solidus_api 2.10.3 → 2.11.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5c84c03d908227e7072721b7a0a268e296c85606bd4b8f08dc538e052e6d8393
-  data.tar.gz: 3d4dcc56d49982aa91a6f73d86ac9ed6db4689c4e9b8a5e3fdfe846b91f94c57
+  metadata.gz: 75de9120186ffc6697dacf05b5df0ca7b531edffbb6c7c765e268ca3af3b4a35
+  data.tar.gz: b658c71252435588cf5b5d05fa168238e24088f20e40f6fec15f2acaf70f6cc1
 SHA512:
-  metadata.gz: 820e2d062e1ef2799bb70d5e67a25913ea0bfd0369a7934e6d22fe986a92a769b9a9b647f44f29842d34dec0f75988cf4172cf2ea5f41e30e2c866998718f45c
-  data.tar.gz: d53e4197d27d38b015146a71566a42b2e916134647fc4017ebdd123144bfd721b09897f40e67816d643d1f5fc2d1db2c1c074a35576a32d061fb3998c92aede1
+  metadata.gz: 7712941de737d98173d1b636e05b4085049bbaf66ed5440cdfc60f95ca411a4ca1abf66802772c76d7313704898865b05154b226d959af88332878009aed6cae
+  data.tar.gz: e4786bca23b4766c3af2a4872b74d0602f601fc0371ec97901297636d0916a90f9d03e22a850238f9179b2ee5ba0f4302dcefbfe0402f93abeb07dfc93c89447

data/README.md

@@ -20,9 +20,9 @@ If you want to contribute, you can use [Stoplight Studio][studio]. Simply
 follow these steps:
 
 1. Create a new Stoplight Studio project
-2. Copy-paste the content of `openapi/api.oas2.yml` into your project
+2. Copy-paste the content of `openapi/solidus-api.oas.yml` into your project
 3. Edit the endpoints and models as needed
-4. Copy-paste the result back into `openapi/api.oas2.yml`
+4. Copy-paste the result back into `openapi/solidus-api.oas.yml`
 5. Open a PR!
 
 **Note: Only use embedded models in Stoplight Studio, as Stoplight Docs is

data/app/controllers/spree/api/addresses_controller.rb

@@ -6,7 +6,7 @@ module Spree
       before_action :find_order
 
       def show
-        authorize! :read, @order, order_token
+        authorize! :show, @order, order_token
         find_address
         respond_with(@address)
       end

data/app/controllers/spree/api/base_controller.rb

@@ -10,6 +10,7 @@ module Spree
       protect_from_forgery unless: -> { request.format.json? }
 
       include CanCan::ControllerAdditions
+      include Spree::Core::ControllerHelpers::CurrentHost
       include Spree::Core::ControllerHelpers::Store
       include Spree::Core::ControllerHelpers::Pricing
       include Spree::Core::ControllerHelpers::StrongParameters
@@ -28,6 +29,7 @@ module Spree
       rescue_from ActiveRecord::RecordNotFound, with: :not_found
       rescue_from CanCan::AccessDenied, with: :unauthorized
       rescue_from Spree::Core::GatewayError, with: :gateway_error
+      rescue_from StateMachines::InvalidTransition, with: :invalid_transition
 
       helper Spree::Api::ApiHelpers
 
@@ -74,9 +76,10 @@ module Spree
       end
 
       def parameter_missing_error(exception)
+        message = exception.original_message || exception.message
         render json: {
-          exception: exception.message,
-          error: exception.message,
+          exception: message,
+          error: message,
           missing_param: exception.param
         }, status: :unprocessable_entity
       end
@@ -133,13 +136,13 @@ module Spree
 
       def product_scope
         if can?(:admin, Spree::Product)
-          scope = Spree::Product.with_deleted.accessible_by(current_ability, :read).includes(*product_includes)
+          scope = Spree::Product.with_discarded.accessible_by(current_ability).includes(*product_includes)
 
           unless params[:show_deleted]
             scope = scope.not_deleted
           end
         else
-          scope = Spree::Product.accessible_by(current_ability, :read).available.includes(*product_includes)
+          scope = Spree::Product.accessible_by(current_ability).available.includes(*product_includes)
         end
 
         scope
@@ -159,7 +162,7 @@ module Spree
 
       def authorize_for_order
         @order = Spree::Order.find_by(number: order_id)
-        authorize! :read, @order, order_token
+        authorize! :show, @order, order_token
       end
 
       def lock_order
@@ -188,6 +191,12 @@ module Spree
       def default_per_page
         Kaminari.config.default_per_page
       end
+
+      def invalid_transition(error)
+        logger.error("invalid_transition #{error.event} from #{error.from} for #{error.object.class.name}. Error: #{error.inspect}")
+
+        render "spree/api/errors/could_not_transition", locals: { resource: error.object }, status: :unprocessable_entity
+      end
     end
   end
 end

data/app/controllers/spree/api/checkouts_controller.rb

@@ -20,12 +20,8 @@ module Spree
           respond_with(@order, default_template: 'spree/api/orders/expected_total_mismatch', status: 400)
           return
         end
-        authorize! :update, @order, order_token
         @order.next!
         respond_with(@order, default_template: 'spree/api/orders/show', status: 200)
-      rescue StateMachines::InvalidTransition => error
-        logger.error("invalid_transition #{error.event} from #{error.from} for #{error.object.class.name}. Error: #{error.inspect}")
-        respond_with(@order, default_template: 'spree/api/orders/could_not_transition', status: 422)
       end
 
       def advance
@@ -42,9 +38,6 @@ module Spree
           @order.complete!
           respond_with(@order, default_template: 'spree/api/orders/show', status: 200)
         end
-      rescue StateMachines::InvalidTransition => error
-        logger.error("invalid_transition #{error.event} from #{error.from} for #{error.object.class.name}. Error: #{error.inspect}")
-        respond_with(@order, default_template: 'spree/api/orders/could_not_transition', status: 422)
       end
 
       def update
@@ -57,12 +50,9 @@ module Spree
 
           return if after_update_attributes
 
-          if @order.completed? || @order.next
+          if @order.completed? || @order.next!
             state_callback(:after)
             respond_with(@order, default_template: 'spree/api/orders/show')
-          else
-            logger.error("failed_to_transition_errors=#{@order.errors.full_messages}")
-            respond_with(@order, default_template: 'spree/api/orders/could_not_transition', status: 422)
           end
         else
           invalid_resource!(@order)

data/app/controllers/spree/api/countries_controller.rb

@@ -7,7 +7,7 @@ module Spree
 
       def index
         @countries = Spree::Country.
-          accessible_by(current_ability, :read).
+          accessible_by(current_ability).
           ransack(params[:q]).
           result.
           order('name ASC')
@@ -21,7 +21,7 @@ module Spree
       end
 
       def show
-        @country = Spree::Country.accessible_by(current_ability, :read).find(params[:id])
+        @country = Spree::Country.accessible_by(current_ability, :show).find(params[:id])
         respond_with(@country)
       end
     end

data/app/controllers/spree/api/credit_cards_controller.rb

@@ -9,7 +9,7 @@ module Spree
       def index
         @credit_cards = user
           .credit_cards
-          .accessible_by(current_ability, :read)
+          .accessible_by(current_ability)
           .with_payment_profile
           .ransack(params[:q]).result
 
@@ -29,7 +29,7 @@ module Spree
 
       def user
         if params[:user_id].present?
-          @user ||= Spree.user_class.accessible_by(current_ability, :read).find(params[:user_id])
+          @user ||= Spree.user_class.accessible_by(current_ability, :show).find(params[:user_id])
         end
       end
 

data/app/controllers/spree/api/customer_returns_controller.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Spree
+  module Api
+    class CustomerReturnsController < Spree::Api::BaseController
+      before_action :load_order
+      around_action :lock_order, only: [:create, :update, :destroy, :cancel]
+
+      rescue_from Spree::Order::InsufficientStock, with: :insufficient_stock_error
+
+      def create
+        authorize! :create, CustomerReturn
+        @customer_return = CustomerReturn.create(customer_return_params)
+        if @customer_return.save
+          respond_with(@customer_return, status: 201, default_template: :show)
+        else
+          invalid_resource!(@customer_return)
+        end
+      end
+
+      def index
+        authorize! :index, CustomerReturn
+
+        @customer_returns = @order.
+          customer_returns.
+          accessible_by(current_ability).
+          ransack(params[:q]).
+          result
+
+        @customer_returns = paginate(@customer_returns)
+
+        respond_with(@customer_returns)
+      end
+
+      def new
+        authorize! :new, CustomerReturn
+      end
+
+      def show
+        authorize! :show, CustomerReturn
+        @customer_return = @order.customer_returns.accessible_by(current_ability, :show).find(params[:id])
+        respond_with(@customer_return)
+      end
+
+      def update
+        authorize! :update, CustomerReturn
+        @customer_return = @order.customer_returns.accessible_by(current_ability, :update).find(params[:id])
+        if @customer_return.update(customer_return_params)
+          respond_with(@customer_return.reload, default_template: :show)
+        else
+          invalid_resource!(@customer_return)
+        end
+      end
+
+      private
+
+      def load_order
+        @order ||= Spree::Order.find_by!(number: order_id)
+        authorize! :show, @order
+      end
+
+      def customer_return_params
+        params.require(:customer_return).permit(permitted_customer_return_attributes)
+      end
+    end
+  end
+end

data/app/controllers/spree/api/images_controller.rb

@@ -4,12 +4,12 @@ module Spree
   module Api
     class ImagesController < Spree::Api::BaseController
       def index
-        @images = scope.images.accessible_by(current_ability, :read)
+        @images = scope.images.accessible_by(current_ability)
         respond_with(@images)
       end
 
       def show
-        @image = Spree::Image.accessible_by(current_ability, :read).find(params[:id])
+        @image = scope.images.accessible_by(current_ability, :show).find(params[:id])
         respond_with(@image)
       end
 
@@ -20,13 +20,13 @@ module Spree
       end
 
       def update
-        @image = Spree::Image.accessible_by(current_ability, :update).find(params[:id])
+        @image = scope.gallery.images.accessible_by(current_ability, :update).find(params[:id])
         @image.update(image_params)
         respond_with(@image, default_template: :show)
       end
 
       def destroy
-        @image = Spree::Image.accessible_by(current_ability, :destroy).find(params[:id])
+        @image = scope.images.accessible_by(current_ability, :destroy).find(params[:id])
         @image.destroy
         respond_with(@image, status: 204)
       end

data/app/controllers/spree/api/inventory_units_controller.rb

@@ -26,7 +26,7 @@ module Spree
       private
 
       def inventory_unit
-        @inventory_unit ||= Spree::InventoryUnit.accessible_by(current_ability, :read).find(params[:id])
+        @inventory_unit ||= Spree::InventoryUnit.accessible_by(current_ability, :show).find(params[:id])
       end
 
       def prepare_event

data/app/controllers/spree/api/option_types_controller.rb

@@ -5,15 +5,15 @@ module Spree
     class OptionTypesController < Spree::Api::BaseController
       def index
         if params[:ids]
-          @option_types = Spree::OptionType.includes(:option_values).accessible_by(current_ability, :read).where(id: params[:ids].split(','))
+          @option_types = Spree::OptionType.includes(:option_values).accessible_by(current_ability).where(id: params[:ids].split(','))
         else
-          @option_types = Spree::OptionType.includes(:option_values).accessible_by(current_ability, :read).load.ransack(params[:q]).result
+          @option_types = Spree::OptionType.includes(:option_values).accessible_by(current_ability).load.ransack(params[:q]).result
         end
         respond_with(@option_types)
       end
 
       def show
-        @option_type = Spree::OptionType.accessible_by(current_ability, :read).find(params[:id])
+        @option_type = Spree::OptionType.accessible_by(current_ability, :show).find(params[:id])
         respond_with(@option_type)
       end
 

data/app/controllers/spree/api/option_values_controller.rb

@@ -46,9 +46,9 @@ module Spree
 
       def scope
         if params[:option_type_id]
-          @scope ||= Spree::OptionType.find(params[:option_type_id]).option_values.accessible_by(current_ability, :read)
+          @scope ||= Spree::OptionType.find(params[:option_type_id]).option_values.accessible_by(current_ability)
         else
-          @scope ||= Spree::OptionValue.accessible_by(current_ability, :read).load
+          @scope ||= Spree::OptionValue.accessible_by(current_ability).load
         end
       end
 

data/app/controllers/spree/api/orders_controller.rb

@@ -53,7 +53,7 @@ module Spree
       end
 
       def index
-        authorize! :index, Order
+        authorize! :admin, Order
         orders_includes = [
           { user: :store_credits },
           :line_items,

data/app/controllers/spree/api/payments_controller.rb

@@ -62,7 +62,7 @@ module Spree
 
       def find_order
         @order = Spree::Order.find_by(number: order_id)
-        authorize! :read, @order, order_token
+        authorize! :show, @order, order_token
       end
 
       def find_payment

data/app/controllers/spree/api/product_properties_controller.rb

@@ -9,7 +9,7 @@ module Spree
       def index
         @product_properties = @product.
           product_properties.
-          accessible_by(current_ability, :read).
+          accessible_by(current_ability).
           ransack(params[:q]).
           result
 
@@ -36,9 +36,8 @@ module Spree
       end
 
       def update
-        if @product_property
-          authorize! :update, @product_property
-          @product_property.update(product_property_params)
+        authorize! :update, @product_property
+        if @product_property.update(product_property_params)
           respond_with(@product_property, status: 200, default_template: :show)
         else
           invalid_resource!(@product_property)
@@ -46,27 +45,23 @@ module Spree
       end
 
       def destroy
-        if @product_property
-          authorize! :destroy, @product_property
-          @product_property.destroy
-          respond_with(@product_property, status: 204)
-        else
-          invalid_resource!(@product_property)
-        end
+        authorize! :destroy, @product_property
+        @product_property.destroy
+        respond_with(@product_property, status: 204)
       end
 
       private
 
       def find_product
         @product = super(params[:product_id])
-        authorize! :read, @product
+        authorize! :show, @product
       end
 
       def product_property
         if @product
           @product_property ||= @product.product_properties.find_by(id: params[:id])
-          @product_property ||= @product.product_properties.includes(:property).where(spree_properties: { name: params[:id] }).first
-          authorize! :read, @product_property
+          @product_property ||= @product.product_properties.includes(:property).where(spree_properties: { name: params[:id] }).first!
+          authorize! :show, @product_property
         end
       end
 

data/app/controllers/spree/api/promotions_controller.rb

@@ -3,26 +3,17 @@
 module Spree
   module Api
     class PromotionsController < Spree::Api::BaseController
-      before_action :requires_admin
       before_action :load_promotion
 
       def show
-        if @promotion
-          respond_with(@promotion, default_template: :show)
-        else
-          raise ActiveRecord::RecordNotFound
-        end
+        authorize! :show, @promotion
+        respond_with(@promotion, default_template: :show)
       end
 
       private
 
-      def requires_admin
-        return if @current_user_roles.include?("admin")
-        unauthorized && return
-      end
-
       def load_promotion
-        @promotion = Spree::Promotion.find_by(id: params[:id]) || Spree::Promotion.with_coupon_code(params[:id])
+        @promotion = Spree::Promotion.with_coupon_code(params[:id]) || Spree::Promotion.find(params[:id])
       end
     end
   end

data/app/controllers/spree/api/properties_controller.rb

@@ -6,7 +6,7 @@ module Spree
       before_action :find_property, only: [:show, :update, :destroy]
 
       def index
-        @properties = Spree::Property.accessible_by(current_ability, :read)
+        @properties = Spree::Property.accessible_by(current_ability)
 
         if params[:ids]
           ids = params[:ids].split(",").flatten
@@ -59,9 +59,9 @@ module Spree
       private
 
       def find_property
-        @property = Spree::Property.accessible_by(current_ability, :read).find(params[:id])
+        @property = Spree::Property.accessible_by(current_ability, :show).find(params[:id])
       rescue ActiveRecord::RecordNotFound
-        @property = Spree::Property.accessible_by(current_ability, :read).find_by!(name: params[:id])
+        @property = Spree::Property.accessible_by(current_ability, :show).find_by!(name: params[:id])
       end
 
       def property_params

data/app/controllers/spree/api/resource_controller.rb

@@ -4,7 +4,7 @@ class Spree::Api::ResourceController < Spree::Api::BaseController
   before_action :load_resource, only: [:show, :update, :destroy]
 
   def index
-    collection_scope = model_class.accessible_by(current_ability, :read)
+    collection_scope = model_class.accessible_by(current_ability)
     if params[:ids]
       ids = params[:ids].split(",").flatten
       collection_scope = collection_scope.where(id: ids)
@@ -53,7 +53,13 @@ class Spree::Api::ResourceController < Spree::Api::BaseController
   def destroy
     authorize! :destroy, @object
 
-    if @object.destroy
+    destroy_result = if @object.respond_to?(:discard)
+      @object.discard
+    else
+      @object.destroy
+    end
+
+    if destroy_result
       respond_with(@object, status: 204)
     else
       invalid_resource!(@object)
@@ -65,7 +71,7 @@ class Spree::Api::ResourceController < Spree::Api::BaseController
   protected
 
   def load_resource
-    @object = model_class.accessible_by(current_ability, :read).find(params[:id])
+    @object = model_class.accessible_by(current_ability, :show).find(params[:id])
     instance_variable_set("@#{object_name}", @object)
   end