dup_spree_api 1.3.0.rc1

data/spec/controllers/spree/api/images_controller_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper'
+
+module Spree
+  describe Spree::Api::ImagesController do
+    render_views
+
+    let!(:product) { create(:product) }
+    let!(:attributes) { [:id, :position, :attachment_content_type,
+                         :attachment_file_name, :type, :attachment_updated_at, :attachment_width,
+                         :attachment_height, :alt] }
+
+    before do
+      stub_authentication!
+    end
+
+    context "as an admin" do
+      sign_in_as_admin!
+
+      it "can upload a new image for a variant" do
+        lambda do
+          api_post :create,
+                   :image => { :attachment => upload_image('thinking-cat.jpg'),
+                               :viewable_type => 'Spree::Variant',
+                               :viewable_id => product.master.to_param  }
+          response.status.should == 201
+          json_response.should have_attributes(attributes)
+        end.should change(Image, :count).by(1)
+      end
+
+      context "working with an existing image" do
+        let!(:product_image) { product.master.images.create!(:attachment => image('thinking-cat.jpg')) }
+
+        it "can update image data" do
+          product_image.position.should == 1
+          api_post :update, :image => { :position => 2 }, :id => product_image.id
+          response.status.should == 200
+          json_response.should have_attributes(attributes)
+          product_image.reload.position.should == 2
+        end
+
+        it "can delete an image" do
+          api_delete :destroy, :id => product_image.id
+          response.status.should == 204
+          lambda { product_image.reload }.should raise_error(ActiveRecord::RecordNotFound)
+        end
+      end
+    end
+
+    context "as a non-admin" do
+      it "cannot create an image" do
+        api_post :create
+        assert_unauthorized!
+      end
+
+      it "cannot update an image" do
+        api_put :update, :id => 1
+        assert_unauthorized!
+      end
+
+      it "cannot delete an image" do
+        api_delete :destroy, :id => 1
+        assert_unauthorized!
+      end
+    end
+  end
+end

data/spec/controllers/spree/api/line_items_controller_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+
+module Spree
+  describe Api::LineItemsController do
+    render_views
+
+    let!(:order) do
+     order = create(:order)
+     order.line_items << create(:line_item)
+     order
+    end
+
+    let(:product) { create(:product) }
+    let(:attributes) { [:id, :quantity, :price, :variant] }
+    let(:resource_scoping) { { :order_id => order.to_param } }
+
+    before do
+      stub_authentication!
+    end
+
+    it "can learn how to create a new line item" do
+      api_get :new
+      json_response["attributes"].should == ["quantity", "price", "variant_id"]
+      required_attributes = json_response["required_attributes"]
+      required_attributes.should include("quantity", "variant_id")
+    end
+
+    context "as the order owner" do
+      before do
+        Order.any_instance.stub :user => current_api_user
+      end
+
+      it "can add a new line item to an existing order" do
+        api_post :create, :line_item => { :variant_id => product.master.to_param, :quantity => 1 }
+        response.status.should == 201
+        json_response.should have_attributes(attributes)
+        json_response["variant"]["name"].should_not be_blank
+      end
+
+      it "can update a line item on the order" do
+        line_item = order.line_items.first
+        api_put :update, :id => line_item.id, :line_item => { :quantity => 1000 }
+        response.status.should == 200
+        json_response.should have_attributes(attributes)
+      end
+
+      it "can delete a line item on the order" do
+        line_item = order.line_items.first
+        api_delete :destroy, :id => line_item.id
+        response.status.should == 204
+        lambda { line_item.reload }.should raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+
+    context "as just another user" do
+      it "cannot add a new line item to the order" do
+        api_post :create, :line_item => { :variant_id => product.master.to_param, :quantity => 1 }
+        assert_unauthorized!
+      end
+
+      it "cannot update a line item on the order" do
+        line_item = order.line_items.first
+        api_put :update, :id => line_item.id, :line_item => { :quantity => 1000 }
+        assert_unauthorized!
+        line_item.reload.quantity.should_not == 1000
+      end
+
+      it "cannot delete a line item on the order" do
+        line_item = order.line_items.first
+        api_delete :destroy, :id => line_item.id
+        assert_unauthorized!
+        lambda { line_item.reload }.should_not raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+
+  end
+end

data/spec/controllers/spree/api/orders_controller_spec.rb

@@ -0,0 +1,255 @@
+require 'spec_helper'
+
+module Spree
+  describe Api::OrdersController do
+    render_views
+
+    let!(:order) { create(:order) }
+    let(:attributes) { [:number, :item_total, :total,
+                        :state, :adjustment_total,
+                        :user_id, :created_at, :updated_at,
+                        :completed_at, :payment_total, :shipment_state,
+                        :payment_state, :email, :special_instructions] }
+
+
+    before do
+      stub_authentication!
+    end
+
+    it "cannot view all orders" do
+      api_get :index
+      assert_unauthorized!
+    end
+
+    it "can view their own order" do
+      Order.any_instance.stub :user => current_api_user
+      api_get :show, :id => order.to_param
+      response.status.should == 200
+      json_response.should have_attributes(attributes)
+    end
+
+    # Regression test for #1992
+    it "can view an order not in a standard state" do
+      Order.any_instance.stub :user => current_api_user
+      order.update_column(:state, 'shipped')
+      api_get :show, :id => order.to_param
+    end
+
+    it "can not view someone else's order" do
+      Order.any_instance.stub :user => stub_model(Spree::LegacyUser)
+      api_get :show, :id => order.to_param
+      assert_unauthorized!
+    end
+
+    it "cannot cancel an order that doesn't belong to them" do
+      order.update_attribute(:completed_at, Time.now)
+      order.update_attribute(:shipment_state, "ready")
+      api_put :cancel, :id => order.to_param
+      assert_unauthorized!
+    end
+
+    it "cannot add address information to an order that doesn't belong to them" do
+      api_put :address, :id => order.to_param
+      assert_unauthorized!
+    end
+
+    it "cannot change delivery information on an order that doesn't belong to them" do
+      api_put :delivery, :id => order.to_param
+      assert_unauthorized!
+    end
+
+    it "can create an order" do
+      variant = create(:variant)
+      api_post :create, :order => { :line_items => [{ :variant_id => variant.to_param, :quantity => 5 }] }
+      response.status.should == 201
+      order = Order.last
+      order.line_items.count.should == 1
+      order.line_items.first.variant.should == variant
+      order.line_items.first.quantity.should == 5
+      json_response["state"].should == "address"
+    end
+
+    it "can create an order without any parameters" do
+      lambda { api_post :create }.should_not raise_error(NoMethodError)
+      response.status.should == 201
+      order = Order.last
+      json_response["state"].should == "address"
+    end
+
+    context "working with an order" do
+      before do
+        Order.any_instance.stub :user => current_api_user
+        create(:payment_method)
+        order.next # Switch from cart to address
+        order.ship_address.should be_nil
+        order.state.should == "address"
+      end
+
+      def clean_address(address)
+        address.delete(:state)
+        address.delete(:country)
+        address
+      end
+
+      let(:address_params) { { :country_id => Country.first.id, :state_id => State.first.id } }
+      let(:shipping_address) { clean_address(attributes_for(:address).merge!(address_params)) }
+      let(:billing_address) { clean_address(attributes_for(:address).merge!(address_params)) }
+      let!(:shipping_method) { create(:shipping_method) }
+      let!(:payment_method) { create(:payment_method) }
+
+      it "can add address information to an order" do
+        api_put :address, :id => order.to_param, :shipping_address => shipping_address, :billing_address => billing_address
+
+        response.status.should == 200
+        order.reload
+        order.shipping_address.reload
+        order.billing_address.reload
+        # We can assume the rest of the parameters are set if these two are
+        order.shipping_address.firstname.should == shipping_address[:firstname]
+        order.billing_address.firstname.should == billing_address[:firstname]
+        order.state.should == "delivery"
+        json_response["shipping_methods"].should_not be_empty
+      end
+
+      it "can add just shipping address information to an order" do
+        api_put :address, :id => order.to_param, :shipping_address => shipping_address
+        response.status.should == 200
+        order.reload
+        order.shipping_address.reload
+        order.shipping_address.firstname.should == shipping_address[:firstname]
+        order.bill_address.should be_nil
+      end
+
+      it "cannot use an address that has no valid shipping methods" do
+        shipping_method.destroy
+        api_put :address, :id => order.to_param, :shipping_address => shipping_address, :billing_address => billing_address
+        response.status.should == 422
+        json_response["errors"]["base"].should == ["No shipping methods available for selected location, please change your address and try again."]
+      end
+
+      it "can not add invalid ship address information to an order" do
+        shipping_address[:firstname] = ""
+        api_put :address, :id => order.to_param, :shipping_address => shipping_address, :billing_address => billing_address
+
+        response.status.should == 422
+        json_response["errors"]["ship_address.firstname"].should_not be_blank
+      end
+
+      it "can not add invalid ship address information to an order" do
+        billing_address[:firstname] = ""
+        api_put :address, :id => order.to_param, :shipping_address => shipping_address, :billing_address => billing_address
+
+        response.status.should == 422
+        json_response["errors"]["bill_address.firstname"].should_not be_blank
+      end
+
+      it "can add line items" do
+        api_put :update, :id => order.to_param, :order => { :line_items => [{:variant_id => create(:variant).id, :quantity => 2}] }
+
+        response.status.should == 200
+        json_response['item_total'].to_f.should_not == order.item_total.to_f
+      end
+
+      context "with a line item" do
+        before do
+          order.line_items << create(:line_item)
+        end
+
+        context "for delivery" do
+          before do
+            order.update_attribute(:state, "delivery")
+          end
+
+          it "can select a shipping method for an order" do
+            order.shipping_method.should be_nil
+            api_put :delivery, :id => order.to_param, :shipping_method_id => shipping_method.id
+            response.status.should == 200
+            order.reload
+            order.state.should == "payment"
+            order.shipping_method.should == shipping_method
+          end
+
+          it "cannot select an invalid shipping method for an order" do
+            order.shipping_method.should be_nil
+            api_put :delivery, :id => order.to_param, :shipping_method_id => '1234567890'
+            response.status.should == 422
+            json_response["errors"].should include("Invalid shipping method specified.")
+          end
+        end
+
+        it "can empty an order" do
+          api_put :empty, :id => order.to_param
+          response.status.should == 200
+          order.reload.line_items.should be_empty
+        end
+      end
+    end
+
+    context "as an admin" do
+      sign_in_as_admin!
+
+      context "with no orders" do
+        before { Spree::Order.delete_all }
+        it "still returns a root :orders key" do
+          api_get :index
+          json_response["orders"].should == []
+        end
+      end
+
+      context "with two orders" do
+        before { create(:order) }
+
+        it "can view all orders" do
+          api_get :index
+          json_response["orders"].first.should have_attributes(attributes)
+          json_response["count"].should == 2
+          json_response["current_page"].should == 1
+          json_response["pages"].should == 1
+        end
+
+        # Test for #1763
+        it "can control the page size through a parameter" do
+          api_get :index, :per_page => 1
+          json_response["orders"].count.should == 1
+          json_response["orders"].first.should have_attributes(attributes)
+          json_response["count"].should == 1
+          json_response["current_page"].should == 1
+          json_response["pages"].should == 2
+        end
+      end
+
+      context "search" do
+        before do
+          create(:order)
+          Spree::Order.last.update_attribute(:email, 'spree@spreecommerce.com')
+        end
+
+        let(:expected_result) { Spree::Order.last }
+
+        it "can query the results through a parameter" do
+          api_get :index, :q => { :email_cont => 'spree' }
+          json_response["orders"].count.should == 1
+          json_response["orders"].first.should have_attributes(attributes)
+          json_response["orders"].first["email"].should == expected_result.email
+          json_response["count"].should == 1
+          json_response["current_page"].should == 1
+          json_response["pages"].should == 1
+        end
+      end
+
+      context "can cancel an order" do
+        before do
+          order.completed_at = Time.now
+          order.state = 'complete'
+          order.shipment_state = 'ready'
+          order.save!
+        end
+
+        specify do
+          api_put :cancel, :id => order.to_param
+          json_response["state"].should == "canceled"
+        end
+      end
+    end
+  end
+end

data/spec/controllers/spree/api/payments_controller_spec.rb

@@ -0,0 +1,203 @@
+require 'spec_helper'
+
+module Spree
+  describe Spree::Api::PaymentsController do
+    render_views
+    let!(:order) { create(:order) }
+    let!(:payment) { create(:payment, :order => order) }
+    let!(:attributes) { [:id, :source_type, :source_id, :amount,
+                         :payment_method_id, :response_code, :state, :avs_response,
+                         :created_at, :updated_at] }
+
+    let(:resource_scoping) { { :order_id => order.to_param } }
+    before do
+      stub_authentication!
+    end
+
+    context "as a user" do
+      context "when the order belongs to the user" do
+        before do
+          Order.any_instance.stub :user => current_api_user
+        end
+
+        it "can view the payments for their order" do
+          api_get :index
+          json_response["payments"].first.should have_attributes(attributes)
+        end
+
+        it "can learn how to create a new payment" do
+          api_get :new
+          json_response["attributes"].should == attributes.map(&:to_s)
+          json_response["payment_methods"].should_not be_empty
+          json_response["payment_methods"].first.should have_attributes([:id, :name, :description])
+        end
+
+        it "can create a new payment" do
+          api_post :create, :payment => { :payment_method_id => PaymentMethod.first.id, :amount => 50 }
+          response.status.should == 201
+          json_response.should have_attributes(attributes)
+        end
+
+        it "can view a pre-existing payment's details" do
+          api_get :show, :id => payment.to_param
+          json_response.should have_attributes(attributes)
+        end
+
+        it "cannot authorize a payment" do
+          api_put :authorize, :id => payment.to_param
+          assert_unauthorized!
+        end
+      end
+
+      context "when the order does not belong to the user" do
+        before do
+          Order.any_instance.stub :user => stub_model(LegacyUser)
+        end
+
+        it "cannot view payments for somebody else's order" do
+          api_get :index, :order_id => order.to_param
+          assert_unauthorized!
+        end
+      end
+    end
+
+    context "as an admin" do
+      sign_in_as_admin!
+
+      it "can view the payments on any order" do
+        api_get :index
+        response.status.should == 200
+        json_response["payments"].first.should have_attributes(attributes)
+      end
+
+      context "multiple payments" do
+        before { @payment = create(:payment, :order => order, :response_code => '99999') }
+
+        it "can view all payments on an order" do
+          api_get :index
+          json_response["count"].should == 2
+        end
+
+        it 'can control the page size through a parameter' do
+          api_get :index, :per_page => 1
+          json_response['count'].should == 1
+          json_response['current_page'].should == 1
+          json_response['pages'].should == 2
+        end
+
+        it 'can query the results through a paramter' do
+          api_get :index, :q => { :response_code_cont => '999' }
+          json_response['count'].should == 1
+          json_response['payments'].first['response_code'].should eq @payment.response_code
+        end
+      end
+
+      context "for a given payment" do
+
+        it "can authorize" do
+          api_put :authorize, :id => payment.to_param
+          response.status.should == 200
+          payment.reload
+          payment.state.should == "pending"
+        end
+
+        it "returns a 422 status when authorization fails" do
+          fake_response = stub(:success? => false, :to_s => "Could not authorize card")
+          Spree::Gateway::Bogus.any_instance.should_receive(:authorize).and_return(fake_response)
+          api_put :authorize, :id => payment.to_param
+          response.status.should == 422
+          json_response["error"].should == "There was a problem with the payment gateway: Could not authorize card"
+          payment.reload
+          payment.state.should == "failed"
+        end
+
+        it "can capture" do
+          api_put :capture, :id => payment.to_param
+          response.status.should == 200
+          payment.reload
+          payment.state.should == "completed"
+        end
+
+        it "returns a 422 status when purchasing fails" do
+          fake_response = stub(:success? => false, :to_s => "Insufficient funds")
+          Spree::Gateway::Bogus.any_instance.should_receive(:capture).and_return(fake_response)
+          api_put :capture, :id => payment.to_param
+          response.status.should == 422
+          json_response["error"].should == "There was a problem with the payment gateway: Insufficient funds"
+
+          payment.reload
+          payment.state.should == "failed"
+        end
+
+        it "can purchase" do
+          api_put :purchase, :id => payment.to_param
+          response.status.should == 200
+          payment.reload
+          payment.state.should == "completed"
+        end
+
+        it "returns a 422 status when purchasing fails" do
+          fake_response = stub(:success? => false, :to_s => "Insufficient funds")
+          Spree::Gateway::Bogus.any_instance.should_receive(:purchase).and_return(fake_response)
+          api_put :purchase, :id => payment.to_param
+          response.status.should == 422
+          json_response["error"].should == "There was a problem with the payment gateway: Insufficient funds"
+
+          payment.reload
+          payment.state.should == "failed"
+        end
+
+        it "can void" do
+          api_put :void, :id => payment.to_param
+          response.status.should == 200
+          payment.reload
+          payment.state.should == "void"
+        end
+
+        it "returns a 422 status when voiding fails" do
+          fake_response = stub(:success? => false, :to_s => "NO REFUNDS")
+          Spree::Gateway::Bogus.any_instance.should_receive(:void).and_return(fake_response)
+          api_put :void, :id => payment.to_param
+          response.status.should == 422
+          json_response["error"].should == "There was a problem with the payment gateway: NO REFUNDS"
+
+          payment.reload
+          payment.state.should == "pending"
+        end
+
+        context "crediting" do
+          before do
+            payment.purchase!
+          end
+
+          it "can credit" do
+            api_put :credit, :id => payment.to_param
+            response.status.should == 200
+            payment.reload
+            payment.state.should == "completed"
+
+            # Ensur that a credit payment was created, and it has correct credit amount
+            credit_payment = Payment.where(:source_type => 'Spree::Payment', :source_id => payment.id).last
+            credit_payment.amount.to_f.should == -45.75
+          end
+
+          it "returns a 422 status when crediting fails" do
+            fake_response = stub(:success? => false, :to_s => "NO CREDIT FOR YOU")
+            Spree::Gateway::Bogus.any_instance.should_receive(:credit).and_return(fake_response)
+            api_put :credit, :id => payment.to_param
+            response.status.should == 422
+            json_response["error"].should == "There was a problem with the payment gateway: NO CREDIT FOR YOU"
+          end
+
+          it "cannot credit over credit_allowed limit" do
+            api_put :credit, :id => payment.to_param, :amount => 1000000
+            response.status.should == 422
+            json_response["error"].should == "This payment can only be credited up to 45.75. Please specify an amount less than or equal to this number."
+          end
+        end
+      end
+
+    end
+
+  end
+end