LPD-16000 Make sure to check supplier order

dsitu · brianchandotcom · commit 53401963f02f · 2024-02-08T09:10:35.000+01:00
diff --git a/modules/apps/commerce/commerce-service/src/main/java/com/liferay/commerce/internal/security/permission/resource/CommerceOrderModelResourcePermissionLogic.java b/modules/apps/commerce/commerce-service/src/main/java/com/liferay/commerce/internal/security/permission/resource/CommerceOrderModelResourcePermissionLogic.java
@@ -14,6 +14,7 @@
 import com.liferay.commerce.model.CommerceOrder;
 import com.liferay.commerce.product.model.CommerceChannel;
 import com.liferay.commerce.product.service.CommerceChannelLocalService;
+import com.liferay.commerce.service.CommerceOrderLocalService;
 import com.liferay.petra.string.StringPool;
 import com.liferay.portal.configuration.module.configuration.ConfigurationProvider;
 import com.liferay.portal.kernel.dao.orm.QueryUtil;
@@ -41,6 +42,7 @@ public class CommerceOrderModelResourcePermissionLogic
 	public CommerceOrderModelResourcePermissionLogic(
 		AccountEntryLocalService accountEntryLocalService,
 		CommerceChannelLocalService commerceChannelLocalService,
+		CommerceOrderLocalService commerceOrderLocalService,
 		ConfigurationProvider configurationProvider,
 		GroupLocalService groupLocalService,
 		PortletResourcePermission portletResourcePermission,
@@ -49,6 +51,7 @@ public CommerceOrderModelResourcePermissionLogic(
 
 		_accountEntryLocalService = accountEntryLocalService;
 		_commerceChannelLocalService = commerceChannelLocalService;
+		_commerceOrderLocalService = commerceOrderLocalService;
 		_configurationProvider = configurationProvider;
 		_groupLocalService = groupLocalService;
 		_portletResourcePermission = portletResourcePermission;
@@ -476,23 +479,17 @@ private boolean _hasRoleAccountSupplier(
 			PermissionChecker permissionChecker, CommerceOrder commerceOrder)
 		throws PortalException {
 
-		CommerceChannel commerceChannel =
-			_commerceChannelLocalService.fetchCommerceChannelByGroupClassPK(
-				commerceOrder.getGroupId());
-
-		if ((commerceChannel != null) &&
-			(commerceChannel.getAccountEntryId() == 0)) {
-
-			return false;
-		}
-
 		List<AccountEntry> accountEntries =
 			_accountEntryLocalService.getUserAccountEntries(
 				permissionChecker.getUserId(), 0L, StringPool.BLANK,
 				new String[] {AccountConstants.ACCOUNT_ENTRY_TYPE_SUPPLIER},
 				QueryUtil.ALL_POS, QueryUtil.ALL_POS);
 
 		for (AccountEntry accountEntry : accountEntries) {
+			CommerceChannel commerceChannel =
+				_commerceChannelLocalService.fetchCommerceChannelByGroupClassPK(
+					commerceOrder.getGroupId());
+
 			if ((accountEntry.getAccountEntryId() ==
 					commerceChannel.getAccountEntryId()) &&
 				_userGroupRoleLocalService.hasUserGroupRole(
@@ -502,13 +499,37 @@ private boolean _hasRoleAccountSupplier(
 
 				return true;
 			}
+
+			for (long commerceOrderIds :
+					commerceOrder.getSupplierCommerceOrderIds()) {
+
+				CommerceOrder supplierCommerceOrder =
+					_commerceOrderLocalService.getCommerceOrder(
+						commerceOrderIds);
+
+				commerceChannel =
+					_commerceChannelLocalService.
+						fetchCommerceChannelByGroupClassPK(
+							supplierCommerceOrder.getGroupId());
+
+				if ((accountEntry.getAccountEntryId() ==
+						commerceChannel.getAccountEntryId()) &&
+					_userGroupRoleLocalService.hasUserGroupRole(
+						permissionChecker.getUserId(),
+						accountEntry.getAccountEntryGroupId(),
+						AccountRoleConstants.ROLE_NAME_ACCOUNT_SUPPLIER)) {
+
+					return true;
+				}
+			}
 		}
 
 		return false;
 	}
 
 	private final AccountEntryLocalService _accountEntryLocalService;
 	private final CommerceChannelLocalService _commerceChannelLocalService;
+	private final CommerceOrderLocalService _commerceOrderLocalService;
 	private final ConfigurationProvider _configurationProvider;
 	private final GroupLocalService _groupLocalService;
 	private final PortletResourcePermission _portletResourcePermission;
diff --git a/modules/apps/commerce/commerce-service/src/main/java/com/liferay/commerce/internal/security/permission/resource/CommerceOrderModelResourcePermissionWrapper.java b/modules/apps/commerce/commerce-service/src/main/java/com/liferay/commerce/internal/security/permission/resource/CommerceOrderModelResourcePermissionWrapper.java
@@ -49,8 +49,9 @@ public class CommerceOrderModelResourcePermissionWrapper
 				consumer.accept(
 					new CommerceOrderModelResourcePermissionLogic(
 						_accountEntryLocalService, _commerceChannelLocalService,
-						_configurationProvider, _groupLocalService,
-						_portletResourcePermission, _userGroupRoleLocalService,
+						_commerceOrderLocalService, _configurationProvider,
+						_groupLocalService, _portletResourcePermission,
+						_userGroupRoleLocalService,
 						_workflowDefinitionLinkLocalService));
 			});
 	}
