From 998befb30ff391d21909b7ccbd7bb8dbfc00e85b Mon Sep 17 00:00:00 2001
From: Brenda Wallace <brenda@wallace.net.nz>
Date: Sun, 12 Mar 2017 12:07:17 +1300
Subject: [PATCH] Limited plantings to member's own garden, and approved crops

---
 app/controllers/plantings_controller.rb       |  4 ++--
 app/models/ability.rb                         |  4 ++--
 spec/controllers/plantings_controller_spec.rb | 24 +++++++++++++++++--
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/app/controllers/plantings_controller.rb b/app/controllers/plantings_controller.rb
index 8551072ff..b1e211b08 100644
--- a/app/controllers/plantings_controller.rb
+++ b/app/controllers/plantings_controller.rb
@@ -39,8 +39,8 @@ class PlantingsController < ApplicationController
     @planting = Planting.new('planted_at' => Time.zone.today)
 
     # using find_by_id here because it returns nil, unlike find
-    @crop     = Crop.find_by(id: params[:crop_id])     || Crop.new
-    @garden   = Garden.find_by(id: params[:garden_id]) || Garden.new
+    @crop     = Crop.approved.find_by(id: params[:crop_id]) || Crop.new
+    @garden   = Garden.find_by(owner: current_member, id: params[:garden_id]) || Garden.new
 
     respond_to do |format|
       format.html # new.html.erb
diff --git a/app/models/ability.rb b/app/models/ability.rb
index d8e506b89..37f7babba 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -89,8 +89,8 @@ class Ability
     can :destroy, Garden, owner_id: member.id
 
     can :create,  Planting
-    can :update,  Planting, garden: { owner_id: member.id }
-    can :destroy, Planting, garden: { owner_id: member.id }
+    can :update,  Planting, garden: { owner_id: member.id }, crop: { approval_status: 'approved' }
+    can :destroy, Planting, garden: { owner_id: member.id }, crop: { approval_status: 'approved' }
 
     can :create,  Harvest
     can :update,  Harvest, owner_id: member.id
diff --git a/spec/controllers/plantings_controller_spec.rb b/spec/controllers/plantings_controller_spec.rb
index 21d2cd159..9a537ea56 100644
--- a/spec/controllers/plantings_controller_spec.rb
+++ b/spec/controllers/plantings_controller_spec.rb
@@ -62,13 +62,33 @@ describe PlantingsController do
       assigns(:crop).should be_a_new(Crop)
     end
 
-    it "picks up garden from params" do
-      member = FactoryGirl.create(:member)
+    it "picks up member's garden from params" do
       garden = FactoryGirl.create(:garden, owner: member)
       get :new, garden_id: garden.id
       assigns(:garden).should eq(garden)
     end
 
+    it "Doesn't display another member's garden on planting form" do
+      member = FactoryGirl.create(:member) # over-riding member from login_member()
+      garden = FactoryGirl.create(:garden, owner: member)
+      get :new, garden_id: garden.id
+      assigns(:garden).should_not eq(garden)
+    end
+
+    it "Doesn't display un-approved crops on planting form" do
+      crop = FactoryGirl.create(:crop, approval_status: 'pending')
+      garden = FactoryGirl.create(:garden, owner: member)
+      get :new, crop_id: crop.id
+      assigns(:crop).should_not eq(crop)
+    end
+
+    it "Doesn't display rejected crops on planting form" do
+      crop = FactoryGirl.create(:crop, approval_status: 'rejected', reason_for_rejection: 'nope')
+      garden = FactoryGirl.create(:garden, owner: member)
+      get :new, crop_id: crop.id
+      assigns(:crop).should_not eq(crop)
+    end
+
     it "doesn't die if no garden specified" do
       get :new, {}
       assigns(:garden).should be_a_new(Garden)