Enterprise manager can edit products from enterprises it has manage_products permission on

2026-01-28 21:07:16 +00:00 · 2014-09-01 11:49:09 +10:00
parent b7708d750b
commit fe1c60ba47
3 changed files with 23 additions and 12 deletions
--- a/app/models/spree/ability_decorator.rb
+++ b/app/models/spree/ability_decorator.rb
@@ -43,12 +43,12 @@ class AbilityDecorator
    # Enterprise User can only access products that they are a supplier for
    can [:create], Spree::Product
    can [:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], Spree::Product do |product|
-      user.enterprises.include? product.supplier
+      OpenFoodNetwork::Permissions.new(user).managed_product_enterprises.include? product.supplier
    end

    can [:create], Spree::Variant
    can [:admin, :index, :read, :edit, :update, :search, :destroy], Spree::Variant do |variant|
-      user.enterprises.include? variant.product.supplier
+      OpenFoodNetwork::Permissions.new(user).managed_product_enterprises.include? variant.product.supplier
    end

    can [:admin, :index, :read, :create, :edit, :update_positions, :destroy], Spree::ProductProperty
--- a/spec/features/admin/bulk_product_update_spec.rb
+++ b/spec/features/admin/bulk_product_update_spec.rb
@@ -780,19 +780,19 @@ feature %q{
    end

    it "allows me to update a product" do
-      p = product_supplied
+      p = product_supplied_permitted

      visit '/admin/products/bulk_edit'
      first("div#columns_dropdown", :text => "COLUMNS").click
      first("div#columns_dropdown div.menu div.menu_item", text: "Available On").click

-      expect(page).to have_field "product_name", with: p.name
-      expect(page).to have_select "producer", selected: supplier_managed1.name
-      expect(page).to have_field "available_on", with: p.available_on.strftime("%F %T")
-      expect(page).to have_field "price", with: "10.0"
-      expect(page).to have_field "on_hand", with: "6"
+      within "tr#p_#{p.id}" do
+        expect(page).to have_field "product_name", with: p.name
+        expect(page).to have_select "producer", selected: supplier_permitted.name
+        expect(page).to have_field "available_on", with: p.available_on.strftime("%F %T")
+        expect(page).to have_field "price", with: "10.0"
+        expect(page).to have_field "on_hand", with: "6"

-      within("tr#p_#{product_supplied.id}") do
        fill_in "product_name", with: "Big Bag Of Potatoes"
        select(supplier_managed2.name, :from => 'producer')
        fill_in "available_on", with: (Date.today-3).strftime("%F %T")
--- a/spec/models/spree/ability_spec.rb
+++ b/spec/models/spree/ability_spec.rb
@@ -51,14 +51,17 @@ module Spree
      # create enterprises
      let(:s1) { create(:supplier_enterprise) }
      let(:s2) { create(:supplier_enterprise) }
+      let(:s_related) { create(:supplier_enterprise) }
      let(:d1) { create(:distributor_enterprise) }
      let(:d2) { create(:distributor_enterprise) }

      let(:p1) { create(:product, supplier: s1, distributors:[d1, d2]) }
      let(:p2) { create(:product, supplier: s2, distributors:[d1, d2]) }
+      let(:p_related) { create(:product, supplier: s_related) }

      let(:er1) { create(:enterprise_relationship, parent: s1, child: d1) }
      let(:er2) { create(:enterprise_relationship, parent: d1, child: s1) }
+      let(:er_p) { create(:enterprise_relationship, parent: s_related, child: s1, permissions_list: [:manage_products]) }

      subject { user }
      let(:user) { nil }
@@ -74,12 +77,20 @@ module Spree

        let(:order) {create(:order)}

-        it "should be able to read/write their enterprises' products" do
+        it "should be able to read/write their enterprises' products and variants" do
          should have_ability([:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], for: p1)
+          should have_ability([:admin, :index, :read, :edit, :update, :search, :destroy], for: p1.master)
        end

-        it "should not be able to read/write other enterprises' products" do
+        it "should be able to read/write related enterprises' products and variants with manage_products permission" do
+          er_p
+          should have_ability([:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], for: p_related)
+          should have_ability([:admin, :index, :read, :edit, :update, :search, :destroy], for: p_related.master)
+        end
+
+        it "should not be able to read/write other enterprises' products and variants" do
          should_not have_ability([:admin, :read, :update, :product_distributions, :bulk_edit, :bulk_update, :clone, :destroy], for: p2)
+          should_not have_ability([:admin, :index, :read, :edit, :update, :search, :destroy], for: p2.master)
        end

        it "should not be able to access admin actions on orders" do
@@ -247,7 +258,7 @@ module Spree
        end
      end

-      context 'Enterprise manager' do
+      context 'enterprise manager' do
        let (:user) do
          user = create(:user)
          user.spree_roles = []