Display error if editing non-current order

Users can input any order id within the orders controller routing, but we simply render the cart with the current order. This can cause some users confusion if they are expecting to edit an existing order after viewing it's receipt. So let's simply display a flash message indicating you cannot edit existing orders if the routing id does not match the current order.
solidusio · Oct 29, 2019 · 1d31f07 · 1d31f07
1 parent e3be38d
commit 1d31f07
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 1 deletion.
diff --git a/core/config/locales/en.yml b/core/config/locales/en.yml
@@ -1086,6 +1086,7 @@ en:
     cannot_create_payment_without_payment_methods_html: You cannot create a payment
       for an order without any payment methods defined. %{link}
     cannot_create_returns: Cannot create returns as this order has no shipped units.
+    cannot_edit_orders: You may only edit your current shopping cart.
     cannot_perform_operation: Cannot perform requested operation
     cannot_rebuild_shipments_order_completed: Cannot rebuild shipments for a completed
       order.

diff --git a/frontend/app/controllers/spree/orders_controller.rb b/frontend/app/controllers/spree/orders_controller.rb
@@ -8,6 +8,7 @@ class OrdersController < Spree::StoreController
 
     before_action :store_guest_token
     before_action :assign_order, only: :update
+    before_action :current_cart_redirect, only: :edit
     # note: do not lock the #edit action because that's where we redirect when we fail to acquire a lock
     around_action :lock_order, only: :update
     before_action :apply_coupon_code, only: :update
@@ -42,6 +43,10 @@ def edit
       @order = current_order || Spree::Order.incomplete.find_or_initialize_by(guest_token: cookies.signed[:guest_token])
       authorize! :read, @order, cookies.signed[:guest_token]
       associate_user
+      if params[:id] && @order.number != params[:id]
+        flash[:error] = t('spree.cannot_edit_orders')
+        redirect_to cart_path
+      end
     end
 
     # Adds a new item to the order (creating a new order if none already exists)

diff --git a/frontend/spec/controllers/spree/orders_controller_spec.rb b/frontend/spec/controllers/spree/orders_controller_spec.rb
@@ -102,6 +102,31 @@
       end
     end
 
+    context '#edit' do
+      before do
+        allow(controller).to receive :authorize!
+        allow(controller).to receive_messages current_order: order
+      end
+
+      it 'should render cart' do
+        get :edit, params: { id: order.number }
+
+        expect(flash[:error]).to be_nil
+        expect(response).to be_ok
+      end
+
+      context 'with another order number than the current_order' do
+        let(:other_order) { create(:completed_order_with_totals) }
+
+        it 'should display error message' do
+          get :edit, params: { id: other_order.number }
+
+          expect(flash[:error]).to eq "You may only edit your current shopping cart."
+          expect(response).to redirect_to cart_path
+        end
+      end
+    end
+
     context "#update" do
       context "with authorization" do
         before do

diff --git a/frontend/spec/features/checkout_confirm_insufficient_stock_spec.rb b/frontend/spec/features/checkout_confirm_insufficient_stock_spec.rb
@@ -29,8 +29,8 @@
 
         it 'redirects to cart page and shows an unavailable product message' do
           click_button "Place Order"
-          expect(page).to have_content "#{order_product.name} became unavailable"
           expect(page).to have_current_path spree.cart_path
+          expect(page).to have_content "#{order_product.name} became unavailable"
         end
       end
     end