
[api] Only allow admins to transition shipments to ready and ship

1 parent 044d233 commit 05dc590f49ff31b9c81a4b8048117030049e30a8 @radar radar committed Oct 11, 2012
@@ -6,13 +6,15 @@ class ShipmentsController < BaseController
before_filter :find_and_update_shipment, :only => [:ship, :ready]
def ready
+ authorize! :read, Shipment
unless @shipment.ready?
@shipment.ready!
end
render :show
end
def ship
+ authorize! :read, Shipment
unless @shipment.shipped?
@shipment.ship!
end
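Review bot: The `authorize! :read, Shipment` added to `ready` and `ship` gates a state-changing transition on the `:read` ability, checked against the class rather than the loaded record, so any role later granted read access to shipments would also be able to ready and ship them. A check that names the write on the record itself, such as `authorize! :update, @shipment`, would match the commit title. The check also sits in the action body, which runs after `before_filter :find_and_update_shipment`; that filter's body is outside the hunk, but if it writes request parameters to the shipment as its name suggests, the write happens before authorization, and moving the check into a filter declared ahead of it would close that gap. The `authorize! :read, @order` added to `find_order` in the next hunk only establishes that the caller may view the order, so it does not protect the update either.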
@@ -23,6 +25,7 @@ def ship
def find_order
@order = Spree::Order.find_by_number!(params[:order_id])
+ authorize! :read, @order
end
def find_and_update_shipment
@@ -10,8 +10,22 @@
stub_authentication!
end
- context "working with a shipment" do
- let!(:resource_scoping) { { :order_id => shipment.order.to_param, :id => shipment.to_param } }
+ let!(:resource_scoping) { { :order_id => shipment.order.to_param, :id => shipment.to_param } }
+
+ context "as a non-admin" do
+ it "cannot make a shipment ready" do
+ api_put :ready
+ assert_unauthorized!
+ end
+
+ it "cannot make a shipment shipped" do
+ api_put :ship
+ assert_unauthorized!
+ end
+ end
+
+ context "as an admin" do
+ sign_in_as_admin!
it "can make a shipment ready" do
api_put :ready
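Review bot: The two non-admin examples assert only the response status, so they would still pass if the shipment were modified before the request is rejected. Following each `assert_unauthorized!` with a state check such as `shipment.reload.should_not be_ready` (and `should_not be_shipped` for the second example) would pin that an unauthorized call leaves the record untouched. Sending a shipment attribute with the request would additionally cover the `find_and_update_shipment` filter that runs before the action. The admin context continues past the end of the hunk.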
