From 68fa903d61af207a89cec734c25ba620129a6287 Mon Sep 17 00:00:00 2001
From: Gaetan Craig-Riou
Date: Wed, 18 Sep 2024 10:24:09 +1000
Subject: [PATCH] Add missing permission check on buu action

Plus request spec
---
.../admin/products_v3_controller.rb | 4 ++
spec/requests/admin/products_v3_spec.rb | 64 +++++++++++++++++++
2 files changed, 68 insertions(+)
create mode 100644 spec/requests/admin/products_v3_spec.rb
diff --git a/app/controllers/admin/products_v3_controller.rb b/app/controllers/admin/products_v3_controller.rb
index 24ed032dcf6..1b152773736 100644
--- a/app/controllers/admin/products_v3_controller.rb
+++ b/app/controllers/admin/products_v3_controller.rb
@@ -40,6 +40,8 @@ def destroy
 { id: params[:id] }
 ).find_product
+ authorize! :delete, @record
+
 @record.destroyed_by = spree_current_user
 status = :ok
@@ -74,6 +76,8 @@ def destroy_variant
 def clone
 @product = Spree::Product.find(params[:id])
+ authorize! :clone, @product
+
 status = :ok
 begin
diff --git a/spec/requests/admin/products_v3_spec.rb b/spec/requests/admin/products_v3_spec.rb
new file mode 100644
index 00000000000..69e5562e27b
--- /dev/null
+++ b/spec/requests/admin/products_v3_spec.rb
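Review bot: In the second hunk the new `authorize! :clone, @product` runs only after the unscoped `Spree::Product.find(params[:id])`, so a caller without permission gets a 404 for an id that does not exist and a redirect to /unauthorized for one that does, which lets product ids be probed; the `destroy` hunk avoids that distinction by loading through the user-scoped `ProductScopeQuery` before authorizing, and `clone` could use the same lookup, e.g. `@product = ProductScopeQuery.new(spree_current_user, { id: params[:id] }).find_product`, if its not-found behaviour suits the action. Both checks also depend on `:delete` and `:clone` being actions the product ability grants: `:clone` is not a CanCan default alias and needs an explicit rule, and `:delete` matches `destroy` only if the ability aliases or grants it (Spree's ability does alias `:delete` to `:destroy`, if I recall) — worth confirming, since the accompanying spec only exercises the denial path. Neither hunk shows the whole method: `destroy` starts before the first hunk and both bodies continue past their hunk.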
@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe "Admin::ProductsV3" do
+ include AuthenticationHelper
+
+ let(:user) { create(:user) }
+ let(:headers) { { Accept: "text/vnd.turbo-stream.html" } }
+ let(:product) { create(:simple_product, supplier_id: create(:supplier_enterprise).id) }
+
+ before do
+ login_as user
+ end
+
+ describe "DELETE /admin/product_v3/:id" do
+ it "checks for permission" do
+ delete(admin_product_destroy_path(product), headers: )
+
+ expect(response).to redirect_to('/unauthorized')
+ end
+ end
+
+ describe "POST /admin/clone/:id" do
+ it "checks for permission" do
+ post(admin_clone_product_path(product), headers: )
+
+ expect(response).to redirect_to('/unauthorized')
+ end
+ end
+
+ describe "DELETE /admin/product_v3/destroy_variant/:id" do
+ it "checks for permission" do
+ delete(admin_destroy_variant_path(product.variants.first), headers: )
+
+ expect(response).to redirect_to('/unauthorized')
+ end
+ end
+
+ describe "POST /admin/products/bulk_update" do
+ it "checks for permission" do
+ variant = product.variants.first
+
+ params = {
+ products: {
+ '0': {
+ id: product.id,
+ name: "Updated product name",
+ variants_attributes: {
+ '0': {
+ id: variant.id,
+ display_name: "Updated variant display name",
+ }
+ }
+ }
+ }
+ }
+
+ post(admin_products_bulk_update_path, params:, headers: )
+
+ expect(response).to redirect_to('/unauthorized')
+ end
+ end
+end
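Review bot: Every example here asserts only the denial path for a freshly created user with no enterprise, so the spec would still pass if an `authorize!` used an action symbol the ability never grants, or if a legitimate enterprise manager were locked out of these actions; each describe block needs a matching positive example in which a user who manages the product's supplier enterprise performs the same request and gets a non-redirect response (using whatever factory or trait the suite already provides for enterprise managers). The `destroy_variant` and `bulk_update` examples cover actions the controller hunks do not touch, so a one-line comment such as `# existing checks; covered here so all four product actions are asserted together` would make clear they are regression coverage rather than part of this change. Minor style: `headers: )` carries a stray space before the closing paren on each of the four request lines; RuboCop's Layout/SpaceInsideParens would want `headers:)`.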