From 19de8ca31989960bce1256c167d3e2341516fe96 Mon Sep 17 00:00:00 2001
From: Sylvain <sylvain@sbx.pm>
Date: Wed, 6 May 2020 09:58:08 +0200
Subject: [PATCH] fix: manager can offer slot to other users

---
 app/assets/javascripts/directives/cart.js.erb   | 14 ++++++++++++++
 app/assets/templates/shared/_cart.html.erb      |  2 +-
 app/controllers/api/prices_controller.rb        |  2 +-
 app/controllers/api/reservations_controller.rb  |  2 +-
 app/controllers/api/subscriptions_controller.rb |  2 +-
 app/models/reservation.rb                       |  2 +-
 6 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/app/assets/javascripts/directives/cart.js.erb b/app/assets/javascripts/directives/cart.js.erb
index 6dfba5c2d..8836bb53e 100644
--- a/app/assets/javascripts/directives/cart.js.erb
+++ b/app/assets/javascripts/directives/cart.js.erb
@@ -285,6 +285,20 @@ Application.Directives.directive('cart', [ '$rootScope', '$uibModal', 'dialogs',
           return false;
         };
 
+        /**
+         * Check if the currently logged user has the 'admin' role OR the 'manager' role, but is not taking reseravtion for himself
+         * @returns {boolean}
+         */
+        $scope.isAuthorized = function () {
+          if (AuthService.isAuthorized('admin')) return true;
+
+          if (AuthService.isAuthorized('manager')) {
+            return ($rootScope.currentUser.id !== $scope.user.id);
+          }
+
+          return false;
+        }
+
         /* PRIVATE SCOPE */
 
         /**
diff --git a/app/assets/templates/shared/_cart.html.erb b/app/assets/templates/shared/_cart.html.erb
index 1a883b8c0..33f28915f 100644
--- a/app/assets/templates/shared/_cart.html.erb
+++ b/app/assets/templates/shared/_cart.html.erb
@@ -16,7 +16,7 @@
       <div class="panel-body">
         <div class="font-sbold text-u-c">{{ 'app.shared.cart.datetime_to_time' | translate:{START_DATETIME:(slot.start | amDateFormat:'LLLL'), END_TIME:(slot.end | amDateFormat:'LT') } }}</div>
         <div class="text-base">{{ 'app.shared.cart.cost_of_TYPE' | translate:{TYPE:reservableType} }} <span ng-class="{'text-blue': !slot.promo, 'red': slot.promo}">{{slot.price | currency}}</span></div>
-        <div ng-show="isAuthorized(['admin', 'manager'])" class="m-t">
+        <div ng-show="isAuthorized()" class="m-t">
           <label for="offerSlot" class="control-label m-r" translate>{{ 'app.shared.cart.offer_this_slot' }}</label>
           <input bs-switch
                  ng-model="slot.offered"
diff --git a/app/controllers/api/prices_controller.rb b/app/controllers/api/prices_controller.rb
index d23f0624d..af2dafe0e 100644
--- a/app/controllers/api/prices_controller.rb
+++ b/app/controllers/api/prices_controller.rb
@@ -45,7 +45,7 @@ class API::PricesController < API::ApiController
       @amount = { elements: nil, total: 0, before_coupon: 0 }
     else
       reservable = price_parameters[:reservable_type].constantize.find(price_parameters[:reservable_id])
-      @amount = Price.compute(current_user.admin?,
+      @amount = Price.compute(current_user.admin? || (current_user.manager? && current_user.id != user.id),
                               user,
                               reservable,
                               price_parameters[:slots_attributes] || [],
diff --git a/app/controllers/api/reservations_controller.rb b/app/controllers/api/reservations_controller.rb
index 45dc86d39..4c3bfd449 100644
--- a/app/controllers/api/reservations_controller.rb
+++ b/app/controllers/api/reservations_controller.rb
@@ -29,7 +29,7 @@ class API::ReservationsController < API::ApiController
   # Managers can create reservations for other users
   def create
     user_id = current_user.admin? || current_user.manager? ? params[:reservation][:user_id] : current_user.id
-    amount = transaction_amount(current_user.admin?, user_id)
+    amount = transaction_amount(current_user.admin? || (current_user.manager? && current_user.id != user_id), user_id)
 
     authorize ReservationContext.new(Reservation, amount, user_id)
 
diff --git a/app/controllers/api/subscriptions_controller.rb b/app/controllers/api/subscriptions_controller.rb
index 182edb105..de406730b 100644
--- a/app/controllers/api/subscriptions_controller.rb
+++ b/app/controllers/api/subscriptions_controller.rb
@@ -14,7 +14,7 @@ class API::SubscriptionsController < API::ApiController
   # Managers can create subscriptions for other users
   def create
     user_id = current_user.admin? || current_user.manager? ? params[:subscription][:user_id] : current_user.id
-    amount = transaction_amount(current_user.admin?, user_id)
+    amount = transaction_amount(current_user.admin? || (current_user.manager? && current_user.id != user_id), user_id)
 
     authorize SubscriptionContext.new(Subscription, amount, user_id)
 
diff --git a/app/models/reservation.rb b/app/models/reservation.rb
index 951e86b92..e70cdfb10 100644
--- a/app/models/reservation.rb
+++ b/app/models/reservation.rb
@@ -35,7 +35,7 @@ class Reservation < ApplicationRecord
   # Generate an array of {Stripe::InvoiceItem} with the elements in the current reservation, price included.
   # The training/machine price is depending of the member's group, subscription and credits already used
   # @param on_site {Boolean} true if an admin triggered the call
-  # @param coupon_code {String} pass a valid code to appy a coupon
+  # @param coupon_code {String} pass a valid code to apply a coupon
   ##
   def generate_invoice_items(on_site = false, coupon_code = nil)
     # prepare the plan