Restrict access to show_provider_preferences action on payment methods controller

2026-01-28 21:07:16 +00:00 · 2014-07-23 12:06:30 +10:00
parent f19af52556
commit d80166e80d
3 changed files with 45 additions and 19 deletions
--- a/app/controllers/spree/admin/payment_methods_controller_decorator.rb
+++ b/app/controllers/spree/admin/payment_methods_controller_decorator.rb
@@ -1,6 +1,7 @@
 module Spree
  module Admin
    PaymentMethodsController.class_eval do
+      skip_before_filter :load_resource, only: [:show_provider_preferences]
      before_filter :load_hubs, only: [:new, :edit, :update]
      create.before :load_hubs

@@ -31,6 +32,7 @@ module Spree
      def show_provider_preferences
        if params[:pm_id].present?
          @payment_method = PaymentMethod.find(params[:pm_id])
+          authorize! :show_provider_preferences, @payment_method
          payment_method_type = params[:provider_type]
          if @payment_method['type'].to_s != payment_method_type
            @payment_method.update_column(:type, payment_method_type)
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
@@ -43,8 +43,8 @@ class AbilityDecorator
      can [:admin, :index, :read, :create, :edit, :update, :fire], Spree::ReturnAuthorization

      # Enterprise User can only access payment methods for their distributors
-      can [:index, :create, :show_provider_preferences], Spree::PaymentMethod
-      can [:admin, :read, :update, :fire, :resend, :destroy], Spree::PaymentMethod do |payment_method|
+      can [:index, :create], Spree::PaymentMethod
+      can [:admin, :read, :update, :fire, :resend, :destroy, :show_provider_preferences], Spree::PaymentMethod do |payment_method|
        (user.enterprises & payment_method.distributors).any?
      end

--- a/spec/controllers/spree/admin/payment_methods_controller_spec.rb
+++ b/spec/controllers/spree/admin/payment_methods_controller_spec.rb
@@ -2,10 +2,13 @@ require 'spec_helper'

 describe Spree::Admin::PaymentMethodsController do
  context "Requesting provider preference fields" do
+    let(:enterprise) { create(:distributor_enterprise) }
    let(:user) do
-      user = create(:user)
-      user.spree_roles << Spree::Role.find_or_create_by_name!('admin')
-      user
+      new_user = create(:user, email: 'enterprise@hub.com', password: 'blahblah', :password_confirmation => 'blahblah', )
+      new_user.spree_roles = [] # for some reason unbeknown to me, this new user gets admin permissions by default.
+      new_user.enterprise_roles.build(enterprise: enterprise).save
+      new_user.save
+      new_user
    end

    before do
@@ -15,25 +18,46 @@ describe Spree::Admin::PaymentMethodsController do
    context "on an existing payment method" do
      let(:payment_method) { create(:payment_method) }

-      context "without an altered provider type" do
-        it "renders provider settings with same payment method" do
+      context "where I have permission" do
+        before do
+          payment_method.distributors << user.enterprises.is_distributor.first
+        end
+
+        context "without an altered provider type" do
+          it "renders provider settings with same payment method" do
+            spree_get :show_provider_preferences, {
+              pm_id: payment_method.id,
+              provider_type: "Spree::PaymentMethod::Check"
+            }
+            expect(assigns(:payment_method)).to eq payment_method
+            expect(response).to render_template partial: '_provider_settings'
+          end
+        end
+
+        context "with an altered provider type" do
+          it "renders provider settings with a different payment method" do
+            spree_get :show_provider_preferences, {
+              pm_id: payment_method.id,
+              provider_type: "Spree::Gateway::Bogus"
+            }
+            expect(assigns(:payment_method)).not_to eq payment_method
+            expect(response).to render_template partial: '_provider_settings'
+          end
+        end
+      end
+
+      context "where I do not have permission" do
+        before do
+          payment_method.distributors = []
+        end
+
+        it "renders unauthorised" do
          spree_get :show_provider_preferences, {
            pm_id: payment_method.id,
            provider_type: "Spree::PaymentMethod::Check"
          }
          expect(assigns(:payment_method)).to eq payment_method
-          expect(response).to render_template partial: '_provider_settings'
-        end
-      end
-
-      context "with an altered provider type" do
-        it "renders provider settings with a different payment method" do
-          spree_get :show_provider_preferences, {
-            pm_id: payment_method.id,
-            provider_type: "Spree::Gateway::Bogus"
-          }
-          expect(assigns(:payment_method)).not_to eq payment_method
-          expect(response).to render_template partial: '_provider_settings'
+          expect(flash[:error]).to eq "Authorization Failure"
        end
      end
    end