
Merge pull request #3391 from JDutil/fixes-2078
Display error if editing non-current order
kennyadsl authored Nov 7, 2019
2 parents 99e2cf7 + bd1af63 commit a58e7f8
Showing 3 changed files with 30 additions and 0 deletions.
1 change: 1 addition & 0 deletions core/config/locales/en.yml
Expand Up @@ -1086,6 +1086,7 @@ en:
cannot_create_payment_without_payment_methods_html: You cannot create a payment
for an order without any payment methods defined. %{link}
cannot_create_returns: Cannot create returns as this order has no shipped units.
cannot_edit_orders: You may only edit your current shopping cart.
cannot_perform_operation: Cannot perform requested operation
cannot_rebuild_shipments_order_completed: Cannot rebuild shipments for a completed
order.
4 changes: 4 additions & 0 deletions frontend/app/controllers/spree/orders_controller.rb
Expand Up @@ -42,6 +42,10 @@ def edit
@order = current_order || Spree::Order.incomplete.find_or_initialize_by(guest_token: cookies.signed[:guest_token])
authorize! :read, @order, cookies.signed[:guest_token]
associate_user
if params[:id] && @order.number != params[:id]
flash[:error] = t('spree.cannot_edit_orders')
redirect_to cart_path
end
end

# Adds a new item to the order (creating a new order if none already exists)
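Review bot: The mismatch guard added at `if params[:id] && @order.number != params[:id]` runs after `associate_user`, so the user/order association side effect still happens on a request that is then rejected; moving the guard above `associate_user` (keeping `authorize!` first) avoids that, e.g. `return redirect_to cart_path` inside the branch, then `associate_user` after it. It is also worth a comment making the security boundary explicit, since nothing in this action loads an order from `params[:id]`: `# params[:id] is never used to look up an order; access control is the authorize! call on the current order above. This check only rejects stale or foreign order links with a friendly error.` The `def edit` line itself is outside the hunk, so I am assuming no further statements follow the new block.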
25 changes: 25 additions & 0 deletions frontend/spec/controllers/spree/orders_controller_spec.rb
Expand Up @@ -102,6 +102,31 @@
end
end

context '#edit' do
before do
allow(controller).to receive :authorize!
allow(controller).to receive_messages current_order: order
end

it 'should render cart' do
get :edit, params: { id: order.number }

expect(flash[:error]).to be_nil
expect(response).to be_ok
end

context 'with another order number than the current_order' do
let(:other_order) { create(:completed_order_with_totals) }

it 'should display error message' do
get :edit, params: { id: other_order.number }

expect(flash[:error]).to eq "You may only edit your current shopping cart."
expect(response).to redirect_to cart_path
end
end
end

context "#update" do
context "with authorization" do
before do
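Review bot: The new `#edit` examples stub `authorize!` entirely, so they show the redirect and the flash message but not that authorization on the current order still runs before the mismatch check; a third example that lets `authorize!` raise and asserts the error path is taken before any redirect would pin that ordering. On style, `expect(flash[:error]).to eq "You may only edit your current shopping cart."` couples the spec to the English locale text; asserting `eq I18n.t('spree.cannot_edit_orders')` keeps the check while surviving copy changes (the literal form does have the advantage of catching a missing translation, so either choice is defensible if stated in a comment). The enclosing `describe` block starts outside the hunk.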
