load customers of managed enterprises only

Mohamed ABDELLANI
2023-03-22 10:23:52 +01:00
parent 15058299d8
commit da78e06a39
2 changed files with 35 additions and 7 deletions


@@ -80,9 +80,12 @@ module Api
end
def visible_customers
current_api_user.customers.or(
Customer.where(enterprise_id: editable_enterprises)
)
Customer.of(managed_enterprise_ids)
end
def managed_enterprise_ids
@managed_enterprise_ids ||= Enterprise.managed_by(current_api_user).
select('enterprises.id')
end
def customer_params
@@ -106,10 +109,6 @@ module Api
attributes
end
def editable_enterprises
OpenFoodNetwork::Permissions.new(current_api_user).editable_enterprises.select(:id)
end
def include_options
fields = [params.fetch(:include, [])].flatten
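Review bot: `visible_customers` is now the only place in these hunks that narrows access to managed enterprises, and nothing visible shows whether the single-record actions (show, update, destroy) load their customer through this scope or through a separate authorization check. If those paths still rely on the broader edit-profile permission set, a user holding only `edit_profile` could presumably still reach a customer by id even though the index now hides it, so it is worth confirming them and adding a request spec for a by-id lookup under that context. A comment above the method would make the boundary explicit, for example `# Authorization scope: customers of enterprises the user manages; edit_profile relationships grant no access.` The bodies of `customer_params` and `include_options` continue outside the hunks.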


@@ -5,6 +5,8 @@ require "swagger_helper"
describe "Customers", type: :request do
let!(:enterprise1) { create(:enterprise, name: "The Farm") }
let!(:enterprise2) { create(:enterprise) }
let!(:enterprise3) { create(:enterprise) }
let!(:customer1) {
create(
:customer,
@@ -74,6 +76,33 @@ describe "Customers", type: :request do
end
end
context "as a user who manages the enterprise" do
let!(:user){ enterprise3.users.first }
before do
EnterpriseRole.create!(user: user, enterprise: enterprise1)
login_as user
end
it "returns customers of enterprises the user manages" do
get "/api/v1/customers"
expect(json_response_ids).to eq [customer1.id.to_s, customer2.id.to_s]
end
end
context "as an enterprise that has edit profile permission" do
let!(:user){ enterprise3.users.first }
before do
EnterpriseRelationship.create!(parent: enterprise1, child: enterprise3,
permissions_list: [:edit_profile])
login_as user
end
it "shoult not return customers of the managed enterprise" do
get "/api/v1/customers"
expect(json_response_ids).to eq []
end
end
context "with ransack params searching for specific customers" do
before { login_as enterprise2.owner }
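Review bot: The description in the second added context, `it "shoult not return customers of the managed enterprise"`, has a typo and names the wrong relationship: the user there only holds `edit_profile` on enterprise1 and does not manage it, so `it "does not return customers of the enterprise that granted edit_profile"` would state the authorization rule actually being pinned. The positive example asserts `eq [customer1.id.to_s, customer2.id.to_s]`, which depends on response order; if the index applies no explicit ordering (not visible here), `match_array` would be more robust. Neither added context covers the removed `current_api_user.customers` branch, so a spec for a user who is a customer of an enterprise they do not manage would pin that the record is no longer listed. The trailing `context "with ransack params searching for specific customers"` block continues outside the hunk.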