authorize distributor manager to generate invoices

2026-01-29 21:17:17 +00:00 · 2023-07-04 09:38:47 +01:00
parent 11a4cd8613
commit f68064480a
2 changed files with 50 additions and 2 deletions
--- a/app/models/spree/ability.rb
+++ b/app/models/spree/ability.rb
@@ -29,7 +29,6 @@ module Spree
        can :update, Order do |order, token|
          order.user == user || order.token && token == order.token
        end
-        can [:index], :invoice
        can [:index, :read], Product
        can [:index, :read], ProductProperty
        can [:index, :read], Property
@@ -276,7 +275,7 @@ module Spree
      can [:admin, :bulk_management, :managed, :distribution], Spree::Order do
        user.admin? || user.enterprises.any?(&:is_distributor)
      end
-      can [:admin, :create, :show, :poll], :invoice
+      can [:admin, :index, :create, :show, :poll, :generate], :invoice
      can [:admin, :visible], Enterprise
      can [:admin, :index, :create, :update, :destroy], :line_item
      can [:admin, :index, :create], Spree::LineItem
--- a/spec/controllers/spree/admin/orders/invoices_spec.rb
+++ b/spec/controllers/spree/admin/orders/invoices_spec.rb
@@ -147,4 +147,53 @@ describe Spree::Admin::InvoicesController, type: :controller do
      end
    end
  end
+
+  describe "#generate" do
+    let(:user) { create(:user) }
+    let(:enterprise_user) { create(:user, enterprises: [create(:enterprise)]) }
+    let(:order) {
+      create(:order_with_distributor, bill_address: create(:address),
+                                      ship_address: create(:address))
+    }
+    let(:distributor) { order.distributor }
+    let(:params) { { order_id: order.number } }
+
+    context "as a normal user" do
+      before { allow(controller).to receive(:spree_current_user) { user } }
+
+      it "should prevent me from generating invoices for the order" do
+        expect do
+          spree_get :generate, params
+        end.to change{ Invoice.count }.by(0)
+
+        expect(response).to redirect_to unauthorized_path
+      end
+    end
+
+    context "as an enterprise user" do
+      context "which is not a manager of the distributor for an order" do
+        before { allow(controller).to receive(:spree_current_user) { enterprise_user } }
+
+        it "should prevent me from generating invoices for the order" do
+          expect do
+            spree_get :generate, params
+          end.to change{ Invoice.count }.by(0)
+
+          expect(response).to redirect_to unauthorized_path
+        end
+      end
+
+      context 'which is a manager of the distributor for an order' do
+        before { allow(controller).to receive(:spree_current_user) { distributor.owner } }
+
+        it "should allow me to generate a new invoice for the order" do
+          expect do
+            spree_get :generate, params
+          end.to change{ Invoice.count }.by(1)
+
+          expect(response).to redirect_to spree.admin_dashboard_path
+        end
+      end
+    end
+  end
 end