solidus_api 1.0.0.pre2 → 1.0.0.pre3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3552a542c49a1c8586fe3765f8e477a4d267a8d8
-  data.tar.gz: 31fb98454ac818493d461e32d2a2a5357d3bdb14
+  metadata.gz: cc84533efe45262ccaba47a9b25f28945ee08dcc
+  data.tar.gz: ce8a1e2811b9e94a69f0f91b9d381add04438543
 SHA512:
-  metadata.gz: 06ed20f3ea44a9015f32606e3192f4a8591568665c6211ea642e145437d751aa0ddc65ff720a4ffa8444f5105de0a4f92b8ae68331428676ac5c4373f7e87550
-  data.tar.gz: fa71e4ecc89775eda5afcb323faa90efcdccf9fa08e91ab2b67cbe05bb833c7ede57f714373cef706b299a9db377b6b8e623edb70293d37fa3f563eec8db1299
+  metadata.gz: 4249505d8a2bcbaa5e14d799ca5d6b2d273e97c17e336eaa7c1d36ea0de088565d7508499405633b713b394f90573ad0996b00fb3ff0a9e730f6cbc6a75761cf
+  data.tar.gz: 4dfbe553d6a0fea7ef9434159fab80dfb0f689e56d49fec6f5da67890e3d229b15ebb66519d84ca0056c86cd3991a06729917ce65cbc682a5bc1d665b2f2e3b6

data/app/controllers/spree/api/base_controller.rb

@@ -42,23 +42,17 @@ module Spree
         end.with_indifferent_access
       end
 
+      private
+
       # users should be able to set price when importing orders via api
       def permitted_line_item_attributes
-        if is_admin?
+        if can?(:admin, Spree::LineItem)
           super + admin_line_item_attributes
         else
           super
         end
       end
 
-      protected
-
-      def is_admin?
-        current_api_user && current_api_user.has_spree_role?("admin")
-      end
-
-      private
-
       def set_content_type
         content_type = case params[:format]
         when "json"
@@ -148,7 +142,7 @@ module Spree
       end
 
       def product_scope
-        if is_admin?
+        if can?(:admin, Spree::Product)
           scope = Product.with_deleted.accessible_by(current_ability, :read).includes(*product_includes)
 
           unless params[:show_deleted]

data/app/controllers/spree/api/checkouts_controller.rb

@@ -52,7 +52,7 @@ module Spree
         authorize! :update, @order, order_token
 
         if @order.update_from_params(params, permitted_checkout_attributes, request.headers.env)
-          if current_api_user.has_spree_role?('admin') && user_id.present?
+          if can?(:admin, @order) && user_id.present?
             @order.associate_user!(Spree.user_class.find(user_id))
           end
 

data/app/controllers/spree/api/countries_controller.rb

@@ -1,7 +1,6 @@
 module Spree
   module Api
     class CountriesController < Spree::Api::BaseController
-      skip_before_action :check_for_user_or_api_key
       skip_before_action :authenticate_user
 
       def index

data/app/controllers/spree/api/credit_cards_controller.rb

@@ -1,7 +1,8 @@
 module Spree
   module Api
     class CreditCardsController < Spree::Api::BaseController
-      before_action :user
+      before_action :user, only: [:index]
+      before_action :find_credit_card, only: [:update]
 
       def index
         @credit_cards = user
@@ -12,6 +13,14 @@ module Spree
         respond_with(@credit_cards)
       end
 
+      def update
+        if @credit_card.update_attributes(credit_card_update_params)
+          respond_with(@credit_card, default_template: :show)
+        else
+          invalid_resource!(@credit_card)
+        end
+      end
+
       private
 
         def user
@@ -20,6 +29,14 @@ module Spree
           end
         end
 
+        def find_credit_card
+          @credit_card = Spree::CreditCard.find(params[:id])
+          authorize! :update, @credit_card
+        end
+
+        def credit_card_update_params
+          params.require(:credit_card).permit(permitted_credit_card_update_attributes)
+        end
     end
   end
 end

data/app/controllers/spree/api/orders_controller.rb

@@ -5,14 +5,11 @@ module Spree
       self.admin_shipment_attributes = [:shipping_method, :stock_location, :inventory_units => [:variant_id, :sku]]
 
       class_attribute :admin_order_attributes
-      self.admin_order_attributes = [:import, :number, :completed_at, :locked_at, :channel]
+      self.admin_order_attributes = [:import, :number, :completed_at, :locked_at, :channel, :user_id]
 
-      skip_before_action :check_for_user_or_api_key, only: :apply_coupon_code
       skip_before_action :authenticate_user, only: :apply_coupon_code
 
-      before_action :find_order, except: [:create, :mine, :current, :index, :update]
-
-      before_filter :find_order, except: [:create, :mine, :current, :index]
+      before_action :find_order, except: [:create, :mine, :current, :index]
       around_filter :lock_order, except: [:create, :mine, :current, :index]
 
       # Dynamically defines our stores checkout steps to ensure we check authorization on each step.
@@ -30,13 +27,14 @@ module Spree
 
       def create
         authorize! :create, Order
-        order_user = if @current_user_roles.include?('admin') && order_params[:user_id]
+
+        order_user = if order_params[:user_id]
           Spree.user_class.find(order_params[:user_id])
         else
           current_api_user
         end
 
-        import_params = if @current_user_roles.include?("admin")
+        import_params = if can?(:admin, Spree::Order)
           params[:order].present? ? params[:order].permit! : {}
         else
           order_params
@@ -66,17 +64,9 @@ module Spree
       def update
         authorize! :update, @order, order_token
 
-        result = if request.patch?
-          # This will update the order without a checkout reset.
-          @order.update_attributes(order_params)
-        else
-          # This will reset checkout back to address and delete all shipments.
-          @order.contents.update_cart(order_params)
-        end
-
-        if result
+        if @order.contents.update_cart(order_params)
           user_id = params[:order][:user_id]
-          if current_api_user.has_spree_role?('admin') && user_id
+          if can?(:admin, @order) && user_id
             @order.associate_user!(Spree.user_class.find(user_id))
           end
           respond_with(@order, default_template: :show)
@@ -110,46 +100,43 @@ module Spree
       end
 
       private
-        def order_params
-          if params[:order]
-            normalize_params
-            params.require(:order).permit(permitted_order_attributes)
-          else
-            {}
-          end
-        end
 
-        def normalize_params
-          params[:order][:payments_attributes] = params[:order].delete(:payments) if params[:order][:payments]
-          params[:order][:shipments_attributes] = params[:order].delete(:shipments) if params[:order][:shipments]
-          params[:order][:line_items_attributes] = params[:order].delete(:line_items) if params[:order][:line_items]
-          params[:order][:ship_address_attributes] = params[:order].delete(:ship_address) if params[:order][:ship_address].present?
-          params[:order][:bill_address_attributes] = params[:order].delete(:bill_address) if params[:order][:bill_address].present?
+      def order_params
+        if params[:order]
+          normalize_params
+          params.require(:order).permit(permitted_order_attributes)
+        else
+          {}
         end
+      end
 
-        def permitted_order_attributes
-          if is_admin?
-            super + admin_order_attributes
-          else
-            super
-          end
-        end
+      def normalize_params
+        params[:order][:payments_attributes] = params[:order].delete(:payments) if params[:order][:payments]
+        params[:order][:shipments_attributes] = params[:order].delete(:shipments) if params[:order][:shipments]
+        params[:order][:line_items_attributes] = params[:order].delete(:line_items) if params[:order][:line_items]
+        params[:order][:ship_address_attributes] = params[:order].delete(:ship_address) if params[:order][:ship_address].present?
+        params[:order][:bill_address_attributes] = params[:order].delete(:bill_address) if params[:order][:bill_address].present?
+      end
 
-        def permitted_shipment_attributes
-          if is_admin?
-            super + admin_shipment_attributes
-          else
-            super
-          end
-        end
+      def permitted_order_attributes
+        can?(:admin, Spree::Order) ? (super + admin_order_attributes) : super
+      end
 
-        def find_order(lock = false)
-          @order = Spree::Order.find_by!(number: params[:id])
+      def permitted_shipment_attributes
+        if can?(:admin, Spree::Shipment)
+          super + admin_shipment_attributes
+        else
+          super
         end
+      end
 
-        def order_id
-          super || params[:id]
-        end
+      def find_order(lock = false)
+        @order = Spree::Order.find_by!(number: params[:id])
+      end
+
+      def order_id
+        super || params[:id]
+      end
     end
   end
 end

data/app/controllers/spree/api/states_controller.rb

@@ -1,8 +1,6 @@
 module Spree
   module Api
     class StatesController < Spree::Api::BaseController
-      skip_before_action :set_expiry
-      skip_before_action :check_for_user_or_api_key
       skip_before_action :authenticate_user
 
       def index

data/app/views/spree/api/credit_cards/show.v1.rabl

@@ -1,3 +1,7 @@
 object @credit_card
 cache [I18n.locale, root_object]
 attributes *creditcard_attributes
+
+child :address do
+  extends "spree/api/addresses/show"
+end

data/app/views/spree/api/taxonomies/show.v1.rabl

@@ -1,7 +1,7 @@
 object @taxonomy
 
-if set = params[:set]
-  extends "spree/api/taxonomies/#{set}"
+if params[:set] == 'nested'
+  extends "spree/api/taxonomies/nested"
 else
   attributes *taxonomy_attributes
 

data/config/routes.rb

@@ -108,6 +108,8 @@ Spree::Core::Engine.add_routes do
       resources :credit_cards, only: [:index]
     end
 
+    resources :credit_cards, only: [:update]
+
     resources :properties
     resources :stock_locations do
       resources :stock_movements

data/spec/controllers/spree/api/checkouts_controller_spec.rb

@@ -308,7 +308,13 @@ module Spree
       context "#{action}" do
         context "with order in confirm state" do
           subject do
-            api_put action, params
+            if action == :next
+              ActiveSupport::Deprecation.silence do
+                api_put action, params
+              end
+            else
+              api_put action, params
+            end
           end
 
           let(:params) { {id: order.to_param, order_token: order.guest_token} }
@@ -316,10 +322,6 @@ module Spree
 
           before do
             order.update_column(:state, "confirm")
-
-            if action == :next
-              #ActiveSupport::Deprecation.should_receive(:warn).once
-            end
           end
 
           it "can transition from confirm to complete" do

data/spec/controllers/spree/api/credit_cards_controller_spec.rb

@@ -2,78 +2,110 @@ require 'spec_helper'
 
 module Spree
   describe Api::CreditCardsController, :type => :controller do
-    render_views
+    describe '#index' do
+      render_views
 
-    let!(:admin_user) do
-      user = Spree.user_class.new(:email => "spree@example.com", :id => 1)
-      user.generate_spree_api_key!
-      allow(user).to receive(:has_spree_role?).with('admin').and_return(true)
-      user
-    end
-
-    let!(:normal_user) do
-      user = Spree.user_class.new(:email => "spree2@example.com", :id => 2)
-      user.generate_spree_api_key!
-      user
-    end
+      let!(:admin_user) do
+        user = Spree.user_class.new(:email => "spree@example.com", :id => 1)
+        user.generate_spree_api_key!
+        allow(user).to receive(:has_spree_role?).with('admin').and_return(true)
+        user
+      end
 
-    let!(:card) { create(:credit_card, :user_id => admin_user.id, gateway_customer_profile_id: "random") }
+      let!(:normal_user) do
+        user = Spree.user_class.new(:email => "spree2@example.com", :id => 2)
+        user.generate_spree_api_key!
+        user
+      end
 
-    before do
-      stub_authentication!
-    end
+      let!(:card) { create(:credit_card, :user_id => admin_user.id, gateway_customer_profile_id: "random") }
 
-    it "the user id doesn't exist" do
-      api_get :index, user_id: 1000
-      expect(response.status).to eq(404)
-    end
+      before do
+        stub_authentication!
+      end
 
-    context "calling user is in admin role" do
-      let(:current_api_user) do
-        user = admin_user
-        user
+      it "the user id doesn't exist" do
+        api_get :index, user_id: 1000
+        expect(response.status).to eq(404)
       end
 
-      it "no credit cards exist for user" do
-        api_get :index, user_id: normal_user.id
+      context "calling user is in admin role" do
+        let(:current_api_user) do
+          user = admin_user
+          user
+        end
 
-        expect(response.status).to eq(200)
-        expect(json_response["pages"]).to eq(0)
+        it "no credit cards exist for user" do
+          api_get :index, user_id: normal_user.id
+
+          expect(response.status).to eq(200)
+          expect(json_response["pages"]).to eq(0)
+        end
+
+        it "can view all credit cards for user" do
+          api_get :index, user_id: current_api_user.id
+
+          expect(response.status).to eq(200)
+          expect(json_response["pages"]).to eq(1)
+          expect(json_response["current_page"]).to eq(1)
+          expect(json_response["credit_cards"].length).to eq(1)
+          expect(json_response["credit_cards"].first["id"]).to eq(card.id)
+        end
       end
 
-      it "can view all credit cards for user" do
-        api_get :index, user_id: current_api_user.id
+      context "calling user is not in admin role" do
+        let(:current_api_user) do
+          user = normal_user
+          user
+        end
+
+        let!(:card) { create(:credit_card, :user_id => normal_user.id, gateway_customer_profile_id: "random") }
+
+        it "can not view user" do
+          api_get :index, user_id: admin_user.id
+
+          expect(response.status).to eq(404)
+        end
 
-        expect(response.status).to eq(200)
-        expect(json_response["pages"]).to eq(1)
-        expect(json_response["current_page"]).to eq(1)
-        expect(json_response["credit_cards"].length).to eq(1)
-        expect(json_response["credit_cards"].first["id"]).to eq(card.id)
+        it "can view own credit cards" do
+          api_get :index, user_id: normal_user.id
+
+          expect(response.status).to eq(200)
+          expect(json_response["pages"]).to eq(1)
+          expect(json_response["current_page"]).to eq(1)
+          expect(json_response["credit_cards"].length).to eq(1)
+          expect(json_response["credit_cards"].first["id"]).to eq(card.id)
+        end
       end
     end
 
-    context "calling user is not in admin role" do
-      let(:current_api_user) do
-        user = normal_user
-        user
-      end
+    describe '#update' do
+      let(:credit_card) { create(:credit_card, name: 'Joe Shmoe', user: credit_card_user) }
+      let(:credit_card_user) { create(:user) }
 
-      let!(:card) { create(:credit_card, :user_id => normal_user.id, gateway_customer_profile_id: "random") }
+      before do
+        stub_authentication!
+      end
 
-      it "can not view user" do
-        api_get :index, user_id: admin_user.id
+      context 'when the user is authorized' do
+        let(:current_api_user) { credit_card_user }
 
-        expect(response.status).to eq(404)
+        it 'updates the credit card' do
+          expect {
+            api_put :update, id: credit_card.to_param, credit_card: {name: 'Jordan Brough'}
+          }.to change {
+            credit_card.reload.name
+          }.from('Joe Shmoe').to('Jordan Brough')
+        end
       end
 
-      it "can view own credit cards" do
-        api_get :index, user_id: normal_user.id
+      context 'when the user is not authorized' do
+        let(:current_api_user) { create(:user) }
 
-        expect(response.status).to eq(200)
-        expect(json_response["pages"]).to eq(1)
-        expect(json_response["current_page"]).to eq(1)
-        expect(json_response["credit_cards"].length).to eq(1)
-        expect(json_response["credit_cards"].first["id"]).to eq(card.id)
+        it 'rejects the request' do
+          api_put :update, id: credit_card.to_param, credit_card: {name: 'Jordan Brough'}
+          expect(response.status).to eq(401)
+        end
       end
     end
   end

data/spec/controllers/spree/api/orders_controller_spec.rb

@@ -27,25 +27,110 @@ module Spree
       stub_authentication!
     end
 
-    describe 'PATCH #update' do
-      subject { api_patch :update, id: order.to_param, order: { email: "foo@bar.com" } }
+    describe "POST create" do
+      let(:target_user) { create :user }
+      let(:date_override) { 3.days.ago }
 
       before do
-        allow_any_instance_of(Spree::Order).to receive_messages :user => current_api_user
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          and_return(true)
+
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          with(:admin, Spree::Order).
+          and_return(can_admin)
+
+        allow(Spree.user_class).to receive(:find).
+          with(target_user.id).
+          and_return(target_user)
       end
 
-      it 'should be ok' do
-        expect(subject).to be_ok
+      subject { api_post :create, order: { user_id: target_user.id, created_at: date_override, email: target_user.email } }
+
+      context "when the current user cannot administrate the order" do
+        let(:can_admin) { false }
+
+        it "does not include unpermitted params, or allow overriding the user", focus: true do
+          expect(Spree::Core::Importer::Order).to receive(:import).
+            once.
+            with(current_api_user, { "email" => target_user.email })
+          subject
+        end
+
+        it { should be_success }
       end
 
-      it 'should not invoke OrderContents#update_cart' do
-        expect_any_instance_of(Spree::OrderContents).to_not receive(:update_cart)
-        subject
+      context "when the current user can administrate the order" do
+        let(:can_admin) { true }
+
+        it "it permits all params and allows overriding the user" do
+          expect(Spree::Core::Importer::Order).to receive(:import).
+            once.
+            with(target_user, { "user_id" => target_user.id, "created_at" => date_override, "email" => target_user.email})
+          subject
+        end
+
+        it { should be_success }
       end
+    end
 
-      it 'should update the email' do
+    describe "PUT update" do
+      let(:user) { create :user }
+      let(:order_params) { { number: "anothernumber", user_id: user.id, email: "foo@foobar.com" } }
+      let(:can_admin) { false }
+      subject { api_put :update, id: order.to_param, order: order_params }
+
+      before do
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          and_return(true)
+
+        allow(Spree::Order).to receive(:find_by!).
+          with(number: order.number).
+          and_return(order)
+
+        allow(Spree.user_class).to receive(:find).
+          with(user.id).
+          and_return(user)
+
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          with(:admin, Spree::Order).
+          and_return(can_admin)
+      end
+
+      it "updates the cart contents" do
+        expect(order.contents).to receive(:update_cart).
+          once.
+          with({"email" => "foo@foobar.com"})
         subject
-        expect(order.reload.email).to eq('foo@bar.com')
+      end
+
+      it { should be_success }
+
+      context "when the user can administer the order" do
+        let(:can_admin) { true }
+
+        it "will associate users" do
+          expect(order).to receive(:associate_user!).
+            once.
+            with(user)
+
+          subject
+        end
+
+        it "updates the otherwise forbidden attributes" do
+          expect{subject}.to change{order.reload.number}.
+            to("anothernumber")
+        end
+      end
+
+      context "when the user cannot administer the order" do
+        it "does not associate users" do
+          expect(order).to_not receive(:associate_user!)
+          subject
+        end
+
+        it "does not change forbidden attributes" do
+          expect{subject}.to_not change{order.reload.number}
+        end
       end
     end
 
@@ -174,6 +259,20 @@ module Spree
           expect(shipment['adjustments'][0]['label']).to eq(adjustment.label)
         end
       end
+
+      context 'when credit cards are present' do
+        let!(:payment) { create(:credit_card_payment, order: order, source: credit_card) }
+        let(:credit_card) { create(:credit_card, address: create(:address)) }
+
+        it 'contains the credit cards' do
+          subject
+
+          credit_cards = json_response['credit_cards']
+          expect(credit_cards.size).to eq 1
+          expect(credit_cards[0]['id']).to eq payment.source.id
+          expect(credit_cards[0]['address']['id']).to eq credit_card.address_id
+        end
+      end
     end
 
     it "orders contain the basic checkout steps" do
@@ -240,7 +339,7 @@ module Spree
 
       expect(json_response['number']).to be_present
       expect(json_response["token"]).not_to be_blank
-      expect(json_response["state"]).to eq("address")
+      expect(json_response["state"]).to eq("cart")
       expect(order.user).to eq(current_api_user)
       expect(order.email).to eq(current_api_user.email)
       expect(json_response["user_id"]).to eq(current_api_user.id)
@@ -320,16 +419,6 @@ module Spree
 
       before { allow_any_instance_of(Order).to receive_messages user: current_api_user }
 
-      context "line_items hash not present in request" do
-        it "responds successfully" do
-          api_put :update, :id => order.to_param, :order => {
-            :email => "hublock@spreecommerce.com"
-          }
-
-          expect(response).to be_success
-        end
-      end
-
       it "updates quantities of existing line items" do
         api_put :update, :id => order.to_param, :order => {
           :line_items => {
@@ -500,6 +589,7 @@ module Spree
           end
 
           before do
+            order.next!
             order.next!
             order.save
           end

data/spec/features/checkout_spec.rb

@@ -5,6 +5,7 @@ module Spree
     before { Spree::Api::Config[:requires_authentication] = false }
     let!(:promotion) { FactoryGirl.create(:promotion, :with_order_adjustment, code: 'foo', weighted_order_adjustment_amount: 10) }
     let(:promotion_code) { promotion.codes.first }
+    let!(:store) { FactoryGirl.create(:store) }
     let(:bill_address) { FactoryGirl.create(:address) }
     let(:ship_address) { FactoryGirl.create(:address) }
     let(:variant_1) { FactoryGirl.create(:variant, price: 100.00) }

data/spec/support/controller_hacks.rb

@@ -19,10 +19,6 @@ module ControllerHacks
     api_process(action, params, session, flash, "PUT")
   end
 
-  def api_patch(action, params={}, session=nil, flash=nil)
-    api_process(action, params, session, flash, "PATCH")
-  end
-
   def api_delete(action, params={}, session=nil, flash=nil)
     api_process(action, params, session, flash, "DELETE")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_api
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre2
+  version: 1.0.0.pre3
 platform: ruby
 authors:
 - Solidus Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-20 00:00:00.000000000 Z
+date: 2015-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: solidus_core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.0.pre2
+        version: 1.0.0.pre3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.0.pre2
+        version: 1.0.0.pre3
 - !ruby/object:Gem::Dependency
   name: rabl
   requirement: !ruby/object:Gem::Requirement