Update permissions on adjustments

The previous permissions assumed that an adjustment's "adjustable" could only be only line items or orders, and that's no longer true. It's now commonly a shipment or a payment as well.
2026-02-27 01:43:22 +00:00 · 2021-04-21 18:17:20 +01:00
parent 7da0dc0053
commit ecd433b343
2 changed files with 35 additions and 6 deletions
--- a/app/models/spree/ability.rb
+++ b/app/models/spree/ability.rb
@@ -290,12 +290,8 @@ module Spree
      can [:destroy], Spree::Adjustment do |adjustment|
        if user.admin?
          true
-        elsif adjustment.adjustable.instance_of? Spree::Order
-          order = adjustment.adjustable
-          user.enterprises.include?(order.distributor) ||
-            order.order_cycle.andand.coordinated_by?(user)
-        elsif adjustment.adjustable.instance_of? Spree::LineItem
-          order = adjustment.adjustable.order
+        else
+          order = adjustment.order
          user.enterprises.include?(order.distributor) ||
            order.order_cycle.andand.coordinated_by?(user)
        end
--- a/spec/controllers/spree/admin/adjustments_controller_spec.rb
+++ b/spec/controllers/spree/admin/adjustments_controller_spec.rb
@@ -91,6 +91,39 @@ module Spree
      end
    end

+    describe "#delete" do
+      let!(:order) { create(:completed_order_with_totals) }
+      let(:payment_fee) { create(:adjustment, amount: 0.50, order: order, adjustable: order.payments.first) }
+
+      context "as an enterprise user with edit permissions on the order" do
+        before do
+          order.adjustments << payment_fee
+          controller_login_as_enterprise_user([order.distributor])
+        end
+
+        it "deletes the adjustment" do
+          spree_delete :destroy, order_id: order.number, id: payment_fee.id
+
+          expect(response).to redirect_to spree.admin_order_adjustments_path(order)
+          expect(order.reload.all_adjustments.count).to be_zero
+        end
+      end
+
+      context "as an enterprise user with no permissions on the order" do
+        before do
+          order.adjustments << payment_fee
+          controller_login_as_enterprise_user([create(:enterprise)])
+        end
+
+        it "is unauthorized, does not delete the adjustment" do
+          spree_delete :destroy, order_id: order.number, id: payment_fee.id
+
+          expect(response).to redirect_to unauthorized_path
+          expect(order.reload.all_adjustments.count).to eq 1
+        end
+      end
+    end
+
    describe "with a cancelled order" do
      let(:order) { create(:completed_order_with_totals) }
      let(:tax_rate) { create(:tax_rate, amount: 0.1, calculator: ::Calculator::DefaultTax.new) }