solidus_api 2.10.1 → 2.10.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 37c6c38d0717708d6c9949df354f48f7c86c45a1f9a6100489959c566b1baa27
-  data.tar.gz: a60e6f0ec9eeb721e3744527d4ca20ad5682889d20ac5d689af88eef5949d7c6
+  metadata.gz: b7afcbef6dfdc19f02d26c7b3e410f072dc0d6be5a5b7d476b64b3725b1b24b7
+  data.tar.gz: ac898e6b9d5df7e526a5cd9af63a240aed5e2ab46c7ac75ca583b0fb7eb599b1
 SHA512:
-  metadata.gz: 705cef07a794cfce8a220a5a0010a70d7f6d6dd4740f0bc0c640002814581f0de14c99f57255c36d9fbedcee6d7bbdb80fefef88f9e4b392d732667c870585bb
-  data.tar.gz: b019d1f77b2fe581040fc4978486e7338880d33cdad57c1ed9c824705bd699c659b36ece692aff9be6204385cc178a4ec20a089f5bbf1076abfb9c4adbd9e0a8
+  metadata.gz: ce175516b04998e778b53e3d1ae47fc1a04c2ef4146a68000bc8745d5e267e423054d0e96fb1b02a03fa26ac186210012b84b54fa7592d15df7cf4fcf8e8d39a
+  data.tar.gz: 197562fcd0ea03c6593c21bfb8cb6f8d2424c6ddc3b12cbbc5b83a501976fe724c448a341de063a630daa3cb0f1309687503f5f35ee27536ad4d0a715392c3ea

data/app/controllers/spree/api/checkouts_controller.rb

@@ -76,11 +76,24 @@ module Spree
       end
 
       def update_params
-        if update_params = massaged_params[:order]
-          update_params.permit(permitted_checkout_attributes)
+        state = @order.state
+        case state.to_sym
+        when :cart, :address
+          massaged_params.fetch(:order, {}).permit(
+            permitted_checkout_address_attributes
+          )
+        when :delivery
+          massaged_params.require(:order).permit(
+            permitted_checkout_delivery_attributes
+          )
+        when :payment
+          massaged_params.require(:order).permit(
+            permitted_checkout_payment_attributes
+          )
         else
-          # We current allow update requests without any parameters in them.
-          {}
+          massaged_params.fetch(:order, {}).permit(
+            permitted_checkout_confirm_attributes
+          )
         end
       end
 

data/app/controllers/spree/api/orders_controller.rb

@@ -130,7 +130,13 @@ module Spree
       end
 
       def normalize_params
-        params[:order][:payments_attributes] = params[:order].delete(:payments) if params[:order][:payments]
+        if params[:order][:payments]
+          payments_params = params[:order].delete(:payments)
+          params[:order][:payments_attributes] = payments_params.map do |payment_params|
+            payment_params[:source_attributes] = payment_params.delete(:source) if payment_params[:source].present?
+            payment_params
+          end
+        end
         params[:order][:shipments_attributes] = params[:order].delete(:shipments) if params[:order][:shipments]
         params[:order][:line_items_attributes] = params[:order].delete(:line_items) if params[:order][:line_items]
         params[:order][:ship_address_attributes] = params[:order].delete(:ship_address) if params[:order][:ship_address].present?

data/openapi/api.oas2.yml

@@ -545,7 +545,7 @@ paths:
         - Variants
       security:
         - api-key: []
-    post:
+    put:
       responses:
         '200':
           description: ''
@@ -4264,7 +4264,7 @@ paths:
         type: string
         required: true
   '/shipments/{shipment_number}/select_shipping_method':
-    get:
+    put:
       responses:
         '200':
           description: ''
@@ -4553,10 +4553,13 @@ paths:
         - Products
       parameters:
         - in: query
-          name: taxon_id
+          name: id
           type: integer
         - $ref: '#/parameters/page'
         - $ref: '#/parameters/per_page'
+        - type: boolean
+          in: query
+          name: simple
       security:
         - api-key: []
 schemes:

data/spec/requests/spree/api/checkouts_controller_spec.rb

@@ -172,6 +172,7 @@ module Spree
       end
 
       describe 'setting the payment amount' do
+        let(:order) { create(:order_with_line_items, state: :payment) }
         let(:params) do
           {
             order_token: order.guest_token,
@@ -322,17 +323,44 @@ module Spree
         end
       end
 
+      it "cannot update attributes of another step" do
+        order.update_column(:state, "payment")
+
+        params = {
+          order_token: order.guest_token,
+          order: {
+            payments_attributes: [
+              {
+                payment_method_id: @payment_method.id.to_s,
+                source_attributes: attributes_for(:credit_card)
+              }
+            ],
+            ship_address_attributes: {
+              zipcode: 'MALICIOUS ZIPCODE'
+            }
+          }
+        }
+        expect do
+          put spree.api_checkout_path(order), params: params
+        end.not_to change { order.reload.ship_address.zipcode }
+        expect(response.status).to eq(200)
+      end
+
       it "returns the order if the order is already complete" do
         order.update_columns(completed_at: Time.current, state: 'complete')
         put spree.api_checkout_path(order.to_param), params: { order_token: order.guest_token }
         assert_unauthorized!
       end
 
-      # Regression test for https://github.com/spree/spree/issues/3784
-      it "can update the special instructions for an order" do
-        instructions = "Don't drop it. (Please)"
-        put spree.api_checkout_path(order.to_param), params: { order_token: order.guest_token, order: { special_instructions: instructions } }
-        expect(json_response['special_instructions']).to eql(instructions)
+      context "in delivery state" do
+        let(:order) { create(:order_with_line_items, state: :delivery) }
+
+        # Regression test for https://github.com/spree/spree/issues/3784
+        it "can update the special instructions for an order" do
+          instructions = "Don't drop it. (Please)"
+          put spree.api_checkout_path(order.to_param), params: { order_token: order.guest_token, order: { special_instructions: instructions } }
+          expect(json_response['special_instructions']).to eql(instructions)
+        end
       end
 
       context "as an admin" do

data/spec/requests/spree/api/orders_controller_spec.rb

@@ -156,6 +156,7 @@ module Spree
         end
 
         context 'creating payment' do
+          let!(:order) { create(:order_with_line_items) }
           let(:order_params) { super().merge(payments_attributes: [{ payment_method_id: payment_method.id }]) }
 
           context "with allowed payment method" do
@@ -166,6 +167,28 @@ module Spree
                 subject
               }.to change { Spree::Payment.count }.by(1)
             end
+
+            context 'trying to change the address' do
+              let(:order_params) do
+                super().merge(
+                  ship_address_attributes: {
+                    zipcode: '90100'
+                  }
+                )
+              end
+
+              it 'changes the address' do
+                expect {
+                  subject
+                }.to change { order.reload.ship_address.zipcode }
+              end
+
+              it 'invalidates the shipments' do
+                expect {
+                  subject
+                }.to change { order.reload.shipments }.to([])
+              end
+            end
           end
 
           context "with disallowed payment method" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_api
 version: !ruby/object:Gem::Version
-  version: 2.10.1
+  version: 2.10.2
 platform: ruby
 authors:
 - Solidus Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-14 00:00:00.000000000 Z
+date: 2020-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jbuilder
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.10.1
+        version: 2.10.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.10.1
+        version: 2.10.2
 description: REST API for the Solidus e-commerce framework.
 email: contact@solidus.io
 executables: []