From d115eb816e27eed62ea21c80a219112e3e8f81c0 Mon Sep 17 00:00:00 2001
From: Rob Harrington
Date: Thu, 19 Nov 2015 14:54:19 +1100
Subject: [PATCH] Restricting access to orders within Xero Invoices Report
Managers of suppliers should not be able to generate xero invoices for orders they supply products for
---
 .../spree/admin/reports_controller_decorator.rb | 4 +---
 .../spree/admin/reports/xero_invoices.html.haml | 2 +-
 lib/open_food_network/xero_invoices_report.rb | 15 ++++++++++++---
 .../xero_invoices_report_spec.rb | 12 +++++++-----
 4 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/app/controllers/spree/admin/reports_controller_decorator.rb b/app/controllers/spree/admin/reports_controller_decorator.rb
index b050993e97..97d671fd48 100644
--- a/app/controllers/spree/admin/reports_controller_decorator.rb
+++ b/app/controllers/spree/admin/reports_controller_decorator.rb
@@ -262,9 +262,7 @@ Spree::Admin::ReportsController.class_eval do
 @distributors = Enterprise.is_distributor.managed_by(spree_current_user)
 @order_cycles = OrderCycle.active_or_complete.accessible_by(spree_current_user).order('orders_close_at DESC')
- @search = Spree::Order.complete.managed_by(spree_current_user).order('id DESC').search(params[:q])
- orders = @search.result
- @report = OpenFoodNetwork::XeroInvoicesReport.new orders, params
+ @report = OpenFoodNetwork::XeroInvoicesReport.new spree_current_user, params
 render_report(@report.header, @report.table, params[:csv], "xero_invoices_#{timestamp}.csv")
 end
diff --git a/app/views/spree/admin/reports/xero_invoices.html.haml b/app/views/spree/admin/reports/xero_invoices.html.haml
index be58420e13..eca51fed4f 100644
--- a/app/views/spree/admin/reports/xero_invoices.html.haml
+++ b/app/views/spree/admin/reports/xero_invoices.html.haml
@@ -1,4 +1,4 @@
-= form_for @search, url: spree.xero_invoices_admin_reports_path do |f|
+= form_for @report.search, url: spree.xero_invoices_admin_reports_path do |f|
 = render 'date_range_form', f: f
 .row
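Review bot: The two context lines above the change still scope `@distributors` through `Enterprise.is_distributor.managed_by(spree_current_user)` and `@order_cycles` through `OrderCycle.active_or_complete.accessible_by(spree_current_user)`, while the orders themselves are now scoped by `OpenFoodNetwork::Permissions#editable_orders` inside `XeroInvoicesReport#search`, so the form's filter options and the exported rows are authorised by two different rules. If `editable_orders` is narrower than `managed_by` (the commit's intent for supplier managers) the page can offer distributors or order cycles that never match an exported order; if it is wider in some case I cannot see from here, the report would list orders the old `@search` scope never did. A comment above the new line would at least make the split explicit: `# Order scoping now lives in XeroInvoicesReport#search (Permissions#editable_orders); keep the filter scopes above in step with it`. The action's `def` line is above the hunk; only its closing `end` is visible.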
diff --git a/lib/open_food_network/xero_invoices_report.rb b/lib/open_food_network/xero_invoices_report.rb
index f6155126cd..cb8953f01b 100644
--- a/lib/open_food_network/xero_invoices_report.rb
+++ b/lib/open_food_network/xero_invoices_report.rb
@@ -1,7 +1,7 @@
 module OpenFoodNetwork
 class XeroInvoicesReport
- def initialize(orders, opts={})
- @orders = orders
+ def initialize(user, opts={})
+ @user = user
 @opts = opts.
 reject { |k, v| v.blank? }.
@@ -15,10 +15,19 @@ module OpenFoodNetwork
 %w(*ContactName EmailAddress POAddressLine1 POAddressLine2 POAddressLine3 POAddressLine4 POCity PORegion POPostalCode POCountry *InvoiceNumber Reference *InvoiceDate *DueDate InventoryItemCode *Description *Quantity *UnitAmount Discount *AccountCode *TaxType TrackingName1 TrackingOption1 TrackingName2 TrackingOption2 Currency BrandingTheme Paid?)
 end
+ def search
+ permissions = OpenFoodNetwork::Permissions.new(@user)
+ permissions.editable_orders.complete.not_state(:canceled).search(@opts[:q])
+ end
+
+ def orders
+ search.result.reorder('id DESC')
+ end
+
+
 def table
 rows = []
- @orders.each_with_index do |order, i|
+ orders.each_with_index do |order, i|
 invoice_number = invoice_number_for(order, i)
 rows += detail_rows_for_order(order, invoice_number, @opts) if detail?
 rows += summary_rows_for_order(order, invoice_number, @opts)
diff --git a/spec/lib/open_food_network/xero_invoices_report_spec.rb b/spec/lib/open_food_network/xero_invoices_report_spec.rb
index ed981b706f..1a397c1084 100644
--- a/spec/lib/open_food_network/xero_invoices_report_spec.rb
+++ b/spec/lib/open_food_network/xero_invoices_report_spec.rb
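Review bot: `search` builds a fresh `OpenFoodNetwork::Permissions` and a fresh Ransack search on every call, and one request calls it at least twice: through `orders` from `table`, and again from the view's `form_for @report.search`. Both calls read the same `@opts[:q]` so they stay consistent, but memoising avoids the duplicate permission lookup, e.g. the body of `search` becomes `@search ||= OpenFoodNetwork::Permissions.new(@user).editable_orders.complete.not_state(:canceled).search(@opts[:q])`. Note also that `not_state(:canceled)` has no counterpart in the controller scope this commit removes (`Spree::Order.complete.managed_by(...)`), so completed-then-canceled orders now silently drop out of the export; that is probably right for invoicing, but it is not mentioned in the commit message and deserves a spec. Finally, `@opts[:q]` is request-supplied Ransack input (the first hunk shows `@opts` is the caller's hash with blank values rejected, and the controller passes `params`), so the new scope relies on `Spree::Order` whitelisting `ransackable_attributes`/`ransackable_associations`, which is not visible here and worth confirming. `table` continues below the end of the hunk.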
@@ -2,10 +2,12 @@ require 'open_food_network/xero_invoices_report'
 module OpenFoodNetwork
 describe XeroInvoicesReport do
- subject { XeroInvoicesReport.new [] }
+ subject { XeroInvoicesReport.new user }
+
+ let(:user) { create(:user) }
 describe "option defaults" do
- let(:report) { XeroInvoicesReport.new [], {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
+ let(:report) { XeroInvoicesReport.new user, {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
 around { |example| Timecop.travel(Time.zone.local(2015, 5, 5, 14, 0, 0)) { example.run } }
@@ -18,7 +20,7 @@ module OpenFoodNetwork
 end
 describe "summary rows" do
- let(:report) { XeroInvoicesReport.new [], {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
+ let(:report) { XeroInvoicesReport.new user, {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
 let(:order) { double(:order) }
 let(:summary_rows) { report.send(:summary_rows_for_order, order, 1, {}) }
@@ -73,7 +75,7 @@ module OpenFoodNetwork
 end
 describe "finding account invoice adjustments" do
- let(:report) { XeroInvoicesReport.new [], {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
+ let(:report) { XeroInvoicesReport.new user, {initial_invoice_number: '', invoice_date: '', due_date: '', account_code: ''} }
 let!(:order) { create(:order) }
 let(:billable_period) { create(:billable_period) }
 let(:shipping_method) { create(:shipping_method) }
@@ -100,7 +102,7 @@ module OpenFoodNetwork
 end
 describe "when an initial invoice number is given" do
- subject { XeroInvoicesReport.new [], {initial_invoice_number: '123'} }
+ subject { XeroInvoicesReport.new user, {initial_invoice_number: '123'} }
 it "increments the number by the index" do
 subject.send(:invoice_number_for, order, 456).should == 579
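Review bot: Nothing in the visible spec changes exercises the scoping this commit introduces: each hunk only swaps the `[]` argument for `user`, and the examples shown drive `summary_rows_for_order` with a `double(:order)` and `invoice_number_for` directly, never `search`/`orders` through `table`, so `Permissions#editable_orders` and `not_state(:canceled)` go untested. Since the stated goal is that a supplier's manager cannot invoice orders they merely supply, add an example that creates a completed order for a distributor, makes `user` manage only a supplier of that order, and asserts `XeroInvoicesReport.new(user).orders` is empty, plus the positive case for a manager of the distributor and a case showing a canceled order is excluded. The new `let(:user) { create(:user) }` at the top-level `describe` is a natural place to hang those from.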