From d80166e80d108dbb093d962976cc6e81d64b9268 Mon Sep 17 00:00:00 2001
From: Rob H
Date: Wed, 23 Jul 2014 12:06:30 +1000
Subject: [PATCH] Restrict access to show_provider_preferences action on payment methods controller
---
 .../payment_methods_controller_decorator.rb | 2 +
 app/models/spree/ability_decorator.rb | 4 +-
 .../admin/payment_methods_controller_spec.rb | 58 +++++++++++++------
 3 files changed, 45 insertions(+), 19 deletions(-)
diff --git a/app/controllers/spree/admin/payment_methods_controller_decorator.rb b/app/controllers/spree/admin/payment_methods_controller_decorator.rb
index 648d249d71..2e5dfa19fd 100644
--- a/app/controllers/spree/admin/payment_methods_controller_decorator.rb
+++ b/app/controllers/spree/admin/payment_methods_controller_decorator.rb
@@ -1,6 +1,7 @@
 module Spree
 module Admin
 PaymentMethodsController.class_eval do
+ skip_before_filter :load_resource, only: [:show_provider_preferences]
 before_filter :load_hubs, only: [:new, :edit, :update]
 create.before :load_hubs
@@ -31,6 +32,7 @@ module Spree
 def show_provider_preferences
 if params[:pm_id].present?
 @payment_method = PaymentMethod.find(params[:pm_id])
+ authorize! :show_provider_preferences, @payment_method
 payment_method_type = params[:provider_type]
 if @payment_method['type'].to_s != payment_method_type
 @payment_method.update_column(:type, payment_method_type)
diff --git a/app/models/spree/ability_decorator.rb b/app/models/spree/ability_decorator.rb
index 5d4644fafc..a04d966ee7 100644
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
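Review bot: With `load_resource` skipped for this action (first hunk), the only authorization left is the `authorize!` added inside the `if params[:pm_id].present?` branch of `show_provider_preferences` (second hunk); whatever the action does when `pm_id` is absent — that branch lies outside the hunk — now runs without the check `load_resource` presumably performed before, so a request that omits `pm_id` reaches the rest of the action unauthorized. Add `authorize! :show_provider_preferences, PaymentMethod` on the other branch as well, or hoist a single check ahead of the `if`. Separately, `params[:provider_type]` is still written straight into the STI `type` column by `update_column` two lines below the new check, bypassing validations and callbacks; it is presumably worth rejecting values that are not among the provider classes the form offers before persisting them. The body of `show_provider_preferences` continues past the hunk.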
@@ -43,8 +43,8 @@ class AbilityDecorator
 can [:admin, :index, :read, :create, :edit, :update, :fire], Spree::ReturnAuthorization
 # Enterprise User can only access payment methods for their distributors
- can [:index, :create, :show_provider_preferences], Spree::PaymentMethod
- can [:admin, :read, :update, :fire, :resend, :destroy], Spree::PaymentMethod do |payment_method|
+ can [:index, :create], Spree::PaymentMethod
+ can [:admin, :read, :update, :fire, :resend, :destroy, :show_provider_preferences], Spree::PaymentMethod do |payment_method|
 (user.enterprises & payment_method.distributors).any?
 end
diff --git a/spec/controllers/spree/admin/payment_methods_controller_spec.rb b/spec/controllers/spree/admin/payment_methods_controller_spec.rb
index ad85f590a5..f3266f69c2 100644
--- a/spec/controllers/spree/admin/payment_methods_controller_spec.rb
+++ b/spec/controllers/spree/admin/payment_methods_controller_spec.rb
@@ -2,10 +2,13 @@ require 'spec_helper'
 describe Spree::Admin::PaymentMethodsController do
 context "Requesting provider preference fields" do
+ let(:enterprise) { create(:distributor_enterprise) }
 let(:user) do
- user = create(:user)
- user.spree_roles << Spree::Role.find_or_create_by_name!('admin')
- user
+ new_user = create(:user, email: 'enterprise@hub.com', password: 'blahblah', :password_confirmation => 'blahblah', )
+ new_user.spree_roles = [] # for some reason unbeknown to me, this new user gets admin permissions by default.
+ new_user.enterprise_roles.build(enterprise: enterprise).save
+ new_user.save
+ new_user
 end
 before do
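Review bot: Moving `:show_provider_preferences` into the block-guarded `can` only restricts checks made against a `Spree::PaymentMethod` instance; CanCan does not run the block for a class-level check, so `authorize! :show_provider_preferences, Spree::PaymentMethod` still passes for every enterprise user. That is worth recording next to the rule so callers do not rely on a class-level check, e.g. extend the existing comment to `# Enterprise User can only access payment methods for their distributors (the block is skipped for class-level checks, so controllers must authorize! the record)`. The `:index` and `:create` rule above it is intentionally unscoped, which the comment could also say.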
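Review bot: The new `let(:user)` block discards the return value of `.save` on both the enterprise role and the user, so a validation failure would silently produce a user with no enterprise, and the "where I do not have permission" examples further down would then pass for the wrong reason. Use `new_user.enterprise_roles.build(enterprise: enterprise).save!` and `new_user.save!` so the fixture fails loudly instead. The comment on `new_user.spree_roles = []` ("for some reason unbeknown to me…") documents a factory that appears to hand out admin by default; that is worth tracking down rather than papering over here, since any spec that omits this line would run as admin and never exercise the distributor scoping. The `let` block is complete within the hunk; the surrounding `context` continues past it.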
@@ -15,25 +18,46 @@ describe Spree::Admin::PaymentMethodsController do
 context "on an existing payment method" do
 let(:payment_method) { create(:payment_method) }
- context "without an altered provider type" do
- it "renders provider settings with same payment method" do
+ context "where I have permission" do
+ before do
+ payment_method.distributors << user.enterprises.is_distributor.first
+ end
+
+ context "without an altered provider type" do
+ it "renders provider settings with same payment method" do
+ spree_get :show_provider_preferences, {
+ pm_id: payment_method.id,
+ provider_type: "Spree::PaymentMethod::Check"
+ }
+ expect(assigns(:payment_method)).to eq payment_method
+ expect(response).to render_template partial: '_provider_settings'
+ end
+ end
+
+ context "with an altered provider type" do
+ it "renders provider settings with a different payment method" do
+ spree_get :show_provider_preferences, {
+ pm_id: payment_method.id,
+ provider_type: "Spree::Gateway::Bogus"
+ }
+ expect(assigns(:payment_method)).not_to eq payment_method
+ expect(response).to render_template partial: '_provider_settings'
+ end
+ end
+ end
+
+ context "where I do not have permission" do
+ before do
+ payment_method.distributors = []
+ end
+
+ it "renders unauthorised" do
 spree_get :show_provider_preferences, {
 pm_id: payment_method.id,
 provider_type: "Spree::PaymentMethod::Check"
 }
 expect(assigns(:payment_method)).to eq payment_method
- expect(response).to render_template partial: '_provider_settings'
- end
- end
-
- context "with an altered provider type" do
- it "renders provider settings with a different payment method" do
- spree_get :show_provider_preferences, {
- pm_id: payment_method.id,
- provider_type: "Spree::Gateway::Bogus"
- }
- expect(assigns(:payment_method)).not_to eq payment_method
- expect(response).to render_template partial: '_provider_settings'
+ expect(flash[:error]).to eq "Authorization Failure"
 end
 end
 end
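Review bot: The "renders unauthorised" example sends `provider_type: "Spree::PaymentMethod::Check"`, which the "without an altered provider type" example relies on being the record's existing type, so this example would still pass if the controller's `authorize!` ran after the `update_column` that rewrites `type`; it proves the flash message, not that an unauthorised request cannot mutate the record. Send the altered type instead and pin the non-mutation: `expect { spree_get :show_provider_preferences, pm_id: payment_method.id, provider_type: "Spree::Gateway::Bogus" }.not_to change { payment_method.reload.type }`. There is also no example for a request without `pm_id`, which is the path the controller's `skip_before_filter :load_resource` leaves without an `authorize!`. The enclosing `describe` block continues past the hunk.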