(feature) admin can buy product for himself

2025-02-20 14:54:15 +01:00 · 2022-11-04 12:13:53 +01:00 · 2022-11-04 12:13:53 +01:00 · 7c7ec0aa4c
commit 7c7ec0aa4c
parent 60580a2bae
8 changed files with 36 additions and 9 deletions
--- a/app/controllers/api/cart_controller.rb
+++ b/app/controllers/api/cart_controller.rb
@ -32,7 +32,7 @@ class API::CartController < API::ApiController
  end

  def set_offer
-    authorize @current_order, policy_class: CartPolicy
+    authorize CartContext.new(params[:customer_id], cart_params[:is_offered])
    @order = Cart::SetOfferService.new.call(@current_order, orderable, cart_params[:is_offered])
    render 'api/orders/show'
  end
--- a/app/frontend/src/javascript/api/cart.ts
+++ b/app/frontend/src/javascript/api/cart.ts
@ -24,7 +24,7 @@ export default class CartAPI {
  }

  static async setOffer (order: Order, orderableId: number, isOffered: boolean): Promise<Order> {
-    const res: AxiosResponse<Order> = await apiClient.put('/api/cart/set_offer', { order_token: order.token, orderable_id: orderableId, is_offered: isOffered });
+    const res: AxiosResponse<Order> = await apiClient.put('/api/cart/set_offer', { order_token: order.token, orderable_id: orderableId, is_offered: isOffered, customer_id: order.user?.id });
    return res?.data;
  }

--- a/app/frontend/src/javascript/components/cart/store-cart.tsx
+++ b/app/frontend/src/javascript/components/cart/store-cart.tsx
@ -181,7 +181,14 @@ const StoreCart: React.FC<StoreCartProps> = ({ onSuccess, onError, currentUser,
   * Change cart's customer by admin/manger
   */
  const handleChangeMember = (user: User): void => {
-    setCart({ ...cart, user: { id: user.id, role: 'member' } });
+    // if the selected user is the operator, he cannot offer products to himself
+    if (user.id === currentUser.id) {
+      Promise.all(cart.order_items_attributes.filter(item => item.is_offered).map(item => {
+        return CartAPI.setOffer(cart, item.orderable_id, false);
+      })).then((data) => setCart({ ...data[data.length - 1], user: { id: user.id, role: user.role } }));
+    } else {
+      setCart({ ...cart, user: { id: user.id, role: 'member' } });
+    }
  };

  /**
@ -205,7 +212,13 @@ const StoreCart: React.FC<StoreCartProps> = ({ onSuccess, onError, currentUser,
    return (checked: boolean) => {
      CartAPI.setOffer(cart, item.orderable_id, checked).then(data => {
        setCart(data);
-      }).catch(onError);
+      }).catch(e => {
+        if (e.match(/code 403/)) {
+          onError(t('app.public.store_cart.errors.unauthorized_offering_product'));
+        } else {
+          onError(e);
+        }
+      });
    };
  };

--- a/app/frontend/src/javascript/controllers/machines.js.erb
+++ b/app/frontend/src/javascript/controllers/machines.js.erb
@ -424,7 +424,7 @@ Application.Controllers.controller('ReserveMachineController', ['$scope', '$tran
    // the moment when the slot selection changed for the last time, used to trigger changes in the cart
    $scope.selectionTime = null;

-    // the last clicked event in the calender
+    // the last clicked event in the calendar
    $scope.selectedEvent = null;

    // the application global settings
--- a/app/frontend/src/javascript/lib/user.ts
+++ b/app/frontend/src/javascript/lib/user.ts
@ -13,9 +13,7 @@ export default class UserLib {
   * Check if the current user has privileged access for resources concerning the provided customer
   */
  isPrivileged = (customer: User): boolean => {
-    if (this.user?.role === 'admin') return true;
-
-    if (this.user?.role === 'manager') {
+    if (this.user?.role === 'admin' || this.user?.role === 'manager') {
      return (this.user?.id !== customer.id);
    }

--- a/app/policies/cart_context.rb
+++ b/app/policies/cart_context.rb
@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# Pundit Additional context for authorizing a product offering
+class CartContext
+  attr_reader :customer_id, :is_offered
+
+  def initialize(customer_id, is_offered)
+    @customer_id = customer_id
+    @is_offered = is_offered
+  end
+
+  def policy_class
+    CartPolicy
+  end
+end
--- a/app/policies/cart_policy.rb
+++ b/app/policies/cart_policy.rb
@ -15,6 +15,6 @@ class CartPolicy < ApplicationPolicy
  end

  def set_offer?
-    user.privileged?
+    !record.is_offered || (user.privileged? && record.customer_id != user.id)
  end
 end
--- a/config/locales/app.public.en.yml
+++ b/config/locales/app.public.en.yml
@ -451,6 +451,7 @@ en:
          stock_limit_QUANTITY: "Only {QUANTITY} {QUANTITY, plural, =1{unit} other{units}} left in stock, please adjust the quantity of items."
          quantity_min_QUANTITY: "Minimum number of product was changed to {QUANTITY}, please adjust the quantity of items."
          price_changed_PRICE: "The product price was modified to {PRICE}"
+          unauthorized_offering_product: "You can't offer anything to yourself"
      orders_dashboard:
        heading: "My orders"
        sort: