Filter enterprise fee summary for user permissions

app/controllers/spree/admin/reports/enterprise_fee_summary_report_controller.rb

@@ -19,8 +19,8 @@ module Spree
           return respond_to_invalid_parameters unless @report_parameters.valid?
 
           @authorizer.authorize!
-          @report = report_klass::ReportService.new(@report_parameters, report_renderer_klass)
-
+          @report = report_klass::ReportService.new(@permissions, @report_parameters,
+                                                    report_renderer_klass)
           render_report
         rescue OpenFoodNetwork::Reports::Authorizer::ParameterNotAllowedError => e
           flash[:error] = e.message

lib/order_management/reports/enterprise_fee_summary/report_service.rb

@@ -9,15 +9,16 @@ module OrderManagement
       class ReportService
         delegate :render, :filename, to: :renderer
 
-        attr_accessor :parameters, :renderer_klass
+        attr_accessor :permissions, :parameters, :renderer_klass
 
-        def initialize(parameters, renderer_klass)
+        def initialize(permissions, parameters, renderer_klass)
+          @permissions = permissions
           @parameters = parameters
           @renderer_klass = renderer_klass
         end
 
         def enterprise_fees_by_customer
-          Scope.new.apply_filters(parameters).result
+          Scope.new.apply_filters(permission_filters).apply_filters(parameters).result
         end
 
         def enterprise_fee_type_totals
@@ -30,6 +31,10 @@ module OrderManagement
 
         private
 
+        def permission_filters
+          Parameters.new(order_cycle_ids: permissions.allowed_order_cycles.map(&:id))
+        end
+
         def enterprise_fee_type_total_list
           enterprise_fees_by_customer.map do |total_data|
             summarizer = EnterpriseFeeTypeTotalSummarizer.new(total_data)

spec/controllers/spree/admin/reports/enterprise_fee_summary_report_controller_spec.rb

@@ -1,6 +1,8 @@
 require "spec_helper"
 
 describe Spree::Admin::Reports::EnterpriseFeeSummaryReportController, type: :controller do
+  let(:report_klass) { OrderManagement::Reports::EnterpriseFeeSummary }
+
   let!(:admin) { create(:admin_user) }
 
   let(:current_user) { admin }
@@ -52,6 +54,22 @@ describe Spree::Admin::Reports::EnterpriseFeeSummaryReportController, type: :con
           .to render_template("spree/admin/reports/enterprise_fee_summary_report/index")
       end
     end
+
+    describe "filtering results based on permissions" do
+      let!(:distributor) { create(:distributor_enterprise) }
+      let!(:other_distributor) { create(:distributor_enterprise) }
+
+      let!(:order_cycle) { create(:simple_order_cycle, coordinator: distributor) }
+      let!(:other_order_cycle) { create(:simple_order_cycle, coordinator: other_distributor) }
+
+      let(:current_user) { distributor.owner }
+
+      it "applies permissions to report" do
+        get :index, report: {}, report_format: "csv"
+
+        expect(assigns(:permissions).allowed_order_cycles.to_a).to eq([order_cycle])
+      end
+    end
   end
 
   def i18n_scope

spec/lib/order_management/reports/enterprise_fee_summary/renderers/csv_renderer_spec.rb

@@ -1,14 +1,16 @@
 require "spec_helper"
 
 require "order_management/reports/enterprise_fee_summary/parameters"
+require "order_management/reports/enterprise_fee_summary/permissions"
 require "order_management/reports/enterprise_fee_summary/report_service"
 require "order_management/reports/enterprise_fee_summary/renderers/csv_renderer"
 
 describe OrderManagement::Reports::EnterpriseFeeSummary::Renderers::CsvRenderer do
   let(:report_klass) { OrderManagement::Reports::EnterpriseFeeSummary }
 
+  let!(:permissions) { report_klass::Permissions.new(current_user) }
   let!(:parameters) { report_klass::Parameters.new }
-  let!(:service) { report_klass::ReportService.new(parameters, described_class) }
+  let!(:service) { report_klass::ReportService.new(permissions, parameters, described_class) }
 
   let!(:enterprise_fee_type_totals) do
     instance = report_klass::ReportData::EnterpriseFeeTypeTotals.new
@@ -37,6 +39,8 @@ describe OrderManagement::Reports::EnterpriseFeeSummary::Renderers::CsvRenderer
     end
   end
 
+  let(:current_user) { nil }
+
   before do
     allow(service).to receive(:enterprise_fee_type_totals) { enterprise_fee_type_totals }
   end

spec/lib/order_management/reports/enterprise_fee_summary/renderers/html_renderer_spec.rb

@@ -1,14 +1,16 @@
 require "spec_helper"
 
 require "order_management/reports/enterprise_fee_summary/parameters"
+require "order_management/reports/enterprise_fee_summary/permissions"
 require "order_management/reports/enterprise_fee_summary/report_service"
 require "order_management/reports/enterprise_fee_summary/renderers/html_renderer"
 
 describe OrderManagement::Reports::EnterpriseFeeSummary::Renderers::HtmlRenderer do
   let(:report_klass) { OrderManagement::Reports::EnterpriseFeeSummary }
 
+  let!(:permissions) { report_klass::Permissions.new(current_user) }
   let!(:parameters) { report_klass::Parameters.new }
-  let!(:service) { report_klass::ReportService.new(parameters, described_class) }
+  let!(:service) { report_klass::ReportService.new(permissions, parameters, described_class) }
 
   let!(:enterprise_fee_type_totals) do
     instance = report_klass::ReportData::EnterpriseFeeTypeTotals.new
@@ -37,6 +39,8 @@ describe OrderManagement::Reports::EnterpriseFeeSummary::Renderers::HtmlRenderer
     end
   end
 
+  let(:current_user) { nil }
+
   before do
     allow(service).to receive(:enterprise_fee_type_totals) { enterprise_fee_type_totals }
   end

spec/lib/order_management/reports/enterprise_fee_summary/report_service_spec.rb

@@ -1,6 +1,7 @@
 require "spec_helper"
 
 require "order_management/reports/enterprise_fee_summary/report_service"
+require "order_management/reports/enterprise_fee_summary/permissions"
 require "order_management/reports/enterprise_fee_summary/parameters"
 
 describe OrderManagement::Reports::EnterpriseFeeSummary::ReportService do
@@ -76,13 +77,16 @@ describe OrderManagement::Reports::EnterpriseFeeSummary::ReportService do
   let!(:customer) { create(:customer, name: "Sample Customer") }
   let!(:another_customer) { create(:customer, name: "Another Customer") }
 
+  let!(:current_user) { create(:admin_user) }
+
   describe "grouping and sorting of entries" do
     let!(:customer_order) { prepare_order(customer: customer) }
     let!(:second_customer_order) { prepare_order(customer: customer) }
     let!(:other_customer_order) { prepare_order(customer: another_customer) }
 
-    let(:parameters) { OrderManagement::Reports::EnterpriseFeeSummary::Parameters.new }
-    let(:service) { described_class.new(parameters, nil) }
+    let(:permissions) { report_klass::Permissions.new(current_user) }
+    let(:parameters) { report_klass::Parameters.new }
+    let(:service) { described_class.new(permissions, parameters, nil) }
 
     it "groups and sorts entries correctly" do
       totals = service.enterprise_fee_type_totals
@@ -140,9 +144,57 @@ describe OrderManagement::Reports::EnterpriseFeeSummary::ReportService do
     end
   end
 
+  describe "filtering results based on permissions" do
+    let!(:distributor_a) do
+      create(:distributor_enterprise, name: "Distributor A", payment_methods: [payment_method],
+                                      shipping_methods: [shipping_method])
+    end
+    let!(:distributor_b) do
+      create(:distributor_enterprise, name: "Distributor B", payment_methods: [payment_method],
+                                      shipping_methods: [shipping_method])
+    end
+
+    let!(:order_cycle_a) { create(:simple_order_cycle, coordinator: coordinator) }
+    let!(:order_cycle_b) { create(:simple_order_cycle, coordinator: coordinator) }
+
+    let!(:variant_a) { prepare_variant(distributor: distributor_a, order_cycle: order_cycle_a) }
+    let!(:variant_b) { prepare_variant(distributor: distributor_b, order_cycle: order_cycle_b) }
+
+    let!(:order_a) { prepare_order(order_cycle: order_cycle_a, distributor: distributor_a) }
+    let!(:order_b) { prepare_order(order_cycle: order_cycle_b, distributor: distributor_b) }
+
+    let(:permissions) { report_klass::Permissions.new(current_user) }
+    let(:parameters) { report_klass::Parameters.new({}) }
+    let(:service) { described_class.new(permissions, parameters, nil) }
+
+    context "when admin" do
+      let!(:current_user) { create(:admin_user) }
+
+      it "includes all order cycles" do
+        totals = service.enterprise_fee_type_totals.list
+
+        expect_total_matches(totals, 2, fee_type: "Shipment")
+        expect_total_matches(totals, 1, fee_type: "Shipment", enterprise_name: "Distributor A")
+        expect_total_matches(totals, 1, fee_type: "Shipment", enterprise_name: "Distributor B")
+      end
+    end
+
+    context "when enterprise owner for distributor" do
+      let!(:current_user) { distributor_a.owner }
+
+      it "does not include unrelated order cycles" do
+        totals = service.enterprise_fee_type_totals.list
+
+        expect_total_matches(totals, 1, fee_type: "Shipment")
+        expect_total_matches(totals, 1, fee_type: "Shipment", enterprise_name: "Distributor A")
+      end
+    end
+  end
+
   describe "filters entries correctly" do
+    let(:permissions) { report_klass::Permissions.new(current_user) }
     let(:parameters) { report_klass::Parameters.new(parameters_attributes) }
-    let(:service) { described_class.new(parameters, nil) }
+    let(:service) { described_class.new(permissions, parameters, nil) }
 
     context "filtering by completion date" do
       let(:timestamp) { Time.zone.local(2018, 1, 5, 14, 30, 5) }