From e48cdeba20cc836f1c9ade2d29628635ac126019 Mon Sep 17 00:00:00 2001
From: Gaetan Craig-Riou <gaetan.riou@gmail.com>
Date: Wed, 13 Mar 2024 16:08:57 +1100
Subject: [PATCH] Fix product related permissions

---
 lib/open_food_network/permissions.rb          | 26 ++++++++++---------
 .../lib/open_food_network/permissions_spec.rb | 20 +++++++-------
 2 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/lib/open_food_network/permissions.rb b/lib/open_food_network/permissions.rb
index 27a0312a7f..87f43f052f 100644
--- a/lib/open_food_network/permissions.rb
+++ b/lib/open_food_network/permissions.rb
@@ -62,28 +62,26 @@ module OpenFoodNetwork
     def editable_products
       return Spree::Product.all if admin?
 
-      Spree::Product.where(supplier_id: @user.enterprises).or(
-        Spree::Product.where(supplier_id: related_enterprises_granting(:manage_products))
+      product_with_variants.where(spree_variants: { supplier_id: @user.enterprises }).or(
+        product_with_variants.where(
+          spree_variants: { supplier_id: related_enterprises_granting(:manage_products) }
+        )
       )
     end
 
     def visible_products
       return Spree::Product.all if admin?
 
-      Spree::Product.where(
-        supplier_id: @user.enterprises
-      ).or(
-        Spree::Product.where(
-          supplier_id: related_enterprises_granting(:manage_products) |
-            related_enterprises_granting(:add_to_order_cycle)
+      product_with_variants.where(spree_variants: { supplier_id: @user.enterprises }).or(
+        product_with_variants.where(
+          spree_variants: {
+            supplier_id: related_enterprises_granting(:manage_products) |
+              related_enterprises_granting(:add_to_order_cycle)
+          }
         )
       )
     end
 
-    def product_ids_supplied_by(supplier_ids)
-      Spree::Product.where(supplier_id: supplier_ids).select(:id)
-    end
-
     def managed_product_enterprises
       managed_and_related_enterprises_granting :manage_products
     end
@@ -176,5 +174,9 @@ module OpenFoodNetwork
     def managed_enterprise_products
       Spree::Product.managed_by(@user)
     end
+
+    def product_with_variants
+      Spree::Product.joins(:variants)
+    end
   end
 end
diff --git a/spec/lib/open_food_network/permissions_spec.rb b/spec/lib/open_food_network/permissions_spec.rb
index 457b1fd98f..d0c678a874 100644
--- a/spec/lib/open_food_network/permissions_spec.rb
+++ b/spec/lib/open_food_network/permissions_spec.rb
@@ -190,8 +190,8 @@ module OpenFoodNetwork
     end
 
     describe "#editable_products" do
-      let!(:p1) { create(:simple_product, supplier: create(:supplier_enterprise) ) }
-      let!(:p2) { create(:simple_product, supplier: create(:supplier_enterprise) ) }
+      let!(:p1) { create(:simple_product, supplier_id: create(:supplier_enterprise).id ) }
+      let!(:p2) { create(:simple_product, supplier_id: create(:supplier_enterprise).id ) }
 
       before do
         allow(permissions).to receive(:managed_enterprise_products) { Spree::Product.where('1=0') }
@@ -202,7 +202,7 @@ module OpenFoodNetwork
 
       it "returns products produced by managed enterprises" do
         allow(user).to receive(:admin?) { false }
-        allow(user).to receive(:enterprises) { [p1.supplier] }
+        allow(user).to receive(:enterprises) { [p1.variants.first.supplier] }
 
         expect(permissions.editable_products).to eq([p1])
       end
@@ -211,7 +211,7 @@ module OpenFoodNetwork
         allow(user).to receive(:admin?) { false }
         allow(user).to receive(:enterprises) { [] }
         allow(permissions).to receive(:related_enterprises_granting).
-          with(:manage_products) { Enterprise.where(id: p2.supplier) }
+          with(:manage_products) { Enterprise.where(id: p2.variants.first.supplier) }
 
         expect(permissions.editable_products).to eq([p2])
       end
@@ -226,9 +226,9 @@ module OpenFoodNetwork
     end
 
     describe "finding visible products" do
-      let!(:p1) { create(:simple_product, supplier: create(:supplier_enterprise) ) }
-      let!(:p2) { create(:simple_product, supplier: create(:supplier_enterprise) ) }
-      let!(:p3) { create(:simple_product, supplier: create(:supplier_enterprise) ) }
+      let!(:p1) { create(:simple_product, supplier_id: create(:supplier_enterprise).id ) }
+      let!(:p2) { create(:simple_product, supplier_id: create(:supplier_enterprise).id ) }
+      let!(:p3) { create(:simple_product, supplier_id: create(:supplier_enterprise).id ) }
 
       before do
         allow(permissions).to receive(:managed_enterprise_products) { Spree::Product.where("1=0") }
@@ -242,7 +242,7 @@ module OpenFoodNetwork
 
       it "returns products produced by managed enterprises" do
         allow(user).to receive(:admin?) { false }
-        allow(user).to receive(:enterprises) { Enterprise.where(id: p1.supplier_id) }
+        allow(user).to receive(:enterprises) { Enterprise.where(id: p1.variants.first.supplier_id) }
 
         expect(permissions.visible_products).to eq([p1])
       end
@@ -251,7 +251,7 @@ module OpenFoodNetwork
         allow(user).to receive(:admin?) { false }
         allow(user).to receive(:enterprises) { [] }
         allow(permissions).to receive(:related_enterprises_granting).
-          with(:manage_products) { Enterprise.where(id: p2.supplier) }
+          with(:manage_products) { Enterprise.where(id: p2.variants.first.supplier) }
 
         expect(permissions.visible_products).to eq([p2])
       end
@@ -260,7 +260,7 @@ module OpenFoodNetwork
         allow(user).to receive(:admin?) { false }
         allow(user).to receive(:enterprises) { [] }
         allow(permissions).to receive(:related_enterprises_granting).
-          with(:add_to_order_cycle) { Enterprise.where(id: p3.supplier).select(:id) }
+          with(:add_to_order_cycle) { Enterprise.where(id: p3.variants.first.supplier).select(:id) }
 
         expect(permissions.visible_products).to eq([p3])
       end