From f81f4b7e4a26988b580aa7fa51e0de2faacd54f2 Mon Sep 17 00:00:00 2001
From: Kristina Lim
Date: Thu, 1 Nov 2018 22:35:27 +0800
Subject: [PATCH] Authorize filters before generating enterprise fee report
---
 .../enterprise_fee_summary_report_controller.rb | 11 +++++++++++
 config/locales/en.yml | 1 +
 .../enterprise_fee_summary/authorizer.rb | 11 +++++++++--
 ...rprise_fee_summary_report_controller_spec.rb | 17 ++++++++++++++++-
 4 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/app/controllers/spree/admin/reports/enterprise_fee_summary_report_controller.rb b/app/controllers/spree/admin/reports/enterprise_fee_summary_report_controller.rb
index f0236c21a3..948c7ce3f5 100644
--- a/app/controllers/spree/admin/reports/enterprise_fee_summary_report_controller.rb
+++ b/app/controllers/spree/admin/reports/enterprise_fee_summary_report_controller.rb
@@ -1,6 +1,7 @@
 require "open_food_network/reports"
 require "order_management/reports/enterprise_fee_summary/parameters"
 require "order_management/reports/enterprise_fee_summary/permissions"
+require "order_management/reports/enterprise_fee_summary/authorizer"
 require "order_management/reports/enterprise_fee_summary/report_service"
 require "order_management/reports/enterprise_fee_summary/renderers/csv_renderer"
 require "order_management/reports/enterprise_fee_summary/renderers/html_renderer"
@@ -11,13 +12,19 @@ module Spree
 class EnterpriseFeeSummaryReportController < BaseController
 before_filter :load_report_parameters, only: [:index]
 before_filter :load_permissions, only: [:index]
+ before_filter :load_authorizer, only: [:index]
 def index
 return render_report_form if params[:report].blank?
 return respond_to_invalid_parameters unless @report_parameters.valid?
+ @authorizer.authorize!
 @report = report_klass::ReportService.new(@report_parameters, report_renderer_klass)
+
 render_report
+ rescue OpenFoodNetwork::Reports::Authorizer::ParameterNotAllowedError => e
+ flash[:error] = e.message
+ render_report_form
 end
 private 
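Review bot: The rescue branch in `index` copies `e.message` straight into `flash[:error]`, so the user-facing text is only the translated message when the raise site supplies one; a `ParameterNotAllowedError` raised anywhere without an explicit message (Ruby then uses the class name as the message) would surface the internal class name in the UI. Since the controller already resolves `report_klass`, the flash can be pinned to the translated constant instead: `flash[:error] = report_klass::Authorizer::PARAMETER_NOT_ALLOWED_ERROR`. The new `load_authorizer` filter (in the next hunk) builds the authorizer from `@report_parameters` and `@permissions`, so it must stay after the two existing before_filters; a comment on the new filter line, `# depends on @report_parameters and @permissions loaded by the filters above`, would make that ordering constraint explicit.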
@@ -47,6 +54,10 @@ module Spree
 @permissions = report_klass::Permissions.new(spree_current_user)
 end
+ def load_authorizer
+ @authorizer = report_klass::Authorizer.new(@report_parameters, @permissions)
+ end
+
 def render_report
 return render_html_report unless @report.renderer.independent_file?
 send_data(@report.render, filename: @report.filename)
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 7136e06dab..b309175379 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2694,6 +2694,7 @@ See the %{link} to find out more about %{sitename}'s features and to start using
 reports:
 enterprise_fee_summary:
 date_end_before_start_error: "must be after start"
+ parameter_not_allowed_error: "You are not authorized to use one or more selected filters for this report."
 fee_calculated_on_transfer_through_all: "All"
 fee_type:
 payment_method: "Payment Transaction"
diff --git a/lib/order_management/reports/enterprise_fee_summary/authorizer.rb b/lib/order_management/reports/enterprise_fee_summary/authorizer.rb
index c2b7a36919..073c0282b5 100644
--- a/lib/order_management/reports/enterprise_fee_summary/authorizer.rb
+++ b/lib/order_management/reports/enterprise_fee_summary/authorizer.rb
@@ -4,6 +4,10 @@ module OrderManagement
 module Reports
 module EnterpriseFeeSummary
 class Authorizer < OpenFoodNetwork::Reports::Authorizer
+ @i18n_scope = "order_management.reports.enterprise_fee_summary"
+
+ PARAMETER_NOT_ALLOWED_ERROR = I18n.t("parameter_not_allowed_error", scope: @i18n_scope)
+
 def authorize!
 authorize_by_distribution!
 authorize_by_fee! 
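Review bot: `PARAMETER_NOT_ALLOWED_ERROR` calls `I18n.t` in the class body, so the message is translated exactly once, in whatever locale is active when `authorizer.rb` is first loaded, and every later request receives that same string regardless of the requesting user's locale. If this error is meant to be localised, resolve it at raise time instead, e.g. a class method `def self.parameter_not_allowed_error` returning `I18n.t("parameter_not_allowed_error", scope: @i18n_scope)`, and have `require_ids_allowed` and the new spec (which reads the constant) call the method. If the constant is deliberately kept, a comment such as `# Translated once at load time, in the locale active when this class loads` would stop the next reader from assuming per-request translation. Whether the base `OpenFoodNetwork::Reports::Authorizer` also reads `@i18n_scope` is outside this patch; if it does, that dependency deserves a mention on the ivar line.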
@@ -24,8 +28,11 @@ module OrderManagement
 end
 def require_ids_allowed(array, allowed_objects)
- raise OpenFoodNetwork::Reports::Authorizer::ParameterNotAllowedError \
- if (array - allowed_objects.map(&:id).map(&:to_s)).any?
+ error_klass = OpenFoodNetwork::Reports::Authorizer::ParameterNotAllowedError
+ error_message = PARAMETER_NOT_ALLOWED_ERROR
+ ids_allowed = (array - allowed_objects.map(&:id).map(&:to_s)).blank?
+
+ raise error_klass, error_message unless ids_allowed
 end
 end
 end
diff --git a/spec/controllers/spree/admin/reports/enterprise_fee_summary_report_controller_spec.rb b/spec/controllers/spree/admin/reports/enterprise_fee_summary_report_controller_spec.rb
index 7b058d233e..7905a5354e 100644
--- a/spec/controllers/spree/admin/reports/enterprise_fee_summary_report_controller_spec.rb
+++ b/spec/controllers/spree/admin/reports/enterprise_fee_summary_report_controller_spec.rb
@@ -6,7 +6,7 @@ describe Spree::Admin::Reports::EnterpriseFeeSummaryReportController, type: :con
 let(:current_user) { admin }
 before do
- allow(controller).to receive(:spree_current_user) { admin }
+ allow(controller).to receive(:spree_current_user) { current_user }
 end
 describe "#index" do
@@ -37,6 +37,21 @@ describe Spree::Admin::Reports::EnterpriseFeeSummaryReportController, type: :con
 expect(response).to render_template(view_template_path)
 end
 end
+
+ context "when some parameters are now allowed" do
+ let!(:distributor) { create(:distributor_enterprise) }
+ let!(:other_distributor) { create(:distributor_enterprise) }
+
+ let(:current_user) { distributor.owner }
+
+ it "renders the report form with an error" do
+ get :index, report: { distributor_ids: [other_distributor.id] }, report_format: "csv"
+
+ expect(flash[:error]).to eq(report_klass::Authorizer::PARAMETER_NOT_ALLOWED_ERROR)
+ expect(response)
+ .to render_template("spree/admin/reports/enterprise_fee_summary_report/index")
+ end
+ end
 end
 def i18n_scope
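Review bot: Switching the check in `require_ids_allowed` from `.any?` to `.blank?` quietly tightens the rule: a `nil` entry in `array` used to pass (nil is falsy under `any?`) and now raises, and because allowed ids are compared as strings, any non-string entry also fails closed rather than open. That is the right direction for an authorization gate, but nothing in the code says it is intentional, so a comment above the subtraction, `# Compared as strings; any entry not matching an allowed id (including nil) is rejected`, would protect it from a later "simplification" back to `any?`. The `error_klass` and `error_message` locals are each used once and could be folded into the `raise` line without losing readability.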
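Review bot: The new context description reads "when some parameters are now allowed" while the scenario exercises the opposite case (a distributor id the current user does not own), so it should be `context "when some parameters are not allowed" do`. The example pins the flash message and the re-rendered form, which covers the fail-closed path; a sibling example in which `current_user` owns `distributor` and requests `distributor_ids: [distributor.id]` would document that the authorizer does not also block legitimate owners, assuming the surrounding spec does not already cover that.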