From d5437e15082b31e10bbf4e51c16cad81a2489846 Mon Sep 17 00:00:00 2001
From: Rohan Mitchell <rohan@rohanmitchell.com>
Date: Wed, 14 Jan 2015 14:46:59 +1100
Subject: [PATCH] edit_profile permission no longer shows links to manage
 shipping methods, payment methods and enterprise fees for an enterprise

---
 app/models/spree/ability_decorator.rb         |  3 +++
 .../admin/enterprises/_actions.html.haml      |  6 ++---
 spec/features/admin/enterprises_spec.rb       | 25 +++++++++++++------
 spec/models/spree/ability_spec.rb             |  8 ++++++
 4 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/app/models/spree/ability_decorator.rb b/app/models/spree/ability_decorator.rb
index ca870f05b8..6c59887730 100644
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
@@ -54,6 +54,9 @@ class AbilityDecorator
     can [:read, :edit, :update, :bulk_update, :set_sells, :resend_confirmation], Enterprise do |enterprise|
       OpenFoodNetwork::Permissions.new(user).editable_enterprises.include? enterprise
     end
+    can [:manage_payment_methods, :manage_shipping_methods, :manage_enterprise_fees], Enterprise do |enterprise|
+      user.enterprises.include? enterprise
+    end
 
     # All enterprises can have fees, though possibly suppliers don't need them?
     can [:index, :create], EnterpriseFee
diff --git a/app/views/admin/enterprises/_actions.html.haml b/app/views/admin/enterprises/_actions.html.haml
index c41cf290bc..2ca78f75df 100644
--- a/app/views/admin/enterprises/_actions.html.haml
+++ b/app/views/admin/enterprises/_actions.html.haml
@@ -11,21 +11,21 @@
   %br/
 
 - if enterprise.is_distributor
-  - if can? :admin, Spree::PaymentMethod
+  - if can?(:admin, Spree::PaymentMethod) && can?(:manage_payment_methods, enterprise)
     = link_to_with_icon 'icon-chevron-right', 'Payment Methods', spree.admin_payment_methods_path(enterprise_id: enterprise.id)
     (#{enterprise.payment_methods.count})
     - if enterprise.payment_methods.count == 0
       %span.icon-exclamation-sign.with-tip{"data-powertip" => "This enterprise has no payment methods", style: "font-size: 16px;color: #DA5354"}
     %br/
 
-  - if can? :admin, Spree::ShippingMethod
+  - if can?(:admin, Spree::ShippingMethod) && can?(:manage_shipping_methods, enterprise)
     = link_to_with_icon 'icon-plane', 'Shipping Methods', spree.admin_shipping_methods_path(enterprise_id: enterprise.id)
     (#{enterprise.shipping_methods.count})
     - if enterprise.shipping_methods.count == 0
       %span.icon-exclamation-sign.with-tip{"data-powertip" => "This enterprise has shipping methods", style: "font-size: 16px;color: #DA5354"}
     %br/
 
-- if can? :admin, EnterpriseFee
+- if can?(:admin, EnterpriseFee) && can?(:manage_enterprise_fees, enterprise)
   = link_to_with_icon 'icon-money', 'Enterprise Fees', main_app.admin_enterprise_fees_path(enterprise_id: enterprise.id)
   (#{enterprise.enterprise_fees.count})
   - if enterprise.enterprise_fees.count == 0
diff --git a/spec/features/admin/enterprises_spec.rb b/spec/features/admin/enterprises_spec.rb
index 112052452d..dfd7afb6aa 100644
--- a/spec/features/admin/enterprises_spec.rb
+++ b/spec/features/admin/enterprises_spec.rb
@@ -430,15 +430,26 @@ feature %q{
       distributor1.reload.name.should == 'Eaterprises'
     end
 
-    scenario "editing enterprises I have permission to" do
-      click_link 'Enterprises'
-      within("#listing_enterprises tr.enterprise-#{distributor3.id}") { click_link 'Edit Profile' }
+    describe "enterprises I have edit permission for, but do not manage" do
+      it "allows me to edit them" do
+        click_link 'Enterprises'
+        within("#listing_enterprises tr.enterprise-#{distributor3.id}") { click_link 'Edit Profile' }
 
-      fill_in 'enterprise_name', :with => 'Eaterprises'
-      click_button 'Update'
+        fill_in 'enterprise_name', :with => 'Eaterprises'
+        click_button 'Update'
 
-      flash_message.should == 'Enterprise "Eaterprises" has been successfully updated!'
-      distributor3.reload.name.should == 'Eaterprises'
+        flash_message.should == 'Enterprise "Eaterprises" has been successfully updated!'
+        distributor3.reload.name.should == 'Eaterprises'
+      end
+
+      it "does not show links to manage payment methods, shipping methods or enterprise fees" do
+        click_link 'Enterprises'
+        within("#listing_enterprises tr.enterprise-#{distributor3.id}") do
+          page.should_not have_link 'Payment Methods'
+          page.should_not have_link 'Shipping Methods'
+          page.should_not have_link 'Enterprise Fees'
+        end
+      end
     end
 
     scenario "editing images for an enterprise" do
diff --git a/spec/models/spree/ability_spec.rb b/spec/models/spree/ability_spec.rb
index 92d52e8d73..4a05c56b87 100644
--- a/spec/models/spree/ability_spec.rb
+++ b/spec/models/spree/ability_spec.rb
@@ -253,6 +253,14 @@ module Spree
           it "should be able to edit enterprises it has permission to" do
             should have_ability([:read, :edit, :update, :bulk_update, :set_sells, :resend_confirmation], for: d_related)
           end
+
+          it "should be able to manage shipping methods, payment methods and enterprise fees for enterprises it manages" do
+            should have_ability([:manage_shipping_methods, :manage_payment_methods, :manage_enterprise_fees], for: d1)
+          end
+
+          it "should not be able to manage shipping methods, payment methods and enterprise fees for enterprises it has edit profile permission to" do
+            should_not have_ability([:manage_shipping_methods, :manage_payment_methods, :manage_enterprise_fees], for: d_related)
+          end
         end
 
         describe "variant overrides" do