Restricting access to orders within Xero Invoices Report

Managers of suppliers should not be able to generate xero invoices for orders they supply products for

app/controllers/spree/admin/reports_controller_decorator.rb

@@ -262,9 +262,7 @@ Spree::Admin::ReportsController.class_eval do
     @distributors = Enterprise.is_distributor.managed_by(spree_current_user)
     @order_cycles = OrderCycle.active_or_complete.accessible_by(spree_current_user).order('orders_close_at DESC')
 
-    @search = Spree::Order.complete.managed_by(spree_current_user).order('id DESC').search(params[:q])
-    orders = @search.result
-    @report = OpenFoodNetwork::XeroInvoicesReport.new orders, params
+    @report = OpenFoodNetwork::XeroInvoicesReport.new spree_current_user, params
     render_report(@report.header, @report.table, params[:csv], "xero_invoices_#{timestamp}.csv")
   end
 

app/views/spree/admin/reports/xero_invoices.html.haml

@@ -1,4 +1,4 @@
-= form_for @search, url: spree.xero_invoices_admin_reports_path do |f|
+= form_for @report.search, url: spree.xero_invoices_admin_reports_path do |f|
   = render 'date_range_form', f: f
 
   .row

lib/open_food_network/xero_invoices_report.rb

@@ -1,7 +1,7 @@
 module OpenFoodNetwork
   class XeroInvoicesReport
-    def initialize(orders, opts={})
-      @orders = orders
+    def initialize(user, opts={})
+      @user = user
 
       @opts = opts.
               reject { |k, v| v.blank? }.
@@ -15,10 +15,19 @@ module OpenFoodNetwork
       %w(*ContactName EmailAddress POAddressLine1 POAddressLine2 POAddressLine3 POAddressLine4 POCity PORegion POPostalCode POCountry *InvoiceNumber Reference *InvoiceDate *DueDate InventoryItemCode *Description *Quantity *UnitAmount Discount *AccountCode *TaxType TrackingName1 TrackingOption1 TrackingName2 TrackingOption2 Currency BrandingTheme Paid?)
     end
 
+    def search
+      permissions = OpenFoodNetwork::Permissions.new(@user)
+      permissions.editable_orders.complete.not_state(:canceled).search(@opts[:q])
+    end
+
+    def orders
+      search.result.reorder('id DESC')
+    end
+
     def table
       rows = []
 
-      @orders.each_with_index do |order, i|
+      orders.each_with_index do |order, i|
         invoice_number = invoice_number_for(order, i)
         rows += detail_rows_for_order(order, invoice_number, @opts) if detail?
         rows += summary_rows_for_order(order, invoice_number, @opts)

spec/lib/open_food_network/xero_invoices_report_spec.rb

@@ -2,10 +2,12 @@ require 'open_food_network/xero_invoices_report'
 
 module OpenFoodNetwork
   describe XeroInvoicesReport do
-    subject { XeroInvoicesReport.new [] }
+    subject { XeroInvoicesReport.new user }
+
+    let(:user) { create(:user) }
 
     describe "option defaults" do
-      let(:report) { XeroInvoicesReport.new [], {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
+      let(:report) { XeroInvoicesReport.new user, {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
 
       around { |example| Timecop.travel(Time.zone.local(2015, 5, 5, 14, 0, 0)) { example.run } }
 
@@ -18,7 +20,7 @@ module OpenFoodNetwork
     end
 
     describe "summary rows" do
-      let(:report) { XeroInvoicesReport.new [], {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
+      let(:report) { XeroInvoicesReport.new user, {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
       let(:order) { double(:order) }
       let(:summary_rows) { report.send(:summary_rows_for_order, order, 1, {}) }
 
@@ -73,7 +75,7 @@ module OpenFoodNetwork
     end
 
     describe "finding account invoice adjustments" do
-      let(:report) { XeroInvoicesReport.new [], {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
+      let(:report) { XeroInvoicesReport.new user, {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
       let!(:order) { create(:order) }
       let(:billable_period) { create(:billable_period) }
       let(:shipping_method) { create(:shipping_method) }
@@ -100,7 +102,7 @@ module OpenFoodNetwork
       end
 
       describe "when an initial invoice number is given" do
-        subject { XeroInvoicesReport.new [], {initial_invoice_number: '123'} }
+        subject { XeroInvoicesReport.new user, {initial_invoice_number: '123'} }
 
         it "increments the number by the index" do
           subject.send(:invoice_number_for, order, 456).should == 579