- <% if shipment.delivery_date.blank? %>
- <%= link_to tracking_detail_path(shipment, status: 'delivered'), method: :patch, class: 'btn btn-success btn-xs' do %>
- Mark Delivered
+ <% if current_user.can_edit_order?(order) %>
+ <% if shipment.delivery_date.blank?%>
+ <%= link_to tracking_detail_path(shipment, status: 'delivered'), method: :patch, class: 'btn btn-success btn-xs' do %>
+ Mark Delivered
+ <% end %>
<% end %>
- <% end %>
- <%= link_to tracking_detail_path(shipment), method: :delete, class: "btn btn-danger btn-xs", data: confirm(title: "Deleting Tracking Number: #{shipment.tracking_number}") do %>
-
+ <%= link_to tracking_detail_path(shipment), method: :delete, class: "btn btn-danger btn-xs", data: confirm(title: "Deleting Tracking Number: #{shipment.tracking_number}") do %>
+
+ <% end %>
<% end %>
diff --git a/config/routes.rb b/config/routes.rb
index b8df3127..f1c4dec1 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -61,7 +61,7 @@
end
end
- resources :orders, only: %i[index new create edit update] do
+ resources :orders, except: %i[destroy] do
collection do
get :rejected, :closed, :canceled
end
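Review bot: `except: %i[destroy]` on line 25 turns the orders resource from an explicit allow-list into allow-by-default: it routes `show` (which the new request spec exercises) but will also route any further public action added to OrdersController later without anyone revisiting routes.rb. Since the intent here is only to add `show`, the explicit form keeps the exposed surface visible in one place: `resources :orders, only: %i[index show new create edit update] do`. Either way the route change alone only exposes the action; the per-user check for `show` has to be enforced in the controller, which is outside this hunk.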
diff --git a/spec/controllers/orders_controller_spec.rb b/spec/controllers/orders_controller_spec.rb
deleted file mode 100644
index d2b741dd..00000000
--- a/spec/controllers/orders_controller_spec.rb
+++ /dev/null
@@ -1,4 +0,0 @@
-require "rails_helper"
-
-describe OrdersController, type: :controller do
-end
diff --git a/spec/fixtures/orders.yml b/spec/fixtures/orders.yml
index e0812ede..fdbb8347 100644
--- a/spec/fixtures/orders.yml
+++ b/spec/fixtures/orders.yml
@@ -47,3 +47,23 @@ received_order_with_order_details:
status: 5
ship_to_name: "Acme Receiver"
ship_to_address: "123 Fake St."
+
+acme_order:
+ organization: acme
+ user: acme_root
+ order_date: <%= Time.zone.now %>
+ created_at: <%= Time.zone.now %>
+ updated_at: <%= Time.zone.now %>
+ status: -1
+ ship_to_name: "Unsubmitted Order Receiver"
+ ship_to_address: "123 Fake St."
+
+acme_submitted_order:
+ organization: acme
+ user: acme_root
+ order_date: <%= Time.zone.now %>
+ created_at: <%= Time.zone.now %>
+ updated_at: <%= Time.zone.now %>
+ status: 1
+ ship_to_name: "Open Order Receiver"
+ ship_to_address: "123 Fake St."
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index b5d33ebe..c8337794 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -65,4 +65,71 @@
expect(foo_inc_root.member_at?(acme)).to be_falsey
end
end
+
+ describe "User::OrderManipulator" do
+ describe "#can_edit_order?" do
+ context "when order has not been shipped" do
+ let(:order) { orders(:acme_order) }
+ it "permits super_admin to edit" do
+ expect(root.can_edit_order?(order)).to be_truthy
+ end
+ it "permits acme_root to edit" do
+ expect(acme_root.can_edit_order?(order)).to be_truthy
+ end
+ it "permits acme_normal to edit" do
+ expect(acme_normal.can_edit_order?(order)).to be_truthy
+ end
+ it "denies non-org users to edit" do
+ expect(foo_inc_root.can_edit_order?(order)).to be_falsy
+ end
+ end
+ context "when order has been shipped" do
+ let(:order) { orders(:acme_submitted_order) }
+ it "permits super_admin to edit" do
+ expect(root.can_edit_order?(order)).to be_truthy
+ end
+ it "denies acme_root to edit" do
+ expect(acme_root.can_edit_order?(order)).to be_falsy
+ end
+ it "denies acme_normal to edit" do
+ expect(acme_normal.can_edit_order?(order)).to be_falsy
+ end
+ it "denies non-org users to edit" do
+ expect(foo_inc_root.can_edit_order?(order)).to be_falsy
+ end
+ end
+ end
+ describe "#can_view_order?" do
+ context "when order has not been shipped" do
+ let(:order) { orders(:acme_order) }
+ it "permits super_admin to view" do
+ expect(root.can_view_order?(order)).to be_truthy
+ end
+ it "permits acme_root to view" do
+ expect(acme_root.can_view_order?(order)).to be_truthy
+ end
+ it "permits acme_normal to view" do
+ expect(acme_normal.can_view_order?(order)).to be_truthy
+ end
+ it "denies non-org users to view" do
+ expect(foo_inc_root.can_view_order?(order)).to be_falsy
+ end
+ end
+ context "when order has been shipped" do
+ let(:order) { orders(:acme_submitted_order) }
+ it "permits super_admin to view" do
+ expect(root.can_view_order?(order)).to be_truthy
+ end
+ it "denies acme_root to view" do
+ expect(acme_root.can_view_order?(order)).to be_truthy
+ end
+ it "denies acme_normal to view" do
+ expect(acme_normal.can_view_order?(order)).to be_truthy
+ end
+ it "denies non-org users to view" do
+ expect(foo_inc_root.can_view_order?(order)).to be_falsy
+ end
+ end
+ end
+ end
end
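Review bot: The example descriptions in the `#can_view_order?` "shipped" context contradict their expectations: lines 130 and 133 say `denies acme_root to view` and `denies acme_normal to view` but assert `be_truthy`. If org members are meant to keep read access after submission, rename them to `it "permits acme_root to view" do` and `it "permits acme_normal to view" do`; if denial is the intent, the assertions are inverted and the view gate is effectively untested. Both "shipped" contexts also load `acme_submitted_order`, which the fixture hunk defines with `status: 1` and `ship_to_name: "Open Order Receiver"`, so the context label should say submitted rather than shipped unless those are the same state in this model — that boundary is presumably what the permission hinges on, so the wording matters. Minor: the new examples use `be_falsy` while line 72 uses `be_falsey`; both are accepted, but pick one.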
diff --git a/spec/requests/orders_controller_request_spec.rb b/spec/requests/orders_controller_request_spec.rb
new file mode 100644
index 00000000..1da30b94
--- /dev/null
+++ b/spec/requests/orders_controller_request_spec.rb
@@ -0,0 +1,109 @@
+require "rails_helper"
+
+describe OrdersController, type: :request do
+ let(:root) { users(:root) }
+ let(:org_admin) { users(:view_check_root) }
+ let(:org_user) { users(:view_check_normal) }
+ let(:non_org_user) { users(:foo_inc_root) }
+
+ describe "#edit" do
+ context "before order has been submitted" do
+ let(:order) { orders(:view_check_unsubmitted_order) }
+ subject { get edit_order_path(order) }
+
+ context "when logged in as super_admin" do
+ before { sign_in root }
+ it "confirm order view is shown" do
+ expect(subject).to render_template("orders/status/confirm_order")
+ end
+ end
+
+ context "when logged in as order's organization admin user" do
+ before { sign_in org_admin }
+ it "confirm order view is shown" do
+ expect(subject).to render_template("orders/status/confirm_order")
+ end
+ end
+
+ context "when logged in as order's organization normal user" do
+ before { sign_in org_user }
+ it "confirm order view is shown" do
+ expect(subject).to render_template("orders/status/confirm_order")
+ end
+ end
+
+ context "when logged in as another organization user" do
+ before { sign_in non_org_user }
+ it "redirects to order show" do
+ expect(subject).to redirect_to(order_path(order))
+ end
+ end
+ end
+
+ context "after order has been submitted" do
+ let(:order) { orders(:view_check_submitted_order) }
+ subject { get edit_order_path(order) }
+
+ context "when logged in as super_admin" do
+ before { sign_in root }
+ it "edit view is shown" do
+ expect(subject).to render_template("edit")
+ end
+ end
+
+ context "when logged in as order's organization admin user" do
+ before { sign_in org_admin }
+ it "redirects to order show" do
+ expect(subject).to redirect_to(order_path(order))
+ end
+ end
+
+ context "when logged in as order's organization normal user" do
+ before { sign_in org_user }
+ it "redirects to order show" do
+ expect(subject).to redirect_to(order_path(order))
+ end
+ end
+
+ context "when logged in as another organization user" do
+ before { sign_in non_org_user }
+ it "redirects to order show" do
+ expect(subject).to redirect_to(order_path(order))
+ end
+ end
+ end
+ end
+
+ describe "#show" do
+ let(:order) { orders(:view_check_submitted_order) }
+ subject { get order_path(order) }
+
+ context "when logged in as super_admin" do
+ before { sign_in root }
+ it "show view is shown" do
+ expect(subject).to render_template("show")
+ end
+ end
+
+ context "when logged in as order's organization admin user" do
+ before { sign_in org_admin }
+ it "show view is shown" do
+ expect(subject).to render_template("show")
+ end
+ end
+
+ context "when logged in as order's organization normal user" do
+ before { sign_in org_user }
+ it "redirects to order show" do
+ expect(subject).to render_template("show")
+ end
+ end
+
+ context "when logged in as another organization user" do
+ before { sign_in non_org_user }
+ it "redirects to order show" do
+ expect(subject).to redirect_to(orders_path)
+ end
+ end
+ end
+end
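Review bot: The spec only exercises the GET actions (`#edit` and `#show`); the mutating `update` action — the one `can_edit_order?` actually needs to protect — has no request-level coverage, so a controller that gates the edit form correctly but still accepts `patch order_path(order)` from a non-org user or after submission would pass this suite. Add a `describe "#update"` mirroring the `#edit` contexts, asserting the redirect for denied users and that the record is unchanged, e.g. `expect { subject }.not_to change { order.reload.updated_at }`. Two example descriptions also disagree with their expectations: line 245 says `redirects to order show` but asserts `render_template("show")`, and line 252 says `redirects to order show` but asserts `redirect_to(orders_path)`. The not-signed-in case is absent from all three describes; if authentication is enforced by a shared before_action that is covered elsewhere, a one-line comment saying so would save the next reader the search.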