solidus_api 1.1.4 → 1.2.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d2c2d5dcacdd54bff2af4a9f0c95267b946ef5ca
-  data.tar.gz: d408a4edde689abcf77a6d0c1997ae15134f7a37
+  metadata.gz: 0541b475d9a7c6163816b932d0e24098d63668c9
+  data.tar.gz: e238a5d6173dc3e22758fad5d9ae7ff72bf27c1d
 SHA512:
-  metadata.gz: 1be4bc3ad33669bd7ded7960bc68b2444230ced8dc3998f53a7344663a8c360a16c710a189ccf2544b05be5ddf96ea72f26fb5dc0edf39f4749164fa6fe2a27a
-  data.tar.gz: 9f0ec8af96cb1f98d4adf442cb5984ca66226b2bb604ab552f7d525a3c055abb6e2e9daf080fdaefd7b6e62d02f81642b41baeee056b847285c874379dbf86cb
+  metadata.gz: e6806e2569df73fea2bdababe36912878beaef9962483c42a59b093f021444556b42aba5b58e10bc2afa11a1bd880b58432cd810dbb9c693f62efabcd246190e
+  data.tar.gz: 448e5fb1b8ddeb83dd49bbd0bc2f8588f1665ae3fcdf89e4f4a3b671f2a3de2e5abc8e01c8e6aa1362e6c5c6323a142763fd2a2a4c9741c9b0f69a5909a13ff9

data/app/controllers/spree/api/base_controller.rb

@@ -151,7 +151,7 @@ module Spree
       end
 
       def lock_order
-        Spree::OrderMutex.with_lock!(@order) { yield }
+        OrderMutex.with_lock!(@order) { yield }
       rescue Spree::OrderMutex::LockFailed => e
         render text: e.message, status: 409
       end

data/app/controllers/spree/api/checkouts_controller.rb

@@ -56,14 +56,7 @@ module Spree
       def update
         authorize! :update, @order, order_token
 
-        update_params = if params[:payment_source].present?
-          ActiveSupport::Deprecation.warn("Passing payment_source is deprecated. Send source parameters inside payments_attributes[:source_attributes].", caller)
-          move_payment_source_into_payments_attributes(params)
-        else
-          params
-        end
-
-        if @order.update_from_params(update_params, permitted_checkout_attributes, request.headers.env)
+        if OrderUpdateAttributes.new(@order, update_params, request_env: request.headers.env).apply
           if can?(:admin, @order) && user_id.present?
             @order.associate_user!(Spree.user_class.find(user_id))
           end
@@ -87,6 +80,33 @@ module Spree
           params[:order][:user_id] if params[:order]
         end
 
+        def update_params
+          if update_params = massaged_params[:order]
+            update_params.permit(permitted_checkout_attributes)
+          else
+            # We current allow update requests without any parameters in them.
+            {}
+          end
+        end
+
+        def massaged_params
+          massaged_params = params.deep_dup
+
+          if params[:payment_source].present?
+            ActiveSupport::Deprecation.warn("Passing payment_source is deprecated. Send source parameters inside payments_attributes[:source_attributes].", caller)
+            move_payment_source_into_payments_attributes(massaged_params)
+          end
+
+          if params[:order] && params[:order][:existing_card].present?
+            ActiveSupport::Deprecation.warn("Passing order[:existing_card] is deprecated. Send existing_card_id inside of payments_attributes[:source_attributes].", caller)
+            move_existing_card_into_payments_attributes(massaged_params)
+          end
+
+          set_payment_parameters_amount(massaged_params, @order)
+
+          massaged_params
+        end
+
         # Should be overriden if you have areas of your checkout that don't match
         # up to a step within checkout_steps, such as a registration step
         def skip_state_validation?

data/app/controllers/spree/api/orders_controller.rb

@@ -27,24 +27,8 @@ module Spree
 
       def create
         authorize! :create, Order
-
-        if can?(:admin, Order)
-          order_user = if order_params[:user_id]
-            Spree.user_class.find(order_params[:user_id])
-          else
-            current_api_user
-          end
-
-          @order = Spree::Core::Importer::Order.import(order_user, order_params)
-          respond_with(@order, default_template: :show, status: 201)
-        else
-          @order = Spree::Order.create!(user: current_api_user, store: current_store)
-          if @order.contents.update_cart(order_params)
-            respond_with(@order, default_template: :show, status: 201)
-          else
-            invalid_resource!(@order)
-          end
-        end
+        @order = Spree::Core::Importer::Order.import(determine_order_user, order_params)
+        respond_with(@order, default_template: :show, status: 201)
       end
 
       def empty
@@ -125,6 +109,15 @@ module Spree
         params[:order][:bill_address_attributes] = params[:order].delete(:bill_address) if params[:order][:bill_address].present?
       end
 
+      # @api public
+      def determine_order_user
+        if order_params[:user_id].present?
+          Spree.user_class.find(order_params[:user_id])
+        else
+          current_api_user
+        end
+      end
+
       def permitted_order_attributes
         can?(:admin, Spree::Order) ? (super + admin_order_attributes) : super
       end

data/app/controllers/spree/api/payments_controller.rb

@@ -17,8 +17,7 @@ module Spree
       end
 
       def create
-        @order.validate_payments_attributes(payment_params)
-        @payment = @order.payments.build(payment_params)
+        @payment = PaymentCreate.new(@order, payment_params).build
         if @payment.save
           respond_with(@payment, status: 201, default_template: :show)
         else

data/app/controllers/spree/api/products_controller.rb

@@ -5,7 +5,7 @@ module Spree
       def index
         if params[:ids]
           ids = params[:ids].split(",").flatten
-          @products = product_scope.where(:id => ids)
+          @products = product_scope.where(id: ids)
         else
           @products = product_scope.ransack(params[:q]).result
         end
@@ -59,14 +59,14 @@ module Spree
       #
       def create
         authorize! :create, Product
-        params[:product][:available_on] ||= Time.now
+        params[:product][:available_on] ||= Time.current
         set_up_shipping_category
 
         options = { variants_attrs: variants_params, options_attrs: option_types_params }
         @product = Core::Importer::Product.new(nil, product_params, options).create
 
         if @product.persisted?
-          respond_with(@product, :status => 201, :default_template => :show)
+          respond_with(@product, status: 201, default_template: :show)
         else
           invalid_resource!(@product)
         end
@@ -80,7 +80,7 @@ module Spree
         @product = Core::Importer::Product.new(@product, product_params, options).update
 
         if @product.errors.empty?
-          respond_with(@product.reload, :status => 200, :default_template => :show)
+          respond_with(@product.reload, status: 200, default_template: :show)
         else
           invalid_resource!(@product)
         end

data/app/controllers/spree/api/shipments_controller.rb

@@ -116,11 +116,12 @@ module Spree
 
       def find_shipment
         if @order.present?
-          @shipment = @order.shipments.accessible_by(current_ability, :update).find_by!(number: params[:id])
+          @shipment = @order.shipments.find_by!(number: params[:id])
         else
-          @shipment = Spree::Shipment.accessible_by(current_ability, :update).readonly(false).find_by!(number: params[:id])
+          @shipment = Spree::Shipment.readonly(false).find_by!(number: params[:id])
           @order = @shipment.order
         end
+        authorize! :update, @shipment
       end
 
       def update_shipment

data/solidus_api.gemspec

@@ -1,5 +1,5 @@
 # -*- encoding: utf-8 -*-
-version = File.read(File.expand_path("../../SOLIDUS_VERSION", __FILE__)).strip
+require_relative '../core/lib/spree/core/version.rb'
 
 Gem::Specification.new do |gem|
   gem.author        = 'Solidus Team'
@@ -14,9 +14,9 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.name          = "solidus_api"
   gem.require_paths = ["lib"]
-  gem.version       = version
+  gem.version         = Spree.solidus_version
 
-  gem.add_dependency 'solidus_core', version
+  gem.add_dependency 'solidus_core', gem.version
   gem.add_dependency 'rabl', ['>= 0.9.4.pre1', '< 0.12.0']
   gem.add_dependency 'versioncake', '~> 2.3.1'
 end

data/spec/controllers/spree/api/checkouts_controller_spec.rb

@@ -106,7 +106,7 @@ module Spree
           expect(response.status).to eq(200)
         end
 
-        # Regression Spec for #5389 & #5880
+        # Regression Spec for https://github.com/spree/spree/issues/5389 and https://github.com/spree/spree/issues/5880
         it "can update addresses but not transition to delivery w/o shipping setup" do
           Spree::ShippingMethod.destroy_all
           api_put :update,
@@ -119,7 +119,7 @@ module Spree
           expect(response.status).to eq(422)
         end
 
-        # Regression test for #4498
+        # Regression test for https://github.com/spree/spree/issues/4498
         it "does not contain duplicate variant data in delivery return" do
           api_put :update,
             id: order.to_param, order_token: order.guest_token,
@@ -163,19 +163,6 @@ module Spree
         expect(response.status).to eq(200)
       end
 
-      context "with disallowed payment method" do
-        it "returns not found" do
-          order.update_column(:state, "payment")
-          allow_any_instance_of(Spree::Gateway::Bogus).to receive(:source_required?).and_return(false)
-          @payment_method.update!(display_on: "back_end")
-          expect {
-            api_put :update, id: order.to_param, order_token: order.guest_token, order: { payments_attributes: [{ payment_method_id: @payment_method.id }] }
-          }.not_to change { Spree::Payment.count }
-          expect(response.status).to eq(404)
-        end
-      end
-
-
       it "returns errors when source is required and missing" do
         order.update_column(:state, "payment")
         api_put :update, :id => order.to_param, :order_token => order.guest_token,
@@ -185,6 +172,29 @@ module Spree
         expect(source_errors).to include("can't be blank")
       end
 
+      describe 'setting the payment amount' do
+        let(:params) do
+          {
+            id: order.to_param,
+            order_token: order.guest_token,
+            order: {
+              payments_attributes: [
+                {
+                  payment_method_id: @payment_method.id.to_s,
+                  source_attributes: attributes_for(:credit_card),
+                },
+              ],
+            },
+          }
+        end
+
+        it 'sets the payment amount to the order total' do
+          api_put(:update, params)
+          expect(response.status).to eq(200)
+          expect(json_response['payments'][0]['amount']).to eq(order.total.to_s)
+        end
+      end
+
       describe 'payment method with source and transition from payment to confirm' do
         before do
           order.update_column(:state, "payment")
@@ -299,19 +309,78 @@ module Spree
         end
       end
 
-      it "allow users to reuse a credit card" do
-        order.update_column(:state, "payment")
-        credit_card = create(:credit_card, user_id: order.user_id, payment_method_id: @payment_method.id)
+      context 'reusing a credit card' do
+        before do
+          order.update_column(:state, "payment")
+        end
 
-        api_put :update, id: order.to_param, order_token: order.guest_token,
-          order: { existing_card: credit_card.id }
+        let(:params) do
+          {
+            id: order.to_param,
+            order_token: order.guest_token,
+            order: {
+              payments_attributes: [
+                {
+                  source_attributes: {
+                    existing_card_id: credit_card.id.to_s,
+                    verification_value: '456',
+                  }
+                },
+              ],
+            },
+          }
+        end
+
+        let!(:credit_card) do
+          create(:credit_card, user_id: order.user_id, payment_method_id: @payment_method.id)
+        end
+
+        it 'succeeds' do
+          # unfortunately the credit card gets reloaded by `@order.next` before
+          # the controller action finishes so this is the best way I could think
+          # of to test that the verification_value gets set.
+          expect_any_instance_of(Spree::CreditCard).to(
+            receive(:verification_value=).with('456').and_call_original
+          )
+
+          api_put(:update, params)
+
+          expect(response.status).to eq 200
+          expect(order.credit_cards).to match_array [credit_card]
+        end
 
-        expect(response.status).to eq 200
-        expect(order.credit_cards).to match_array [credit_card]
+        context 'with deprecated existing_card parameters' do
+          let(:params) do
+            {
+              id: order.to_param,
+              order_token: order.guest_token,
+              order: {
+                existing_card: credit_card.id.to_s,
+              },
+              cvc_confirm: '456',
+            }
+          end
+
+          it 'succeeds' do
+            # unfortunately the credit card gets reloaded by `@order.next` before
+            # the controller action finishes so this is the best way I could think
+            # of to test that the verification_value gets set.
+            expect_any_instance_of(Spree::CreditCard).to(
+              receive(:verification_value=).with('456').and_call_original
+            )
+
+            ActiveSupport::Deprecation.silence do
+              api_put(:update, params)
+            end
+
+            expect(response.status).to eq 200
+            expect(order.credit_cards).to match_array [credit_card]
+          end
+        end
       end
 
       it "can transition from confirm to complete" do
-        order.update_columns(completed_at: Time.now, state: 'complete')
+        order.update_columns(completed_at: Time.current, state: 'complete')
         allow_any_instance_of(Spree::Order).to receive_messages(payment_required?: false)
         api_put :update, id: order.to_param, order_token: order.guest_token
         expect(json_response['state']).to eq('complete')
@@ -319,13 +388,13 @@ module Spree
       end
 
       it "returns the order if the order is already complete" do
-        order.update_columns(completed_at: Time.now, state: 'complete')
+        order.update_columns(completed_at: Time.current, state: 'complete')
         api_put :update, id: order.to_param, order_token: order.guest_token
         expect(json_response['number']).to eq(order.number)
         expect(response.status).to eq(200)
       end
 
-      # Regression test for #3784
+      # Regression test for https://github.com/spree/spree/issues/3784
       it "can update the special instructions for an order" do
         instructions = "Don't drop it. (Please)"
         api_put :update, id: order.to_param, order_token: order.guest_token,

data/spec/controllers/spree/api/classifications_controller_spec.rb

@@ -37,7 +37,7 @@ module Spree
       end
 
       it "should touch the taxon" do
-        taxon.update_attributes(updated_at: Time.now - 10.seconds)
+        taxon.update_attributes(updated_at: Time.current - 10.seconds)
         taxon_last_updated_at = taxon.updated_at
         api_put :update, taxon_id: taxon, product_id: last_product, position: 0
         taxon.reload

data/spec/controllers/spree/api/orders_controller_spec.rb

@@ -29,62 +29,46 @@ module Spree
 
     describe "POST create" do
       let(:target_user) { create :user }
-      let(:date_override) { Time.parse('2015-01-01') }
-      let(:attributes) { { user_id: target_user.id, created_at: date_override, email: target_user.email } }
+      let(:date_override) { 3.days.ago }
 
-      subject { api_post :create, order: attributes }
+      before do
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          and_return(true)
+
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          with(:admin, Spree::Order).
+          and_return(can_admin)
+
+        allow(Spree.user_class).to receive(:find).
+          with(target_user.id).
+          and_return(target_user)
+      end
+
+      subject { api_post :create, order: { user_id: target_user.id, created_at: date_override, email: target_user.email } }
 
       context "when the current user cannot administrate the order" do
-        stub_authorization! do |_|
-          can :create, Spree::Order
-        end
+        let(:can_admin) { false }
 
         it "does not include unpermitted params, or allow overriding the user", focus: true do
+          expect(Spree::Core::Importer::Order).to receive(:import).
+            once.
+            with(current_api_user, { "email" => target_user.email }).
+            and_call_original
           subject
-          expect(response).to be_success
-          order = Spree::Order.last
-          expect(order.user).to eq current_api_user
-          expect(order.email).to eq target_user.email
         end
 
         it { is_expected.to be_success }
-
-        context 'creating payment' do
-          let(:attributes) { super().merge(payments_attributes: [{ payment_method_id: payment_method.id }]) }
-
-          context "with allowed payment method" do
-            let!(:payment_method) { create(:check_payment_method, name: "allowed" ) }
-            it { is_expected.to be_success }
-            it "creates a payment" do
-              expect {
-                subject
-              }.to change { Spree::Payment.count }.by(1)
-            end
-          end
-
-          context "with disallowed payment method" do
-            let!(:payment_method) { create(:check_payment_method, name: "forbidden", display_on: "back_end") }
-            it { is_expected.to be_not_found }
-            it "creates no payments" do
-              expect {
-                subject
-              }.not_to change { Spree::Payment.count }
-            end
-          end
-        end
       end
 
       context "when the current user can administrate the order" do
-        stub_authorization! do |_|
-          can [:admin, :create], Spree::Order
-        end
+        let(:can_admin) { true }
 
         it "it permits all params and allows overriding the user" do
+          expect(Spree::Core::Importer::Order).to receive(:import).
+            once.
+            with(target_user, { "user_id" => target_user.id, "created_at" => date_override, "email" => target_user.email}).
+            and_call_original
           subject
-          order = Spree::Order.last
-          expect(order.user).to eq target_user
-          expect(order.email).to eq target_user.email
-          expect(order.created_at).to eq date_override
         end
 
         it { is_expected.to be_success }
@@ -97,65 +81,41 @@ module Spree
       let(:can_admin) { false }
       subject { api_put :update, id: order.to_param, order: order_params }
 
-      context "when the user cannot administer the order" do
-        stub_authorization! do |_|
-          can [:update], Spree::Order
-        end
-
-        it "updates the user's email" do
-          expect {
-            subject
-          }.to change { order.reload.email }.to("foo@foobar.com")
-        end
-
-        it { is_expected.to be_success }
-
-        it "does not associate users" do
-          expect {
-            subject
-          }.not_to change { order.reload.user }
-        end
+      before do
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          and_return(true)
 
-        it "does not change forbidden attributes" do
-          expect {
-            subject
-          }.to_not change{ order.reload.number }
-        end
+        allow(Spree::Order).to receive(:find_by!).
+          with(number: order.number).
+          and_return(order)
 
-        context 'creating payment' do
-          let(:order_params) { super().merge(payments_attributes: [{ payment_method_id: payment_method.id }]) }
+        allow(Spree.user_class).to receive(:find).
+          with(user.id).
+          and_return(user)
 
-          context "with allowed payment method" do
-            let!(:payment_method) { create(:check_payment_method, name: "allowed" ) }
-            it { is_expected.to be_success }
-            it "creates a payment" do
-              expect {
-                subject
-              }.to change { Spree::Payment.count }.by(1)
-            end
-          end
+        allow_any_instance_of(Spree::Ability).to receive(:can?).
+          with(:admin, Spree::Order).
+          and_return(can_admin)
+      end
 
-          context "with disallowed payment method" do
-            let!(:payment_method) { create(:check_payment_method, name: "forbidden", display_on: "back_end") }
-            it { is_expected.to be_not_found }
-            it "creates no payments" do
-              expect {
-                subject
-              }.not_to change { Spree::Payment.count }
-            end
-          end
-        end
+      it "updates the cart contents" do
+        expect(order.contents).to receive(:update_cart).
+          once.
+          with({"email" => "foo@foobar.com"})
+        subject
       end
 
+      it { is_expected.to be_success }
+
       context "when the user can administer the order" do
-        stub_authorization! do |_|
-          can [:admin, :update], Spree::Order
-        end
+        let(:can_admin) { true }
 
         it "will associate users" do
-          expect {
-            subject
-          }.to change { order.reload.user }.to(user)
+          expect(order).to receive(:associate_user!).
+            once.
+            with(user)
+
+          subject
         end
 
         it "updates the otherwise forbidden attributes" do
@@ -163,6 +123,17 @@ module Spree
             to("anothernumber")
         end
       end
+
+      context "when the user cannot administer the order" do
+        it "does not associate users" do
+          expect(order).to_not receive(:associate_user!)
+          subject
+        end
+
+        it "does not change forbidden attributes" do
+          expect{subject}.to_not change{order.reload.number}
+        end
+      end
     end
 
     it "cannot view all orders" do
@@ -214,9 +185,9 @@ module Spree
       end
 
       it "returns orders in reverse chronological order by completed_at" do
-        order.update_columns completed_at: Time.now
+        order.update_columns completed_at: Time.current
 
-        order2 = Order.create user: order.user, completed_at: Time.now - 1.day, store: store
+        order2 = Order.create user: order.user, completed_at: Time.current - 1.day, store: store
         expect(order2.created_at).to be > order.created_at
         order3 = Order.create user: order.user, completed_at: nil, store: store
         expect(order3.created_at).to be > order2.created_at
@@ -313,7 +284,7 @@ module Spree
       expect(json_response["checkout_steps"]).to eq(%w[address delivery confirm complete])
     end
 
-    # Regression test for #1992
+    # Regression test for https://github.com/spree/spree/issues/1992
     it "can view an order not in a standard state" do
       allow_any_instance_of(Order).to receive_messages :user => current_api_user
       order.update_column(:state, 'shipped')
@@ -350,7 +321,7 @@ module Spree
     end
 
     it "cannot cancel an order that doesn't belong to them" do
-      order.update_attribute(:completed_at, Time.now)
+      order.update_attribute(:completed_at, Time.current)
       order.update_attribute(:shipment_state, "ready")
       api_put :cancel, :id => order.to_param
       assert_unauthorized!
@@ -379,15 +350,18 @@ module Spree
       expect(json_response['email']).to eq "guest@spreecommerce.com"
     end
 
-    # Regression test for #3404
+    # Regression test for https://github.com/spree/spree/issues/3404
     it "can specify additional parameters for a line item" do
-      expect_any_instance_of(Spree::LineItem).to receive(:special=).with("foo")
+      expect(Order).to receive(:create!).and_return(order = Spree::Order.new)
+      allow(order).to receive(:associate_user!)
+      allow(order).to receive_message_chain(:contents, :add).and_return(line_item = double('LineItem'))
+      expect(line_item).to receive(:update_attributes!).with("special" => true)
 
       allow(controller).to receive_messages(permitted_line_item_attributes: [:id, :variant_id, :quantity, :special])
       api_post :create, :order => {
         :line_items => {
           "0" => {
-            variant_id: variant.to_param, quantity: 5, special: "foo"
+            :variant_id => variant.to_param, :quantity => 5, :special => true
           }
         }
       }
@@ -418,7 +392,7 @@ module Spree
     end
 
     it "can create an order without any parameters" do
-      expect { api_post :create }.not_to raise_error
+      api_post :create
       expect(response.status).to eq(201)
       expect(json_response["state"]).to eq("cart")
     end
@@ -628,7 +602,7 @@ module Spree
             expect(json_response["shipments"]).not_to be_empty
             shipment = json_response["shipments"][0]
             # Test for correct shipping method attributes
-            # Regression test for #3206
+            # Regression test for https://github.com/spree/spree/issues/3206
             expect(shipment["shipping_methods"]).not_to be_nil
             json_shipping_method = shipment["shipping_methods"][0]
             expect(json_shipping_method["id"]).to eq(shipping_method.id)
@@ -638,7 +612,7 @@ module Spree
             expect(json_shipping_method["shipping_categories"]).not_to be_empty
 
             # Test for correct shipping rates attributes
-            # Regression test for #3206
+            # Regression test for https://github.com/spree/spree/issues/3206
             expect(shipment["shipping_rates"]).not_to be_nil
             shipping_rate = shipment["shipping_rates"][0]
             expect(shipping_rate["name"]).to eq(json_shipping_method["name"])
@@ -709,7 +683,7 @@ module Spree
           expect(json_response["pages"]).to eq(1)
         end
 
-        # Test for #1763
+        # Test for https://github.com/spree/spree/issues/1763
         it "can control the page size through a parameter" do
           api_get :index, :per_page => 1
           expect(json_response["orders"].count).to eq(1)
@@ -741,7 +715,7 @@ module Spree
 
       context "creation" do
         it "can create an order without any parameters" do
-          expect { api_post :create }.not_to raise_error
+          api_post :create
           expect(response.status).to eq(201)
           order = Order.last
           expect(json_response["state"]).to eq("cart")
@@ -780,7 +754,7 @@ module Spree
         before do
           Spree::Config[:mails_from] = "spree@example.com"
 
-          order.completed_at = Time.now
+          order.completed_at = Time.current
           order.state = 'complete'
           order.shipment_state = 'ready'
           order.save!

data/spec/controllers/spree/api/payments_controller_spec.rb

@@ -43,17 +43,6 @@ module Spree
             expect(response.status).to eq(201)
             expect(json_response).to have_attributes(attributes)
           end
-
-          context "disallowed payment method" do
-            it "does not create a new payment" do
-              PaymentMethod.first.update!(display_on: "back_end")
-
-              expect {
-                api_post :create, payment: { payment_method_id: PaymentMethod.first.id, amount: 50 }
-              }.not_to change { Spree::Payment.count }
-              expect(response.status).to eq(404)
-            end
-          end
         end
 
         context "payment source is required" do

data/spec/controllers/spree/api/products_controller_spec.rb

@@ -6,7 +6,7 @@ module Spree
     render_views
 
     let!(:product) { create(:product) }
-    let!(:inactive_product) { create(:product, available_on: Time.now.tomorrow, name: "inactive") }
+    let!(:inactive_product) { create(:product, available_on: Time.current.tomorrow, name: "inactive") }
     let(:base_attributes) { Api::ApiHelpers.product_attributes }
     let(:show_attributes) { base_attributes.dup.push(:has_variants) }
     let(:new_attributes) { base_attributes }
@@ -222,7 +222,7 @@ module Spree
         expect(json_response["pages"]).to eq(1)
       end
 
-      # Regression test for #1626
+      # Regression test for https://github.com/spree/spree/issues/1626
       context "deleted products" do
         before do
           create(:product, :deleted_at => 1.day.ago)
@@ -305,14 +305,14 @@ module Spree
           expect(json_response["taxon_ids"]).to eq([taxon_1.id,])
         end
 
-        # Regression test for #4123
+        # Regression test for https://github.com/spree/spree/issues/4123
         it "puts the created product in the given taxons" do
           product_data[:taxon_ids] = [taxon_1.id, taxon_2.id].join(',')
           api_post :create, :product => product_data
           expect(json_response["taxon_ids"]).to eq([taxon_1.id, taxon_2.id])
         end
 
-        # Regression test for #2140
+        # Regression test for https://github.com/spree/spree/issues/2140
         context "with authentication_required set to false" do
           before do
             Spree::Api::Config.requires_authentication = false
@@ -334,8 +334,7 @@ module Spree
           expect(response.status).to eq(422)
           expect(json_response["error"]).to eq("Invalid resource. Please fix errors and try again.")
           errors = json_response["errors"]
-          errors.delete("slug") # Don't care about this one.
-          expect(errors.keys).to match_array(["name", "price", "shipping_category_id"])
+          expect(errors.keys).to include("name", "price", "shipping_category_id")
         end
       end
 
@@ -392,13 +391,13 @@ module Spree
           expect(json_response["errors"]["name"]).to eq(["can't be blank"])
         end
 
-        # Regression test for #4123
+        # Regression test for https://github.com/spree/spree/issues/4123
         it "puts the created product in the given taxon" do
           api_put :update, :id => product.to_param, :product => {:taxon_ids => taxon_1.id.to_s}
           expect(json_response["taxon_ids"]).to eq([taxon_1.id])
         end
 
-        # Regression test for #4123
+        # Regression test for https://github.com/spree/spree/issues/4123
         it "puts the created product in the given taxons" do
           api_put :update, :id => product.to_param, :product => {:taxon_ids => [taxon_1.id, taxon_2.id].join(',')}
           expect(json_response["taxon_ids"]).to match_array([taxon_1.id, taxon_2.id])

data/spec/controllers/spree/api/shipments_controller_spec.rb

@@ -14,12 +14,27 @@ describe Spree::Api::ShipmentsController, :type => :controller do
   context "as a non-admin" do
     it "cannot make a shipment ready" do
       api_put :ready
-      assert_not_found!
+      assert_unauthorized!
     end
 
     it "cannot make a shipment shipped" do
       api_put :ship
-      assert_not_found!
+      assert_unauthorized!
+    end
+
+    it "cannot remove order contents from shipment" do
+      api_put :remove
+      assert_unauthorized!
+    end
+
+    it "cannot add contents to the shipment" do
+      api_put :add
+      assert_unauthorized!
+    end
+
+    it "cannot update the shipment" do
+      api_put :update
+      assert_unauthorized!
     end
   end
 
@@ -220,7 +235,7 @@ describe Spree::Api::ShipmentsController, :type => :controller do
           subject
           shipment.reload
           expect(shipment.state).to eq 'shipped'
-          expect(shipment.shipped_at.to_i).to eq Time.now.to_i
+          expect(shipment.shipped_at.to_i).to eq Time.current.to_i
         end
       end
 
@@ -279,9 +294,9 @@ describe Spree::Api::ShipmentsController, :type => :controller do
         }.not_to change(shipment, :shipped_at)
       end
 
-      it "responds with a 404" do
+      it "responds with a 401" do
         subject
-        expect(response).to be_not_found
+        expect(response).to be_unauthorized
       end
     end
   end

data/spec/controllers/spree/api/stock_transfers_controller_spec.rb

@@ -52,7 +52,7 @@ module Spree
 
           before do
             stock_transfer.finalize(user)
-            stock_transfer.ship(shipped_at: Time.now)
+            stock_transfer.ship(shipped_at: Time.current)
             stock_transfer.source_location.stock_item(transfer_item.variant_id).set_count_on_hand(0)
           end
 

data/spec/controllers/spree/api/taxons_controller_spec.rb

@@ -27,7 +27,7 @@ module Spree
         expect(children.first['taxons'].count).to eq 1
       end
 
-      # Regression test for #4112
+      # Regression test for https://github.com/spree/spree/issues/4112
       it "does not include children when asked not to" do
         api_get :index, :taxonomy_id => taxonomy.id, :without_children => 1
 

data/spec/controllers/spree/api/transfer_items_controller_spec.rb

@@ -134,7 +134,7 @@ module Spree
 
         context "has been finalized" do
           before do
-            stock_transfer.update_attributes(finalized_at: Time.now)
+            stock_transfer.update_attributes(finalized_at: Time.current)
           end
 
           it "returns an error status code" do

data/spec/controllers/spree/api/variants_controller_spec.rb

@@ -72,10 +72,10 @@ module Spree
 
       end
 
-      # Regression test for #2141
+      # Regression test for https://github.com/spree/spree/issues/2141
       context "a deleted variant" do
         before do
-          variant.update_column(:deleted_at, Time.now)
+          variant.update_column(:deleted_at, Time.current)
         end
 
         it "is not returned in the results" do
@@ -223,10 +223,10 @@ module Spree
       sign_in_as_admin!
       let(:resource_scoping) { { :product_id => variant.product.to_param } }
 
-      # Test for #2141
+      # Test for https://github.com/spree/spree/issues/2141
       context "deleted variants" do
         before do
-          variant.update_column(:deleted_at, Time.now)
+          variant.update_column(:deleted_at, Time.current)
         end
 
         it "are visible by admin" do

data/spec/models/spree/legacy_user_spec.rb

@@ -26,29 +26,75 @@ module Spree
       expect { user.clear_spree_api_key }.to change(user, :spree_api_key).to be_blank
     end
 
-    context "admin role auto-api-key grant" do # so the admin user can do admin api actions
-      let(:user) { create(:user) }
-      before { expect(user.spree_roles).to be_blank }
-      subject { user.spree_roles << role }
+    context "auto-api-key grant" do
+      context "after role user create" do
+        let(:user) { create(:user) }
+        before { expect(user.spree_roles).to be_blank }
+        subject { user.spree_roles << role }
 
-      context "admin role" do
-        let(:role) { create(:role, name: "admin") }
+        context "roles_for_auto_api_key default" do
+          let(:role) { create(:role, name: "admin") }
+
+          context "the user has no api key" do
+            before { user.clear_spree_api_key! }
+            it { expect { subject }.to change { user.reload.spree_api_key }.from(nil) }
+          end
+
+          context "the user already has an api key" do
+            before { user.generate_spree_api_key! }
+            it { expect { subject }.not_to change { user.reload.spree_api_key } }
+          end
+        end
+
+        context "roles_for_auto_api_key is defined" do
+          let (:role) { create(:role, name: 'hobbit') }
+          let(:undesired_role) { create(:role, name: "foo") }
+
+          before {
+            user.clear_spree_api_key!
+            Spree::Config.roles_for_auto_api_key = ['hobbit']
+          }
 
-        context "the user has no api key" do
-          before { user.clear_spree_api_key! }
           it { expect { subject }.to change { user.reload.spree_api_key }.from(nil) }
+          it { expect { user.spree_roles << undesired_role }.not_to change { user.reload.spree_api_key } }
         end
 
-        context "the user already has an api key" do
-          before { user.generate_spree_api_key! }
-          it { expect { subject }.not_to change { user.reload.spree_api_key } }
+        context "for all roles" do
+          let (:role) { create(:role, name: 'hobbit') }
+          let (:other_role) { create(:role, name: 'wizard') }
+          let (:other_user) { create(:user) }
+
+          before {
+            user.clear_spree_api_key!
+            other_user.clear_spree_api_key!
+            Spree::Config.generate_api_key_for_all_roles = true
+          }
+
+          it { expect { subject }.to change { user.reload.spree_api_key }.from(nil) }
+          it { expect { other_user.spree_roles << other_role }.to change { other_user.reload.spree_api_key }.from(nil) }
         end
       end
 
-      context "non-admin role" do
-        let(:role) { create(:role, name: "foo") }
-        before { user.clear_spree_api_key! }
-        it { expect { subject }.not_to change { user.reload.spree_api_key } }
+      context "after user create" do
+        let(:user) { LegacyUser.new }
+
+        context "generate_api_key_for_all_roles" do
+          it "does not grant api key default" do
+            expect(user.spree_api_key).to eq(nil)
+
+            user.save!
+            expect(user.spree_api_key).to eq(nil)
+          end
+
+          it "grants an api key on create when set to true" do
+            Spree::Config.generate_api_key_for_all_roles = true
+
+            expect(user.spree_api_key).to eq(nil)
+
+            user.save!
+            expect(user.spree_api_key).not_to eq(nil)
+          end
+        end
       end
     end
   end

data/spec/spec_helper.rb

@@ -30,7 +30,6 @@ Dir[File.dirname(__FILE__) + "/support/**/*.rb"].each {|f| require f}
 
 require 'spree/testing_support/factories'
 require 'spree/testing_support/preferences'
-require 'spree/testing_support/authorization_helpers'
 
 require 'spree/api/testing_support/caching'
 require 'spree/api/testing_support/helpers'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_api
 version: !ruby/object:Gem::Version
-  version: 1.1.4
+  version: 1.2.0.beta1
 platform: ruby
 authors:
 - Solidus Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-12-12 00:00:00.000000000 Z
+date: 2016-01-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: solidus_core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.4
+        version: 1.2.0.beta1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.4
+        version: 1.2.0.beta1
 - !ruby/object:Gem::Dependency
   name: rabl
   requirement: !ruby/object:Gem::Requirement
@@ -279,12 +279,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: REST API for the Solidus e-commerce framework.