Greg Austic
c72976b1e2
Fix guest order cancellation redirecting to home page
...
When a guest places an order and tries to cancel it from the order
confirmation page, the cancellation silently failed and redirected
to the home page. The guest was left unsure whether the order was
cancelled, and the hub received no cancellation notification.
Root cause: two missing pieces for guest (token-based) authorization:
1. The `:cancel` ability in Ability#add_shopping_abilities only checked
`order.user == user`, ignoring the guest token. The `:read` and
`:update` abilities already support `order.token && token == order.token`
as a fallback — `:cancel` now does the same.
2. The `cancel` action called `authorize! :cancel, @order` without
passing `session[:access_token]`, so even with the corrected ability
the token was never evaluated.
Fixes #13817
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-27 09:05:47 -04:00
Ahmed Ejaz
715a8f421a
14081: fix permission issue for deleting manager
2026-03-21 03:38:38 +05:00
Rachel Arnould
27be0f6fd1
Merge pull request #13912 from dacook/sourced-variant1-13887
...
Create linked variants
2026-03-20 10:59:46 +01:00
Gaetan Craig-Riou
c134bbf49b
Add missing ability for credit customer
...
Fix the specs to use a non super admin user, so it should catch missing
ability in the future.
2026-03-11 15:34:27 +11:00
David Cook
e9ce2df5a9
Rename 'source variant' to linked variant (in most places)
...
There are two types of linked variant associations: source and target, so we need to keep the name there.
But when cloning a variant and retaining a link as source, we will prefer the general term 'linked variant'. Hopefully this name works well.
2026-03-11 11:09:13 +11:00
David Cook
940aa57daf
Set up permissions for creating source variants
2026-03-11 11:07:08 +11:00
Gaetan Craig-Riou
fec5516fce
Backoffice customer, Add pop up to list customer payments
2026-03-10 16:07:42 +11:00
Gaetan Craig-Riou
be7be9bbc6
Add api endpoint to create customer transactions
...
Plus specs and documentation
2026-03-10 16:07:41 +11:00
Cillian O'Ruanaidh
f1071575cd
Remove Angular from Enterprise > Settings > Users section
2026-03-04 10:28:36 +11:00
Ahmed Ejaz
99e238d92d
Improve reports AJAX search safety, permissions, and TomSelect UX
...
- Sanitize AJAX search queries to safely support wildcard searches (ILIKE)
- Centralize reports search actions in Spree::Ability and reuse across roles
- Fix TomSelect remote loading to fetch on dropdown open and typing
- Surface HTTP errors in TomSelect via showHttpError and improve error handling
- Update dropdown behavior to show proper “no results” feedback
- Move reports AJAX specs to request specs and expand pagination coverage
- Simplify searchable dropdown component attribute passing
2026-02-04 02:25:41 +05:00
Ahmed Ejaz
a3c08ceb7c
Add AJAX search functionality for enterprise fees and related entities in reports
2025-12-30 01:25:25 +05:00
Gaetan Craig-Riou
460d109bd2
Update product ability
...
A user has product permission if it is a supplier of at least one of the
product's variants
2025-11-11 11:35:19 +11:00
Gaetan Craig-Riou
1a68236c3c
Add variant_tag_rule ability
...
It's needed to allow enterprise user to get a tag autocomplete. Classic
mistake of not testing with a non superadmin user.
2025-11-03 14:25:48 +11:00
Rachel Arnould
c4c266246c
Merge pull request #13507 from rioug/tag-rules-remove-angular
...
[Variant Tags] Remove angular from tag rule admin page
2025-10-15 23:16:05 +02:00
Maikel Linke
7a12e7426f
Pass actors instead of AR associations to Flipper
...
Apparently they removed support for checking collections of actors.
2025-10-14 13:32:51 +11:00
Gaetan Craig-Riou
7e48007d09
Add new tag group and add rule to tag group
2025-09-24 10:40:43 +10:00
Gaetan Craig-Riou
7087d1b290
Add default tag rule
...
I tried to leverage turbo as much as possible
2025-09-24 10:38:53 +10:00
Gaetan Craig-Riou
cd8b7cd239
First step disable inventory
2025-07-09 11:35:26 +10:00
Ahmed Ejaz
7725fae992
Refactor order cycle and order management abilities to improve producer edit permissions
2025-06-29 19:13:31 +05:00
Ahmed Ejaz
020d90b957
Enhance line item management abilities by consolidating permissions for Spree::Order
2025-06-21 16:19:31 +05:00
Ahmed Ejaz
a37e08c2fd
Refactor order management permissions for producers
...
Introduces granular permissions control for producers editing orders:
- Adds new :edit_as_producer_only permission for suppliers
- Refactors ability checks to clearly separate producer vs admin/distributor access
- Updates order views to properly restrict actions based on user role
- Prevents admins from being restricted by producer-only edit mode
2025-06-21 16:16:58 +05:00
Maikel Linke
be312246ec
Stop referring to stock movements
2025-05-13 15:24:26 +10:00
Ahmed Ejaz
213209b460
hide customer info on bulk orders page
2025-04-13 21:35:55 +05:00
Ahmed Ejaz
ccfd0edbf1
fix lint issues
2025-04-13 21:35:55 +05:00
Ahmed Ejaz
3e71f8293c
add bulk_management ability
2025-04-13 21:35:55 +05:00
Ahmed Ejaz
19c5fec9a9
add ability update supplier line_items in orders
2025-04-13 21:35:55 +05:00
Ahmed Ejaz
0a61910cf6
add ability to view supplier products containing orders
2025-04-13 21:35:55 +05:00
David Cook
447ff3cffd
Show list of products to import
...
If there's a matching product in OFN already, a link will appear.
2025-02-06 16:28:15 +11:00
Maikel Linke
54f83b45c8
Replace has_spree_role? with simpler admin?
...
We have only one role, so let's get rid of the unneeded method.
Now we are in a better place to get rid of Spree::Role and replace it
with a simple boolean.
2024-12-19 09:19:01 +11:00
Ahmed Ejaz
654263a823
add systems spec
2024-11-15 11:09:56 +01:00
Maikel Linke
4b1d7d8a41
Remove dead permission to access StockLocation
...
We don't have any UI to edit stock locations. So this ability is unused.
2024-10-03 08:24:15 +10:00
Filipe
562a24524b
Merge pull request #12848 from rioug/12770-product-preview
...
Product preview
2024-09-19 15:20:18 -06:00
David Cook
a9ad6a2851
Grant product managers ability to create reports
...
We missed this in c31416c, oops.
2024-09-17 13:08:49 +10:00
Gaetan Craig-Riou
a25937321a
Remove ability of any admin user to see all product
...
And fix related spec
2024-09-17 11:46:55 +10:00
Maikel Linke
c31416c536
Separate showing and rendering report
2024-08-16 14:37:57 +10:00
wandji20
a85cfab506
Remove awesome nested set gem and dependencies [OFN-11636]
2024-08-12 18:47:16 +01:00
Gaetan Craig-Riou
859f7efd02
Fix Spree:Ability
2024-07-03 10:17:49 +10:00
Ahmed Ejaz
349862c72e
11987: fix specs
2024-06-20 13:41:41 +05:00
Ahmed Ejaz
e932dabacb
12398: fix failing specs
2024-05-30 14:17:57 +05:00
David Cook
b846d0f517
Add ability to bulk update products for product managers
...
I forgot to do this in #12328 [BUU] Remove Stimulus Reflex from Products screen
2024-04-24 10:56:30 +10:00
Maikel Linke
96ccea3691
Add controller to handle import of DFC products
...
It's not doing anything yet, but this is the basic setup.
2024-03-15 11:40:10 +11:00
Maikel Linke
4d8bb25f86
Allow enterprise users to disconnect their OIDC account
2024-02-22 10:21:58 +11:00
Maikel Linke
78e42ec664
Show Connected Apps only to enterprise managers
...
Super-admins also saw that tab but connecting an app doesn't work unless
you are a manager of that enterprise.
2024-01-11 12:20:40 +11:00
Matt-Yorkley
a93809b75f
Remove associated abilities
2023-08-08 11:36:31 +01:00
Neal Chambers
e9f448fad9
Safely autocorrect Lint/AmbiguousOperatorPrecedence
...
Inspecting 1480 files
Offenses:
app/models/calculator/flexi_rate.rb:38:7: W: [Corrected] Lint/AmbiguousOperatorPrecedence: Wrap expressions with varying precedence with parentheses to avoid ambiguity.
count * preferred_additional_item.to_f + preferred_first_item.to_f
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
app/models/enterprise.rb:362:12: W: [Corrected] Lint/AmbiguousOperatorPrecedence: Wrap expressions with varying precedence with parentheses to avoid ambiguity.
cat << "sells_" + sells
^^^^^^^^^^^^^^^^
app/models/enterprise.rb:496:21: W: [Corrected] Lint/AmbiguousOperatorPrecedence: Wrap expressions with varying precedence with parentheses to avoid ambiguity.
phone_number && "https://wa.me/" + phone_number.tr('+ ', '')
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
app/models/spree/ability.rb:27:33: W: [Corrected] Lint/AmbiguousOperatorPrecedence: Wrap expressions with varying precedence with parentheses to avoid ambiguity.
order.user == user || order.token && token == order.token
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
app/models/spree/ability.rb:30:33: W: [Corrected] Lint/AmbiguousOperatorPrecedence: Wrap expressions with varying precedence with parentheses to avoid ambiguity.
order.user == user || order.token && token == order.token
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
app/models/spree/line_item.rb:205:16: W: [Corrected] Lint/AmbiguousOperatorPrecedence: Wrap expressions with varying precedence with parentheses to avoid ambiguity.
(price + fees / quantity).round(2)
^^^^^^^^^^^^^^^
app/models/spree/preferences/store.rb:28:11: W: [Corrected] Lint/AmbiguousOperatorPrecedence: Wrap expressions with varying precedence with parentheses to avoid ambiguity.
should_persist? && Spree::Preference.where(key: key).exists?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1480 files inspected, 7 offenses detected, 7 offenses corrected
2023-07-30 21:29:19 +09:00
Jean-Baptiste Bellet
2a81a9acfb
Add ability for non super-admin user to see products_v3 page
2023-07-25 09:20:25 +02:00
Mohamed ABDELLANI
f68064480a
authorize distributor manager to generate invoices
2023-07-06 17:36:13 +01:00
Mohamed ABDELLANI
3a9a023dea
authorize enterprise users to access invoices page
2023-07-06 17:36:13 +01:00
Matt-Yorkley
a20277c3a7
Completely remove option_values and option_types from the codebase
2023-06-01 10:12:19 +01:00
Jean-Baptiste Bellet
7e306693a8
Use Rails standard naming: same name for the route and the method
2023-04-19 10:15:35 +02:00