: Thu, 24 Apr 2014 14:43:33 +1000
Subject: [PATCH] Admin order cycle listing does not show order cycles that enterprise users don't have access to
---
 app/models/order_cycle.rb | 6 ++++--
 app/views/admin/order_cycles/index.html.haml | 4 ++--
 spec/features/admin/order_cycles_spec.rb | 11 ++++++++---
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/app/models/order_cycle.rb b/app/models/order_cycle.rb
index 317c092375..915580d7d8 100644
--- a/app/models/order_cycle.rb
+++ b/app/models/order_cycle.rb
@@ -79,11 +79,13 @@ class OrderCycle < ActiveRecord::Base
 end
 def suppliers
- self.exchanges.incoming.map(&:sender).uniq
+ enterprise_ids = self.exchanges.incoming.pluck :sender_id
+ Enterprise.where('enterprises.id IN (?)', enterprise_ids)
 end
 def distributors
- self.exchanges.outgoing.map(&:receiver).uniq
+ enterprise_ids = self.exchanges.outgoing.pluck :receiver_id
+ Enterprise.where('enterprises.id IN (?)', enterprise_ids)
 end
 def variants
diff --git a/app/views/admin/order_cycles/index.html.haml b/app/views/admin/order_cycles/index.html.haml
index 328d56d5aa..0e829e025c 100644
--- a/app/views/admin/order_cycles/index.html.haml
+++ b/app/views/admin/order_cycles/index.html.haml
@@ -37,12 +37,12 @@
 %td= order_cycle_form.text_field :orders_open_at, :class => 'datetimepicker', :value => order_cycle.orders_open_at
 %td= order_cycle_form.text_field :orders_close_at, :class => 'datetimepicker', :value => order_cycle.orders_close_at
 %td.suppliers
- - order_cycle.suppliers.each do |s|
+ - order_cycle.suppliers.managed_by(spree_current_user).each do |s|
 = s.name
 %br/
 %td= order_cycle.coordinator.name
 %td.distributors
- - order_cycle.distributors.each do |d|
+ - order_cycle.distributors.managed_by(spree_current_user).each do |d|
 = d.name
 %br/
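Review bot: `OrderCycle#suppliers` and `#distributors` in app/models/order_cycle.rb still return every enterprise on the cycle, and nothing in either method says that the per-user restriction is left to the caller, so a reader could take the result for an already-scoped list. A comment above each would make the contract explicit, for example `# All senders of incoming exchanges, NOT filtered by user; chain .managed_by(user) before showing to enterprise users`. The return value also changes from a de-duplicated Array to a relation, so callers outside this diff that compare against an array or use array-only methods should be checked. The SQL fragment can be written as the hash condition `Enterprise.where(id: enterprise_ids)`, which avoids hand-written SQL. The class body starts and continues outside the hunk.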
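Review bot: The access restriction is enforced in the template, by the two `.managed_by(spree_current_user)` calls in the `td.suppliers` and `td.distributors` cells of app/views/admin/order_cycles/index.html.haml, so it covers this listing only. Any other view or endpoint that renders `order_cycle.suppliers` or `order_cycle.distributors` would still get the unfiltered set; the diffstat shows no other caller being touched, though callers are not visible in this patch. Putting the filter behind one model or helper method that takes the user, and calling it wherever these lists are displayed, keeps the rule in a single reviewable place. The `managed_by` scope is defined outside this diff, so its behaviour for full admins and for a nil user should be confirmed.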
diff --git a/spec/features/admin/order_cycles_spec.rb b/spec/features/admin/order_cycles_spec.rb
index fdd5c009d4..0244bc434e 100644
--- a/spec/features/admin/order_cycles_spec.rb
+++ b/spec/features/admin/order_cycles_spec.rb
@@ -462,17 +462,22 @@ feature %q{
 login_to_admin_as @new_user
 end
- scenario "can view products I am coordinating" do
- oc_user_coordinating = create(:simple_order_cycle, { coordinator: supplier1, name: 'Order Cycle 1' } )
+ scenario "viewing a list of order cycles I am coordinating" do
+ oc_user_coordinating = create(:simple_order_cycle, { suppliers: [supplier1, supplier2], coordinator: supplier1, distributors: [distributor1, distributor2], name: 'Order Cycle 1' } )
 oc_for_other_user = create(:simple_order_cycle, { coordinator: supplier2, name: 'Order Cycle 2' } )
 click_link "Order Cycles"
+ # I should see only the order cycle I am coordinating
 page.should have_content oc_user_coordinating.name
 page.should_not have_content oc_for_other_user.name
+
+ # The order cycle should not show enterprises that I don't manage
+ page.should_not have_selector 'td.suppliers', text: supplier2.name
+ page.should_not have_selector 'td.distributors', text: distributor2.name
 end
- scenario "can create a new order cycle" do
+ scenario "creating a new order cycle" do
 click_link "Order Cycles"
 click_link 'New Order Cycle'
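Review bot: The two new `page.should_not have_selector` checks at the end of the first scenario are negative only, so they also pass when the `td.suppliers` and `td.distributors` cells render empty or the filter hides everything. Pair them with positive assertions for the enterprises the user does manage, e.g. `page.should have_selector 'td.suppliers', text: supplier1.name`, and the equivalent for `distributor1` if `@new_user` manages it (the user setup is outside this hunk). That pins both halves of the access rule: managed enterprises are shown and unmanaged ones are hidden.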