Foodsoft
/
foodsoft
1
1
Fork 0
Code Issues 36 Pull Requests 5 Projects 1 Releases Wiki Activity

Fix permission issue in pickups (PR #800, #799)

This commit is contained in:
lentschi 2021-01-30 11:21:00 +01:00 committed by GitHub
parent a32319572f
commit 67ad202859
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
app/controllers/order_articles_controller.rb
View File

@ -1,16 +1,15 @@
class OrderArticlesController < ApplicationController class OrderArticlesController < ApplicationController
before_action :fetch_order, except: :destroy
before_action :authenticate_finance_or_orders before_action :authenticate_finance_or_invoices, except: [:new, :create]
before_action :authenticate_finance_orders_or_pickup, except: [:edit, :update, :destroy]
layout false # We only use this controller to serve js snippets, no need for layout rendering layout false # We only use this controller to serve js snippets, no need for layout rendering
def new def new
@order = Order.find(params[:order_id])
@order_article = @order.order_articles.build(params[:order_article]) @order_article = @order.order_articles.build(params[:order_article])
end end
def create def create
@order = Order.find(params[:order_id])
# The article may be ordered with zero units - in that case do not complain. # The article may be ordered with zero units - in that case do not complain.
# If order_article is ordered and a new order_article is created, an error message will be # If order_article is ordered and a new order_article is created, an error message will be
# given mentioning that the article already exists, which is desired. # given mentioning that the article already exists, which is desired.
@ -24,12 +23,10 @@ class OrderArticlesController < ApplicationController
end end
def edit def edit
@order = Order.find(params[:order_id])
@order_article = OrderArticle.find(params[:id]) @order_article = OrderArticle.find(params[:id])
end end
def update def update
@order = Order.find(params[:order_id])
@order_article = OrderArticle.find(params[:id]) @order_article = OrderArticle.find(params[:id])
begin begin
@order_article.update_article_and_price!(params[:order_article], params[:article], params[:article_price]) @order_article.update_article_and_price!(params[:order_article], params[:article], params[:article_price])
@ -50,4 +47,18 @@ class OrderArticlesController < ApplicationController
@order_article.update_results! @order_article.update_results!
end end
end end
private
def fetch_order
@order = Order.find(params[:order_id])
end
def authenticate_finance_orders_or_pickup
return if current_user.role_finance? || current_user.role_orders?
return if current_user.role_pickups? && !@order.nil? && @order.state == 'finished'
deny_access
end
end end

6
app/controllers/orders_controller.rb
View File

@ -134,7 +134,13 @@ class OrdersController < ApplicationController
else else
s = update_order_amounts s = update_order_amounts
flash[:notice] = (s ? I18n.t('orders.receive.notice', :msg => s) : I18n.t('orders.receive.notice_none')) flash[:notice] = (s ? I18n.t('orders.receive.notice', :msg => s) : I18n.t('orders.receive.notice_none'))
if current_user.role_orders? || current_user.role_finance?
redirect_to @order redirect_to @order
elsif current_user.role_pickup?
redirect_to pickups_path
else
redirect_to receive_order_path(@order)
end
end end
end end

1
app/views/orders/_edit_amount.html.haml
View File

@ -26,4 +26,5 @@
/ TODO add almost invisible text_field for entering single units / TODO add almost invisible text_field for entering single units
%td.units_delta %td.units_delta
%td %td
- if current_user.role_orders? || current_user.role_finance?
= link_to t('ui.edit'), edit_order_order_article_path(order_article.order, order_article, without_units: true), remote: true, class: 'btn btn-small' = link_to t('ui.edit'), edit_order_order_article_path(order_article.order, order_article, without_units: true), remote: true, class: 'btn btn-small'