solidus_api 1.0.0.pre

data/app/controllers/spree/api/line_items_controller.rb

@@ -0,0 +1,74 @@
+module Spree
+  module Api
+    class LineItemsController < Spree::Api::BaseController
+      class_attribute :line_item_options
+
+      self.line_item_options = []
+
+      before_filter :load_order, only: [:create, :update, :destroy]
+      around_filter :lock_order, only: [:create, :update, :destroy]
+
+      def create
+        variant = Spree::Variant.find(params[:line_item][:variant_id])
+        @line_item = @order.contents.add(
+          variant,
+          params[:line_item][:quantity] || 1,
+          {
+            stock_location_quantities: params[:line_item][:stock_location_quantities]
+          }.merge(line_item_params[:options] || {})
+        )
+
+        if @line_item.errors.empty?
+          respond_with(@line_item, status: 201, default_template: :show)
+        else
+          invalid_resource!(@line_item)
+        end
+      end
+
+      def update
+        @line_item = find_line_item
+        if @order.contents.update_cart(line_items_attributes)
+          @line_item.reload
+          respond_with(@line_item, default_template: :show)
+        else
+          invalid_resource!(@line_item)
+        end
+      end
+
+      def destroy
+        @line_item = find_line_item
+        variant = Spree::Variant.unscoped.find(@line_item.variant_id)
+        @order.contents.remove(variant, @line_item.quantity)
+        respond_with(@line_item, status: 204)
+      end
+
+      private
+        def load_order
+          @order ||= Spree::Order.includes(:line_items).find_by!(number: order_id)
+          authorize! :update, @order, order_token
+        end
+
+        def find_line_item
+          id = params[:id].to_i
+          @order.line_items.detect { |line_item| line_item.id == id } or
+              raise ActiveRecord::RecordNotFound
+        end
+
+        def line_items_attributes
+          {line_items_attributes: {
+              id: params[:id],
+              quantity: params[:line_item][:quantity],
+              options: line_item_params[:options] || {}
+          }}
+        end
+
+        def line_item_params
+          params.require(:line_item).permit(
+              :quantity,
+              :variant_id,
+              options: line_item_options
+          )
+        end
+    end
+  end
+end

data/app/controllers/spree/api/option_types_controller.rb

@@ -0,0 +1,49 @@
+module Spree
+  module Api
+    class OptionTypesController < Spree::Api::BaseController
+      def index
+        if params[:ids]
+          @option_types = Spree::OptionType.includes(:option_values).accessible_by(current_ability, :read).where(id: params[:ids].split(','))
+        else
+          @option_types = Spree::OptionType.includes(:option_values).accessible_by(current_ability, :read).load.ransack(params[:q]).result
+        end
+        respond_with(@option_types)
+      end
+
+      def show
+        @option_type = Spree::OptionType.accessible_by(current_ability, :read).find(params[:id])
+        respond_with(@option_type)
+      end
+
+      def create
+        authorize! :create, Spree::OptionType
+        @option_type = Spree::OptionType.new(option_type_params)
+        if @option_type.save
+          render :show, :status => 201
+        else
+          invalid_resource!(@option_type)
+        end
+      end
+
+      def update
+        @option_type = Spree::OptionType.accessible_by(current_ability, :update).find(params[:id])
+        if @option_type.update_attributes(option_type_params)
+          render :show
+        else
+          invalid_resource!(@option_type)
+        end
+      end
+
+      def destroy
+        @option_type = Spree::OptionType.accessible_by(current_ability, :destroy).find(params[:id])
+        @option_type.destroy
+        render :text => nil, :status => 204
+      end
+
+      private
+        def option_type_params
+          params.require(:option_type).permit(permitted_option_type_attributes)
+        end
+    end
+  end
+end

data/app/controllers/spree/api/option_values_controller.rb

@@ -0,0 +1,58 @@
+module Spree
+  module Api
+    class OptionValuesController < Spree::Api::BaseController
+      def index
+        if params[:ids]
+          @option_values = scope.where(:id => params[:ids])
+        else
+          @option_values = scope.ransack(params[:q]).result
+        end
+        respond_with(@option_values)
+      end
+
+      def show
+        @option_value = scope.find(params[:id])
+        respond_with(@option_value)
+      end
+
+      def create
+        authorize! :create, Spree::OptionValue
+        @option_value = scope.new(option_value_params)
+        if @option_value.save
+          render :show, :status => 201
+        else
+          invalid_resource!(@option_value)
+        end
+      end
+
+      def update
+        @option_value = scope.accessible_by(current_ability, :update).find(params[:id])
+        if @option_value.update_attributes(option_value_params)
+          render :show
+        else
+          invalid_resource!(@option_value)
+        end
+      end
+
+      def destroy
+        @option_value = scope.accessible_by(current_ability, :destroy).find(params[:id])
+        @option_value.destroy
+        render :text => nil, :status => 204
+      end
+
+      private
+
+        def scope
+          if params[:option_type_id]
+            @scope ||= Spree::OptionType.find(params[:option_type_id]).option_values.accessible_by(current_ability, :read)
+          else
+            @scope ||= Spree::OptionValue.accessible_by(current_ability, :read).load
+          end
+        end
+
+        def option_value_params
+          params.require(:option_value).permit(permitted_option_value_attributes)
+        end
+    end
+  end
+end

data/app/controllers/spree/api/orders_controller.rb

@@ -0,0 +1,155 @@
+module Spree
+  module Api
+    class OrdersController < Spree::Api::BaseController
+      class_attribute :admin_shipment_attributes
+      self.admin_shipment_attributes = [:shipping_method, :stock_location, :inventory_units => [:variant_id, :sku]]
+
+      class_attribute :admin_order_attributes
+      self.admin_order_attributes = [:import, :number, :completed_at, :locked_at, :channel]
+
+      skip_before_action :check_for_user_or_api_key, only: :apply_coupon_code
+      skip_before_action :authenticate_user, only: :apply_coupon_code
+
+      before_action :find_order, except: [:create, :mine, :current, :index, :update]
+
+      before_filter :find_order, except: [:create, :mine, :current, :index]
+      around_filter :lock_order, except: [:create, :mine, :current, :index]
+
+      # Dynamically defines our stores checkout steps to ensure we check authorization on each step.
+      Order.checkout_steps.keys.each do |step|
+        define_method step do
+          authorize! :update, @order, params[:token]
+        end
+      end
+
+      def cancel
+        authorize! :update, @order, params[:token]
+        @order.cancel!
+        respond_with(@order, :default_template => :show)
+      end
+
+      def create
+        authorize! :create, Order
+        order_user = if @current_user_roles.include?('admin') && order_params[:user_id]
+          Spree.user_class.find(order_params[:user_id])
+        else
+          current_api_user
+        end
+
+        import_params = if @current_user_roles.include?("admin")
+          params[:order].present? ? params[:order].permit! : {}
+        else
+          order_params
+        end
+
+        @order = Spree::Core::Importer::Order.import(order_user, import_params)
+        respond_with(@order, default_template: :show, status: 201)
+      end
+
+      def empty
+        authorize! :update, @order, order_token
+        @order.empty!
+        render text: nil, status: 204
+      end
+
+      def index
+        authorize! :index, Order
+        @orders = Order.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+        respond_with(@orders)
+      end
+
+      def show
+        authorize! :show, @order, order_token
+        respond_with(@order)
+      end
+
+      def update
+        authorize! :update, @order, order_token
+
+        result = if request.patch?
+          # This will update the order without a checkout reset.
+          @order.update_attributes(order_params)
+        else
+          # This will reset checkout back to address and delete all shipments.
+          @order.contents.update_cart(order_params)
+        end
+
+        if result
+          user_id = params[:order][:user_id]
+          if current_api_user.has_spree_role?('admin') && user_id
+            @order.associate_user!(Spree.user_class.find(user_id))
+          end
+          respond_with(@order, default_template: :show)
+        else
+          invalid_resource!(@order)
+        end
+      end
+
+      def current
+        if current_api_user && @order = current_api_user.last_incomplete_spree_order(store: current_store)
+          respond_with(@order, default_template: :show, locals: { root_object: @order })
+        else
+          head :no_content
+        end
+      end
+
+      def mine
+        if current_api_user
+          @orders = current_api_user.orders.by_store(current_store).reverse_chronological.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+        else
+          render "spree/api/errors/unauthorized", status: :unauthorized
+        end
+      end
+
+      def apply_coupon_code
+        authorize! :update, @order, order_token
+        @order.coupon_code = params[:coupon_code]
+        @handler = PromotionHandler::Coupon.new(@order).apply
+        status = @handler.successful? ? 200 : 422
+        render "spree/api/promotions/handler", :status => status
+      end
+
+      private
+        def order_params
+          if params[:order]
+            normalize_params
+            params.require(:order).permit(permitted_order_attributes)
+          else
+            {}
+          end
+        end
+
+        def normalize_params
+          params[:order][:payments_attributes] = params[:order].delete(:payments) if params[:order][:payments]
+          params[:order][:shipments_attributes] = params[:order].delete(:shipments) if params[:order][:shipments]
+          params[:order][:line_items_attributes] = params[:order].delete(:line_items) if params[:order][:line_items]
+          params[:order][:ship_address_attributes] = params[:order].delete(:ship_address) if params[:order][:ship_address].present?
+          params[:order][:bill_address_attributes] = params[:order].delete(:bill_address) if params[:order][:bill_address].present?
+        end
+
+        def permitted_order_attributes
+          if is_admin?
+            super + admin_order_attributes
+          else
+            super
+          end
+        end
+
+        def permitted_shipment_attributes
+          if is_admin?
+            super + admin_shipment_attributes
+          else
+            super
+          end
+        end
+
+        def find_order(lock = false)
+          @order = Spree::Order.find_by!(number: params[:id])
+        end
+
+        def order_id
+          super || params[:id]
+        end
+    end
+  end
+end

data/app/controllers/spree/api/payments_controller.rb

@@ -0,0 +1,81 @@
+module Spree
+  module Api
+    class PaymentsController < Spree::Api::BaseController
+
+      before_filter :find_order
+      around_filter :lock_order, only: [:create, :update, :destroy, :authorize, :capture, :purchase, :void, :credit]
+      before_filter :find_payment, only: [:update, :show, :authorize, :purchase, :capture, :void, :credit]
+
+      def index
+        @payments = @order.payments.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+        respond_with(@payments)
+      end
+
+      def new
+        @payment_methods = Spree::PaymentMethod.available
+        respond_with(@payment_method)
+      end
+
+      def create
+        @payment = @order.payments.build(payment_params)
+        if @payment.save
+          respond_with(@payment, status: 201, default_template: :show)
+        else
+          invalid_resource!(@payment)
+        end
+      end
+
+      def update
+        authorize! params[:action], @payment
+        if ! @payment.pending?
+          render 'update_forbidden', status: 403
+        elsif @payment.update_attributes(payment_params)
+          respond_with(@payment, default_template: :show)
+        else
+          invalid_resource!(@payment)
+        end
+      end
+
+      def show
+        respond_with(@payment)
+      end
+
+      def authorize
+        perform_payment_action(:authorize)
+      end
+
+      def capture
+        perform_payment_action(:capture)
+      end
+
+      def purchase
+        perform_payment_action(:purchase)
+      end
+
+      def void
+        perform_payment_action(:void_transaction)
+      end
+
+      private
+
+        def find_order
+          @order = Spree::Order.find_by(number: order_id)
+          authorize! :read, @order, order_token
+        end
+
+        def find_payment
+          @payment = @order.payments.find(params[:id])
+        end
+
+        def perform_payment_action(action, *args)
+          authorize! action, Payment
+          @payment.send("#{action}!", *args)
+          respond_with(@payment, default_template: :show)
+        end
+
+        def payment_params
+          params.require(:payment).permit(permitted_payment_attributes)
+        end
+    end
+  end
+end

data/app/controllers/spree/api/product_properties_controller.rb

@@ -0,0 +1,72 @@
+module Spree
+  module Api
+    class ProductPropertiesController < Spree::Api::BaseController
+
+      before_action :find_product
+      before_action :product_property, only: [:show, :update, :destroy]
+
+      def index
+        @product_properties = @product.product_properties.accessible_by(current_ability, :read).
+                              ransack(params[:q]).result.
+                              page(params[:page]).per(params[:per_page])
+        respond_with(@product_properties)
+      end
+
+      def show
+        respond_with(@product_property)
+      end
+
+      def new
+      end
+
+      def create
+        authorize! :create, ProductProperty
+        @product_property = @product.product_properties.new(product_property_params)
+        if @product_property.save
+          respond_with(@product_property, status: 201, default_template: :show)
+        else
+          invalid_resource!(@product_property)
+        end
+      end
+
+      def update
+        if @product_property
+          authorize! :update, @product_property
+          @product_property.update_attributes(product_property_params)
+          respond_with(@product_property, status: 200, default_template: :show)
+        else
+          invalid_resource!(@product_property)
+        end
+      end
+
+      def destroy
+        if @product_property
+          authorize! :destroy, @product_property
+          @product_property.destroy
+          respond_with(@product_property, status: 204)
+        else
+          invalid_resource!(@product_property)
+        end
+      end
+
+      private
+
+        def find_product
+          @product = super(params[:product_id])
+          authorize! :read, @product
+        end
+
+        def product_property
+          if @product
+            @product_property ||= @product.product_properties.find_by(id: params[:id])
+            @product_property ||= @product.product_properties.includes(:property).where(spree_properties: { name: params[:id] }).first
+            authorize! :read, @product_property
+          end
+        end
+
+        def product_property_params
+          params.require(:product_property).permit(permitted_product_properties_attributes)
+        end
+    end
+  end
+end

data/app/controllers/spree/api/products_controller.rb

@@ -0,0 +1,129 @@
+module Spree
+  module Api
+    class ProductsController < Spree::Api::BaseController
+
+      def index
+        if params[:ids]
+          ids = params[:ids].split(",").flatten
+          @products = product_scope.where(:id => ids)
+        else
+          @products = product_scope.ransack(params[:q]).result
+        end
+
+        @products = @products.distinct.page(params[:page]).per(params[:per_page])
+        expires_in 15.minutes, :public => true
+        headers['Surrogate-Control'] = "max-age=#{15.minutes}"
+        respond_with(@products)
+      end
+
+      def show
+        @product = find_product(params[:id])
+        expires_in 15.minutes, :public => true
+        headers['Surrogate-Control'] = "max-age=#{15.minutes}"
+        headers['Surrogate-Key'] = "product_id=1"
+        respond_with(@product)
+      end
+
+      # Takes besides the products attributes either an array of variants or
+      # an array of option types.
+      #
+      # By submitting an array of variants the option types will be created
+      # using the *name* key in options hash. e.g
+      #
+      #   product: {
+      #     ...
+      #     variants: {
+      #       price: 19.99,
+      #       sku: "hey_you",
+      #       options: [
+      #         { name: "size", value: "small" },
+      #         { name: "color", value: "black" }
+      #       ]
+      #     }
+      #   }
+      #
+      # Or just pass in the option types hash:
+      #
+      #   product: {
+      #     ...
+      #     option_types: ['size', 'color']
+      #   }
+      #
+      # By passing the shipping category name you can fetch or create that
+      # shipping category on the fly. e.g.
+      #
+      #   product: {
+      #     ...
+      #     shipping_category: "Free Shipping Items"
+      #   }
+      #
+      def create
+        authorize! :create, Product
+        params[:product][:available_on] ||= Time.now
+        set_up_shipping_category
+
+        options = { variants_attrs: variants_params, options_attrs: option_types_params }
+        @product = Core::Importer::Product.new(nil, product_params, options).create
+
+        if @product.persisted?
+          respond_with(@product, :status => 201, :default_template => :show)
+        else
+          invalid_resource!(@product)
+        end
+      end
+
+      def update
+        @product = find_product(params[:id])
+        authorize! :update, @product
+
+        options = { variants_attrs: variants_params, options_attrs: option_types_params }
+        @product = Core::Importer::Product.new(@product, product_params, options).update
+
+        if @product.errors.empty?
+          respond_with(@product.reload, :status => 200, :default_template => :show)
+        else
+          invalid_resource!(@product)
+        end
+      end
+
+      def destroy
+        @product = find_product(params[:id])
+        authorize! :destroy, @product
+        @product.destroy
+        respond_with(@product, :status => 204)
+      end
+
+      private
+        def product_params
+          product_params = params.require(:product).permit(permitted_product_attributes)
+          if product_params[:taxon_ids].present?
+            product_params[:taxon_ids] = product_params[:taxon_ids].split(',')
+          end
+          product_params
+        end
+
+        def variants_params
+          variants_key = if params[:product].has_key? :variants
+            :variants
+          else
+            :variants_attributes
+          end
+
+          params.require(:product).permit(
+            variants_key => [permitted_variant_attributes, :id],
+          ).delete(variants_key) || []
+        end
+
+        def option_types_params
+          params[:product].fetch(:option_types, [])
+        end
+
+        def set_up_shipping_category
+          if shipping_category = params[:product].delete(:shipping_category)
+            id = ShippingCategory.find_or_create_by(name: shipping_category).id
+            params[:product][:shipping_category_id] = id
+          end
+        end
+    end
+  end
+end

data/app/controllers/spree/api/promotions_controller.rb

@@ -0,0 +1,26 @@
+module Spree
+  module Api
+    class PromotionsController < Spree::Api::BaseController
+      before_filter :requires_admin
+      before_filter :load_promotion
+
+      def show
+        if @promotion
+          respond_with(@promotion, default_template: :show)
+        else
+          raise ActiveRecord::RecordNotFound
+        end
+      end
+
+      private 
+        def requires_admin
+          return if @current_user_roles.include?("admin")
+          unauthorized and return
+        end
+
+        def load_promotion
+          @promotion = Spree::Promotion.find_by_id(params[:id]) || Spree::Promotion.with_coupon_code(params[:id])
+        end
+    end
+  end
+end