RubyGems - solidus_api - Versions diffs - 1.0.7 → 1.1.0.beta1 - Mend

solidus_api 1.0.7 → 1.1.0.beta1

Potentially problematic release.

This version of solidus_api might be problematic. Click here for more details.

Files changed (43) hide show

data/spec/controllers/spree/api/credit_cards_controller_spec.rb CHANGED

@@ -6,16 +6,11 @@ module Spree
       render_views
       let!(:admin_user) do
-        user = Spree.user_class.new(:email => "spree@example.com", :id => 1)
-        user.generate_spree_api_key!
-        allow(user).to receive(:has_spree_role?).with('admin').and_return(true)
-        user
+        create(:admin_user)
       end
       let!(:normal_user) do
-        user = Spree.user_class.new(:email => "spree2@example.com", :id => 2)
-        user.generate_spree_api_key!
-        user
+        create(:user, :with_api_key)
       end
       let!(:card) { create(:credit_card, :user_id => admin_user.id, gateway_customer_profile_id: "random") }
@@ -31,8 +26,7 @@ module Spree
       context "calling user is in admin role" do
         let(:current_api_user) do
-          user = admin_user
-          user
+          admin_user
         end
         it "no credit cards exist for user" do
@@ -55,8 +49,7 @@ module Spree
       context "calling user is not in admin role" do
         let(:current_api_user) do
-          user = normal_user
-          user
+          normal_user
         end
         let!(:card) { create(:credit_card, :user_id => normal_user.id, gateway_customer_profile_id: "random") }

data/spec/controllers/spree/api/orders_controller_spec.rb CHANGED

@@ -29,49 +29,49 @@ module Spree
     describe "POST create" do
       let(:target_user) { create :user }
-      let(:date_override) { Time.parse('2015-01-01') }
-      let(:attributes) { { user_id: target_user.id, created_at: date_override, email: target_user.email } }
+      let(:date_override) { 3.days.ago }
-      subject { api_post :create, order: attributes }
+      before do
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          and_return(true)
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          with(:admin, Spree::Order).
+          and_return(can_admin)
+        allow(Spree.user_class).to receive(:find).
+          with(target_user.id).
+          and_return(target_user)
+      end
+      subject { api_post :create, order: { user_id: target_user.id, created_at: date_override, email: target_user.email } }
       context "when the current user cannot administrate the order" do
-        stub_authorization! do |_|
-          can :create, Spree::Order
-        end
+        let(:can_admin) { false }
         it "does not include unpermitted params, or allow overriding the user", focus: true do
+          expect(Spree::Core::Importer::Order).to receive(:import).
+            once.
+            with(current_api_user, { "email" => target_user.email }).
+            and_call_original
           subject
-          expect(response).to be_success
-          order = Spree::Order.last
-          expect(order.user).to eq current_api_user
-          expect(order.email).to eq target_user.email
         end
         it { is_expected.to be_success }
+      end
-        context 'creating payment' do
-          let(:attributes) { super().merge(payments_attributes: [{ payment_method_id: payment_method.id }]) }
-          context "with allowed payment method" do
-            let!(:payment_method) { create(:check_payment_method, name: "allowed" ) }
-            it { is_expected.to be_success }
-            it "creates a payment" do
-              expect {
-                subject
-              }.to change { Spree::Payment.count }.by(1)
-            end
-          end
+      context "when the current user can administrate the order" do
+        let(:can_admin) { true }
-          context "with disallowed payment method" do
-            let!(:payment_method) { create(:check_payment_method, name: "forbidden", display_on: "back_end") }
-            it { is_expected.to be_not_found }
-            it "creates no payments" do
-              expect {
-                subject
-              }.not_to change { Spree::Payment.count }
-            end
-          end
+        it "it permits all params and allows overriding the user" do
+          expect(Spree::Core::Importer::Order).to receive(:import).
+            once.
+            with(target_user, { "user_id" => target_user.id, "created_at" => date_override, "email" => target_user.email}).
+            and_call_original
+          subject
         end
+        it { is_expected.to be_success }
       end
     end
@@ -81,65 +81,41 @@ module Spree
       let(:can_admin) { false }
       subject { api_put :update, id: order.to_param, order: order_params }
-      context "when the user cannot administer the order" do
-        stub_authorization! do |_|
-          can [:update], Spree::Order
-        end
-        it "updates the user's email" do
-          expect {
-            subject
-          }.to change { order.reload.email }.to("foo@foobar.com")
-        end
-        it { is_expected.to be_success }
-        it "does not associate users" do
-          expect {
-            subject
-          }.not_to change { order.reload.user }
-        end
+      before do
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          and_return(true)
-        it "does not change forbidden attributes" do
-          expect {
-            subject
-          }.to_not change{ order.reload.number }
-        end
+        allow(Spree::Order).to receive(:find_by!).
+          with(number: order.number).
+          and_return(order)
-        context 'creating payment' do
-          let(:order_params) { super().merge(payments_attributes: [{ payment_method_id: payment_method.id }]) }
+        allow(Spree.user_class).to receive(:find).
+          with(user.id).
+          and_return(user)
-          context "with allowed payment method" do
-            let!(:payment_method) { create(:check_payment_method, name: "allowed" ) }
-            it { is_expected.to be_success }
-            it "creates a payment" do
-              expect {
-                subject
-              }.to change { Spree::Payment.count }.by(1)
-            end
-          end
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          with(:admin, Spree::Order).
+          and_return(can_admin)
+      end
-          context "with disallowed payment method" do
-            let!(:payment_method) { create(:check_payment_method, name: "forbidden", display_on: "back_end") }
-            it { is_expected.to be_not_found }
-            it "creates no payments" do
-              expect {
-                subject
-              }.not_to change { Spree::Payment.count }
-            end
-          end
-        end
+      it "updates the cart contents" do
+        expect(order.contents).to receive(:update_cart).
+          once.
+          with({"email" => "foo@foobar.com"})
+        subject
       end
+      it { is_expected.to be_success }
       context "when the user can administer the order" do
-        stub_authorization! do |_|
-          can [:admin, :update], Spree::Order
-        end
+        let(:can_admin) { true }
         it "will associate users" do
-          expect {
-            subject
-          }.to change { order.reload.user }.to(user)
+          expect(order).to receive(:associate_user!).
+            once.
+            with(user)
+          subject
         end
         it "updates the otherwise forbidden attributes" do
@@ -147,6 +123,17 @@ module Spree
             to("anothernumber")
         end
       end
+      context "when the user cannot administer the order" do
+        it "does not associate users" do
+          expect(order).to_not receive(:associate_user!)
+          subject
+        end
+        it "does not change forbidden attributes" do
+          expect{subject}.to_not change{order.reload.number}
+        end
+      end
     end
     it "cannot view all orders" do
@@ -326,10 +313,7 @@ module Spree
       after { Spree::Ability.remove_ability(::BarAbility) }
       it "can view an order" do
-        user = build(:user)
-        allow(user).to receive_message_chain(:spree_roles, :pluck).and_return(["bar"])
-        allow(user).to receive(:has_spree_role?).with('bar').and_return(true)
-        allow(user).to receive(:has_spree_role?).with('admin').and_return(false)
+        user = build(:user, spree_roles: [Spree::Role.new(name: 'bar')])
         allow(Spree.user_class).to receive_messages find_by: user
         api_get :show, :id => order.to_param
         expect(response.status).to eq(200)
@@ -368,13 +352,16 @@ module Spree
     # Regression test for #3404
     it "can specify additional parameters for a line item" do
-      expect_any_instance_of(Spree::LineItem).to receive(:special=).with("foo")
+      expect(Order).to receive(:create!).and_return(order = Spree::Order.new)
+      allow(order).to receive(:associate_user!)
+      allow(order).to receive_message_chain(:contents, :add).and_return(line_item = double('LineItem'))
+      expect(line_item).to receive(:update_attributes!).with("special" => true)
       allow(controller).to receive_messages(permitted_line_item_attributes: [:id, :variant_id, :quantity, :special])
       api_post :create, :order => {
         :line_items => {
           "0" => {
-            variant_id: variant.to_param, quantity: 5, special: "foo"
+            :variant_id => variant.to_param, :quantity => 5, :special => true
           }
         }
       }
@@ -395,10 +382,7 @@ module Spree
     end
     context "admin user imports order" do
-      before do
-        allow(current_api_user).to receive_messages has_spree_role?: true
-        allow(current_api_user).to receive_message_chain :spree_roles, pluck: ["admin"]
-      end
+      let!(:current_api_user) { create :admin_user }
       it "is able to set any default unpermitted attribute" do
         api_post :create, :order => { number: "WOW" }
@@ -410,7 +394,6 @@ module Spree
     it "can create an order without any parameters" do
       expect { api_post :create }.not_to raise_error
       expect(response.status).to eq(201)
-      order = Order.last
       expect(json_response["state"]).to eq("cart")
     end
@@ -658,19 +641,6 @@ module Spree
         end
       end
-      it "responds with orders updated_at with miliseconds precision" do
-        if ActiveRecord::Base.connection.adapter_name == "Mysql2"
-          skip "MySQL does not support millisecond timestamps."
-        else
-          skip "Probable need to make it call as_json. See https://github.com/rails/rails/commit/0f33d70e89991711ff8b3dde134a61f4a5a0ec06"
-        end
-        api_get :index
-        milisecond = order.updated_at.strftime("%L")
-        updated_at = json_response["orders"].first["updated_at"]
-        expect(updated_at.split("T").last).to have_content(milisecond)
-      end
       context "caching enabled" do
         before do
           ActionController::Base.perform_caching = true

data/spec/controllers/spree/api/payments_controller_spec.rb CHANGED

@@ -43,17 +43,6 @@ module Spree
             expect(response.status).to eq(201)
             expect(json_response).to have_attributes(attributes)
           end
-          context "disallowed payment method" do
-            it "does not create a new payment" do
-              PaymentMethod.first.update!(display_on: "back_end")
-              expect {
-                api_post :create, payment: { payment_method_id: PaymentMethod.first.id, amount: 50 }
-              }.not_to change { Spree::Payment.count }
-              expect(response.status).to eq(404)
-            end
-          end
         end
         context "payment source is required" do

data/spec/controllers/spree/api/products_controller_spec.rb CHANGED

@@ -395,13 +395,13 @@ module Spree
         # Regression test for #4123
         it "puts the created product in the given taxon" do
           api_put :update, :id => product.to_param, :product => {:taxon_ids => taxon_1.id.to_s}
-          expect(json_response["taxon_ids"]).to eq([taxon_1.id,])
+          expect(json_response["taxon_ids"]).to eq([taxon_1.id])
         end
         # Regression test for #4123
         it "puts the created product in the given taxons" do
           api_put :update, :id => product.to_param, :product => {:taxon_ids => [taxon_1.id, taxon_2.id].join(',')}
-          expect(json_response["taxon_ids"]).to eq([taxon_1.id, taxon_2.id])
+          expect(json_response["taxon_ids"]).to match_array([taxon_1.id, taxon_2.id])
         end
       end

data/spec/controllers/spree/api/resource_controller_spec.rb ADDED

@@ -0,0 +1,157 @@
+require 'spec_helper'
+module Spree
+  module Api
+    class WidgetsController < Spree::Api::ResourceController
+      prepend_view_path('spec/test_views')
+      def model_class
+        Widget
+      end
+      def permitted_widget_attributes
+        [:name]
+      end
+    end
+  end
+  describe Api::WidgetsController, type: :controller do
+    render_views
+    after(:all) do
+      Rails.application.reload_routes!
+    end
+    with_model 'Widget', scope: :all do
+      table do |t|
+        t.string :name
+        t.integer :position
+        t.timestamps null: false
+      end
+      model do
+        acts_as_list
+        validates :name, presence: true
+      end
+    end
+    before do
+      Spree::Core::Engine.routes.draw do
+        namespace :api do
+          resources :widgets
+        end
+      end
+    end
+    let(:user) { create(:user, :with_api_key) }
+    let(:admin_user) { create(:admin_user, :with_api_key) }
+    describe "#index" do
+      let!(:widget) { Widget.create!(name: "a widget") }
+      it "returns no widgets" do
+        api_get :index, token: user.spree_api_key
+        expect(response).to be_success
+        expect(json_response['widgets']).to be_blank
+      end
+      context "it has authorization to read widgets" do
+        it "returns widgets" do
+          api_get :index, token: admin_user.spree_api_key
+          expect(response).to be_success
+          expect(json_response['widgets']).to include(
+            'name' => 'a widget',
+            'position' => 1
+          )
+        end
+      end
+    end
+    describe "#show" do
+      let(:widget) { Widget.create!(name: "a widget") }
+      it "returns not found" do
+        api_get :show, id: widget.to_param, token: user.spree_api_key
+        assert_not_found!
+      end
+      context "it has authorization read widgets" do
+        it "returns widget details" do
+          api_get :show, id: widget.to_param, token: admin_user.spree_api_key
+          expect(response).to be_success
+          expect(json_response['name']).to eq 'a widget'
+        end
+      end
+    end
+    describe "#new" do
+      it "returns unauthorized" do
+        api_get :new, token: user.spree_api_key
+        expect(response).to be_unauthorized
+      end
+      context "it is allowed to view a new widget" do
+        it "can learn how to create a new widget" do
+          api_get :new, token: admin_user.spree_api_key
+          expect(response).to be_success
+          expect(json_response["attributes"]).to eq(['name'])
+        end
+      end
+    end
+    describe "#create" do
+      it "returns unauthorized" do
+        expect {
+          api_post :create, widget: { name: "a widget" }, token: user.spree_api_key
+        }.not_to change(Widget, :count)
+        expect(response).to be_unauthorized
+      end
+      context "it is authorized to create widgets" do
+        it "can create a widget" do
+          expect {
+            api_post :create, widget: { name: "a widget" }, token: admin_user.spree_api_key
+          }.to change(Widget, :count).by(1)
+          expect(response).to be_created
+          expect(json_response['name']).to eq 'a widget'
+          expect(Widget.last.name).to eq 'a widget'
+        end
+      end
+    end
+    describe "#update" do
+      let!(:widget) { Widget.create!(name: "a widget") }
+      it "returns unauthorized" do
+        api_put :update, id: widget.to_param, widget: { name: "another widget" }, token: user.spree_api_key
+        assert_not_found!
+        expect(widget.reload.name).to eq 'a widget'
+      end
+      context "it is authorized to update widgets" do
+        it "can update a widget" do
+          api_put :update, id: widget.to_param, widget: { name: "another widget" }, token: admin_user.spree_api_key
+          expect(response).to be_success
+          expect(json_response['name']).to eq 'another widget'
+          expect(widget.reload.name).to eq 'another widget'
+        end
+      end
+    end
+    describe "#destroy" do
+      let!(:widget) { Widget.create!(name: "a widget") }
+      it "returns unauthorized" do
+        api_delete :destroy, id: widget.to_param, token: user.spree_api_key
+        assert_not_found!
+        expect { widget.reload }.not_to raise_error
+      end
+      context "it is authorized to destroy widgets" do
+        it "can destroy a widget" do
+          api_delete :destroy, id: widget.to_param, token: admin_user.spree_api_key
+          expect(response.status).to eq 204
+          expect { widget.reload }.to raise_error(ActiveRecord::RecordNotFound)
+        end
+      end
+    end
+  end
+end