solidus_api 2.2.2 → 2.3.0.beta1

data/spec/{controllers → requests}/spree/api/promotion_application_spec.rb

@@ -1,8 +1,7 @@
 require 'spec_helper'
 
 module Spree::Api
-  describe OrdersController, type: :controller do
-    render_views
+  describe OrdersController, type: :request do
 
     before do
       stub_authentication!
@@ -20,7 +19,7 @@ module Spree::Api
 
       it "can apply a coupon code to the order" do
         expect(order.total).to eq(110.00)
-        api_put :apply_coupon_code, id: order.to_param, coupon_code: "10off", order_token: order.guest_token
+        put spree.apply_coupon_code_api_order_path(order), params: { coupon_code: "10off", order_token: order.guest_token }
         expect(response.status).to eq(200)
         expect(order.reload.total).to eq(109.00)
         expect(json_response["success"]).to eq("The coupon code was successfully applied to your order.")
@@ -37,7 +36,7 @@ module Spree::Api
         end
 
         it "fails to apply" do
-          api_put :apply_coupon_code, id: order.to_param, coupon_code: "10off", order_token: order.guest_token
+          put spree.apply_coupon_code_api_order_path(order), params: { coupon_code: "10off", order_token: order.guest_token }
           expect(response.status).to eq(422)
           expect(json_response["success"]).to be_blank
           expect(json_response["error"]).to eq("The coupon code is expired")

data/spec/{controllers → requests}/spree/api/promotions_controller_spec.rb

@@ -1,16 +1,17 @@
 require 'spec_helper'
 
 module Spree
-  describe Spree::Api::PromotionsController, type: :controller do
-    render_views
+  describe Spree::Api::PromotionsController, type: :request do
 
     shared_examples "a JSON response" do
       it 'should be ok' do
-        expect(subject).to be_ok
+        subject
+        expect(response).to be_ok
       end
 
       it 'should return JSON' do
-        payload = HashWithIndifferentAccess.new(JSON.parse(subject.body))
+        subject
+        payload = HashWithIndifferentAccess.new(JSON.parse(response.body))
         expect(payload).to_not be_nil
         Spree::Api::ApiHelpers.promotion_attributes.each do |attribute|
           expect(payload).to be_has_key(attribute)
@@ -25,7 +26,7 @@ module Spree
     let(:promotion) { create :promotion, code: '10off' }
 
     describe 'GET #show' do
-      subject { api_get :show, id: id }
+      subject { get spree.api_promotion_path(id) }
 
       context 'when admin' do
         sign_in_as_admin!
@@ -46,7 +47,8 @@ module Spree
           let(:id) { 'argh' }
 
           it 'should be 404' do
-            expect(subject.status).to eq(404)
+            subject
+            expect(response.status).to eq(404)
           end
         end
       end

data/spec/{controllers → requests}/spree/api/properties_controller_spec.rb

@@ -1,7 +1,6 @@
 require 'spec_helper'
 module Spree
-  describe Spree::Api::PropertiesController, type: :controller do
-    render_views
+  describe Spree::Api::PropertiesController, type: :request do
 
     let!(:property_1) { Property.create!(name: "foo", presentation: "Foo") }
     let!(:property_2) { Property.create!(name: "bar", presentation: "Bar") }
@@ -13,65 +12,65 @@ module Spree
     end
 
     it "can see a list of all properties" do
-      api_get :index
+      get spree.api_properties_path
       expect(json_response["properties"].count).to eq(2)
       expect(json_response["properties"].first).to have_attributes(attributes)
     end
 
     it "can control the page size through a parameter" do
-      api_get :index, per_page: 1
+      get spree.api_properties_path, params: { per_page: 1 }
       expect(json_response['properties'].count).to eq(1)
       expect(json_response['current_page']).to eq(1)
       expect(json_response['pages']).to eq(2)
     end
 
     it 'can query the results through a parameter' do
-      api_get :index, q: { name_cont: 'ba' }
+      get spree.api_properties_path, params: { q: { name_cont: 'ba' } }
       expect(json_response['count']).to eq(1)
       expect(json_response['properties'].first['presentation']).to eq property_2.presentation
     end
 
     it "retrieves a list of properties by id" do
-      api_get :index, ids: [property_1.id]
+      get spree.api_properties_path, params: { ids: [property_1.id] }
       expect(json_response["properties"].first).to have_attributes(attributes)
       expect(json_response["count"]).to eq(1)
     end
 
     it "retrieves a list of properties by ids string" do
-      api_get :index, ids: [property_1.id, property_2.id].join(",")
+      get spree.api_properties_path, params: { ids: [property_1.id, property_2.id].join(",") }
       expect(json_response["properties"].first).to have_attributes(attributes)
       expect(json_response["properties"][1]).to have_attributes(attributes)
       expect(json_response["count"]).to eq(2)
     end
 
     it "can see a single property" do
-      api_get :show, id: property_1.id
+      get spree.api_property_path(property_1.id)
       expect(json_response).to have_attributes(attributes)
     end
 
     it "can see a property by name" do
-      api_get :show, id: property_1.name
+      get spree.api_property_path(property_1.name)
       expect(json_response).to have_attributes(attributes)
     end
 
     it "can learn how to create a new property" do
-      api_get :new
+      get spree.new_api_property_path
       expect(json_response["attributes"]).to eq(attributes.map(&:to_s))
       expect(json_response["required_attributes"]).to be_empty
     end
 
     it "cannot create a new property if not an admin" do
-      api_post :create, property: { name: "My Property 3" }
+      post spree.api_properties_path, params: { property: { name: "My Property 3" } }
       assert_unauthorized!
     end
 
     it "cannot update a property" do
-      api_put :update, id: property_1.name, property: { presentation: "my value 456" }
+      put spree.api_property_path(property_1.name), params: { property: { presentation: "my value 456" } }
       assert_unauthorized!
     end
 
     it "cannot delete a property" do
-      api_delete :destroy, id: property_1.id
+      delete spree.api_property_path(property_1.name)
       assert_unauthorized!
       expect { property_1.reload }.not_to raise_error
     end
@@ -81,19 +80,19 @@ module Spree
 
       it "can create a new property" do
         expect(Spree::Property.count).to eq(2)
-        api_post :create, property: { name: "My Property 3", presentation: "my value 3" }
+        post spree.api_properties_path, params: { property: { name: "My Property 3", presentation: "my value 3" } }
         expect(json_response).to have_attributes(attributes)
         expect(response.status).to eq(201)
         expect(Spree::Property.count).to eq(3)
       end
 
       it "can update a property" do
-        api_put :update, id: property_1.name, property: { presentation: "my value 456" }
+        put spree.api_property_path(property_1.name), params: { property: { presentation: "my value 456" } }
         expect(response.status).to eq(200)
       end
 
       it "can delete a property" do
-        api_delete :destroy, id: property_1.name
+        delete spree.api_property_path(property_1.name)
         expect(response.status).to eq(204)
         expect { property_1.reload }.to raise_error(ActiveRecord::RecordNotFound)
       end

data/spec/{controllers → requests}/spree/api/return_authorizations_controller_spec.rb

@@ -1,14 +1,12 @@
 require 'spec_helper'
 
 module Spree
-  describe Api::ReturnAuthorizationsController, type: :controller do
-    render_views
+  describe Api::ReturnAuthorizationsController, type: :request do
 
     let!(:order) { create(:shipped_order) }
 
     let(:product) { create(:product) }
     let(:attributes) { [:id, :memo, :state] }
-    let(:resource_scoping) { { order_id: order.to_param } }
 
     before do
       stub_authentication!
@@ -21,7 +19,7 @@ module Spree
         rma_params = { stock_location_id: stock_location.id,
                        return_reason_id: reason.id,
                        memo: "Defective" }
-        api_post :create, order_id: order.number, return_authorization: rma_params
+        post spree.api_order_return_authorizations_path(order), params: { order_id: order.number, return_authorization: rma_params }
         expect(response.status).to eq(201)
         expect(json_response).to have_attributes(attributes)
         expect(json_response["state"]).not_to be_blank
@@ -34,29 +32,29 @@ module Spree
       end
 
       it "cannot see any return authorizations" do
-        api_get :index
+        get spree.api_order_return_authorizations_path(order)
         assert_unauthorized!
       end
 
       it "cannot see a single return authorization" do
-        api_get :show, id: 1
+        get spree.api_order_return_authorization_path(order, 1)
         assert_unauthorized!
       end
 
       it "cannot learn how to create a new return authorization" do
-        api_get :new
+        get spree.new_api_order_return_authorization_path(order)
         assert_unauthorized!
       end
 
       it_behaves_like "a return authorization creator"
 
       it "cannot update a return authorization" do
-        api_put :update, id: 0
+        put spree.api_order_return_authorization_path(order, 0)
         assert_not_found!
       end
 
       it "cannot delete a return authorization" do
-        api_delete :destroy, id: 0
+        delete spree.api_order_return_authorization_path(order, 0)
         assert_not_found!
       end
     end
@@ -67,7 +65,7 @@ module Spree
       end
 
       it "cannot create a new return authorization" do
-        api_post :create
+        post spree.api_order_return_authorizations_path(order)
         assert_unauthorized!
       end
     end
@@ -78,7 +76,7 @@ module Spree
       it "can show return authorization" do
         FactoryGirl.create(:return_authorization, order: order)
         return_authorization = order.return_authorizations.first
-        api_get :show, order_id: order.number, id: return_authorization.id
+        get spree.api_order_return_authorization_path(order, return_authorization.id)
         expect(response.status).to eq(200)
         expect(json_response).to have_attributes(attributes)
         expect(json_response["state"]).not_to be_blank
@@ -87,7 +85,7 @@ module Spree
       it "can get a list of return authorizations" do
         FactoryGirl.create(:return_authorization, order: order)
         FactoryGirl.create(:return_authorization, order: order)
-        api_get :index, { order_id: order.number }
+        get spree.api_order_return_authorizations_path(order), params: { order_id: order.number }
         expect(response.status).to eq(200)
         return_authorizations = json_response["return_authorizations"]
         expect(return_authorizations.first).to have_attributes(attributes)
@@ -97,7 +95,7 @@ module Spree
       it 'can control the page size through a parameter' do
         FactoryGirl.create(:return_authorization, order: order)
         FactoryGirl.create(:return_authorization, order: order)
-        api_get :index, order_id: order.number, per_page: 1
+        get spree.api_order_return_authorizations_path(order), params: { order_id: order.number, per_page: 1 }
         expect(json_response['count']).to eq(1)
         expect(json_response['current_page']).to eq(1)
         expect(json_response['pages']).to eq(2)
@@ -107,13 +105,13 @@ module Spree
         FactoryGirl.create(:return_authorization, order: order)
         expected_result = create(:return_authorization, memo: 'damaged')
         order.return_authorizations << expected_result
-        api_get :index, q: { memo_cont: 'damaged' }
+        get spree.api_order_return_authorizations_path(order), params: { q: { memo_cont: 'damaged' } }
         expect(json_response['count']).to eq(1)
         expect(json_response['return_authorizations'].first['memo']).to eq expected_result.memo
       end
 
       it "can learn how to create a new return authorization" do
-        api_get :new
+        get spree.new_api_order_return_authorization_path(order)
         expect(json_response["attributes"]).to eq(["id", "number", "state", "order_id", "memo", "created_at", "updated_at"])
         required_attributes = json_response["required_attributes"]
         expect(required_attributes).to include("order")
@@ -122,7 +120,7 @@ module Spree
       it "can update a return authorization on the order" do
         FactoryGirl.create(:return_authorization, order: order)
         return_authorization = order.return_authorizations.first
-        api_put :update, id: return_authorization.id, return_authorization: { memo: "ABC" }
+        put spree.api_order_return_authorization_path(order, return_authorization.id), params: { return_authorization: { memo: "ABC" } }
         expect(response.status).to eq(200)
         expect(json_response).to have_attributes(attributes)
       end
@@ -131,7 +129,7 @@ module Spree
         FactoryGirl.create(:new_return_authorization, order: order)
         return_authorization = order.return_authorizations.first
         expect(return_authorization.state).to eq("authorized")
-        api_delete :cancel, id: return_authorization.id
+        put spree.cancel_api_order_return_authorization_path(order, return_authorization.id)
         expect(response.status).to eq(200)
         expect(return_authorization.reload.state).to eq("canceled")
       end
@@ -139,7 +137,7 @@ module Spree
       it "can delete a return authorization on the order" do
         FactoryGirl.create(:return_authorization, order: order)
         return_authorization = order.return_authorizations.first
-        api_delete :destroy, id: return_authorization.id
+        delete spree.api_order_return_authorization_path(order, return_authorization.id)
         expect(response.status).to eq(204)
         expect { return_authorization.reload }.to raise_error(ActiveRecord::RecordNotFound)
       end
@@ -149,14 +147,14 @@ module Spree
 
     context "as just another user" do
       it "cannot add a return authorization to the order" do
-        api_post :create, return_autorization: { order_id: order.number, memo: "Defective" }
+        post spree.api_order_return_authorizations_path(order), params: { return_autorization: { order_id: order.number, memo: "Defective" } }
         assert_unauthorized!
       end
 
       it "cannot update a return authorization on the order" do
         FactoryGirl.create(:return_authorization, order: order)
         return_authorization = order.return_authorizations.first
-        api_put :update, id: return_authorization.id, return_authorization: { memo: "ABC" }
+        put spree.api_order_return_authorization_path(order, return_authorization.id), params: { return_authorization: { memo: "ABC" } }
         assert_unauthorized!
         expect(return_authorization.reload.memo).not_to eq("ABC")
       end
@@ -164,7 +162,7 @@ module Spree
       it "cannot delete a return authorization on the order" do
         FactoryGirl.create(:return_authorization, order: order)
         return_authorization = order.return_authorizations.first
-        api_delete :destroy, id: return_authorization.id
+        delete spree.api_order_return_authorization_path(order, return_authorization.id)
         assert_unauthorized!
         expect { return_authorization.reload }.not_to raise_error
       end

data/spec/requests/spree/api/shipments_controller_spec.rb

@@ -1,135 +1,441 @@
 require 'spec_helper'
 
-RSpec.describe Spree::Api::ShipmentsController, type: :request do
-  let(:user) { create(:admin_user, spree_api_key: 'abc123') }
-  let(:stock_item) { create(:stock_item, backorderable: false) }
-  let(:variant) { stock_item.variant }
-
-  let(:order) do
-    create(
-      :completed_order_with_totals,
-      user: user,
-      line_items_attributes: [
-        {
-          variant: variant
-        }
-      ]
-    )
+describe Spree::Api::ShipmentsController, type: :request do
+  let!(:shipment) { create(:shipment, inventory_units: [build(:inventory_unit, shipment: nil)]) }
+  let!(:attributes) { [:id, :tracking, :tracking_url, :number, :cost, :shipped_at, :stock_location_name, :order_id, :shipping_rates, :shipping_methods] }
+
+  before do
+    stub_authentication!
   end
 
-  let(:shipment) { order.shipments.first }
+  let!(:resource_scoping) { { id: shipment.to_param, shipment: { order_id: shipment.order.to_param } } }
 
-  describe "POST /api/shipments/transfer_to_location" do
-    let(:stock_location) { create(:stock_location) }
-    let(:source_shipment) { order.shipments.first }
-    let(:parsed_response) { JSON.parse(response.body) }
-    let(:stock_location_id) { stock_location.id }
+  context "as a non-admin" do
+    it "cannot make a shipment ready" do
+      put spree.ready_api_shipment_path(shipment)
+      assert_unauthorized!
+    end
 
-    subject do
-      post "/api/shipments/transfer_to_location.json",
-        params: {
-          original_shipment_number: source_shipment.number,
-          stock_location_id: stock_location_id,
-          quantity: 1,
-          variant_id: variant.id,
-          token: user.spree_api_key
-        }
+    it "cannot make a shipment shipped" do
+      put spree.ship_api_shipment_path(shipment)
+      assert_unauthorized!
     end
 
-    context "for a successful transfer" do
-      before do
-        stock_location.restock(variant, 1)
+    it "cannot remove order contents from shipment" do
+      put spree.remove_api_shipment_path(shipment)
+      assert_unauthorized!
+    end
+
+    it "cannot add contents to the shipment" do
+      put spree.add_api_shipment_path(shipment)
+      assert_unauthorized!
+    end
+
+    it "cannot update the shipment" do
+      put spree.api_shipment_path(shipment)
+      assert_unauthorized!
+    end
+  end
+
+  context "as an admin" do
+    let!(:order) { shipment.order }
+    let!(:stock_location) { create(:stock_location_with_items) }
+    let!(:variant) { create(:variant) }
+
+    sign_in_as_admin!
+
+    # Start writing this spec a bit differently than before....
+    describe 'POST #create' do
+      let(:params) do
+        {
+          variant_id: stock_location.stock_items.first.variant.to_param,
+          shipment: { order_id: order.number },
+          stock_location_id: stock_location.to_param
+        }
+      end
+
+      subject do
+        post spree.api_shipments_path, params: params
       end
 
-      it "returns the correct message" do
+      [:variant_id, :stock_location_id].each do |field|
+        context "when #{field} is missing" do
+          before do
+            params.delete(field)
+          end
+
+          it 'should return proper error' do
+            subject
+            expect(response.status).to eq(422)
+            expect(json_response['exception']).to eq("param is missing or the value is empty: #{field}")
+          end
+        end
+      end
+
+      it 'should create a new shipment' do
         subject
-        expect(response).to be_success
-        expect(parsed_response["success"]).to be true
-        expect(parsed_response["message"]).to eq("Variants successfully transferred")
+        expect(response).to be_ok
+        expect(json_response).to have_attributes(attributes)
       end
     end
 
-    context "if the source shipment can not be found" do
-      let(:stock_location_id) { 9999 }
+    it 'can update a shipment' do
+      params = {
+        shipment: {
+          stock_location_id: stock_location.to_param
+        }
+      }
 
-      it "returns a 404" do
-        subject
-        expect(response).to be_not_found
-        expect(parsed_response["error"]).to eq("The resource you were looking for could not be found.")
+      put spree.api_shipment_path(shipment), params: params
+      expect(response.status).to eq(200)
+      expect(json_response['stock_location_name']).to eq(stock_location.name)
+    end
+
+    it "can make a shipment ready" do
+      allow_any_instance_of(Spree::Order).to receive_messages(paid?: true, complete?: true)
+      put spree.ready_api_shipment_path(shipment)
+      expect(json_response).to have_attributes(attributes)
+      expect(json_response["state"]).to eq("ready")
+      expect(shipment.reload.state).to eq("ready")
+    end
+
+    it "cannot make a shipment ready if the order is unpaid" do
+      allow_any_instance_of(Spree::Order).to receive_messages(paid?: false)
+      put spree.ready_api_shipment_path(shipment)
+      expect(json_response["error"]).to eq("Cannot ready shipment.")
+      expect(response.status).to eq(422)
+    end
+
+    context 'for completed orders' do
+      let(:order) { create :completed_order_with_totals }
+      let(:shipment) { order.shipments.first }
+
+      it 'adds a variant to a shipment' do
+        put spree.add_api_shipment_path(shipment), params: { variant_id: variant.to_param, quantity: 2 }
+        expect(response.status).to eq(200)
+        expect(json_response['manifest'].detect { |h| h['variant']['id'] == variant.id }["quantity"]).to eq(2)
+      end
+
+      it 'removes a variant from a shipment' do
+        order.contents.add(variant, 2)
+
+        put spree.remove_api_shipment_path(shipment), params: { variant_id: variant.to_param, quantity: 1 }
+        expect(response.status).to eq(200)
+        expect(json_response['manifest'].detect { |h| h['variant']['id'] == variant.id }["quantity"]).to eq(1)
+      end
+
+      it 'removes a destroyed variant from a shipment' do
+        order.contents.add(variant, 2)
+        variant.destroy
+
+        put spree.remove_api_shipment_path(shipment), params: { variant_id: variant.to_param, quantity: 1 }
+        expect(response.status).to eq(200)
+        expect(json_response['manifest'].detect { |h| h['variant']['id'] == variant.id }["quantity"]).to eq(1)
       end
     end
 
-    context "if the user can not update shipments" do
-      let(:user) { create(:user, spree_api_key: 'abc123') }
+    context "for shipped shipments" do
+      let(:order) { create :shipped_order }
+      let(:shipment) { order.shipments.first }
 
-      custom_authorization! do |_|
-        can :read, Spree::Shipment
-        cannot :update, Spree::Shipment
-        can :create, Spree::Shipment
-        can :destroy, Spree::Shipment
+      it 'adds a variant to a shipment' do
+        put spree.add_api_shipment_path(shipment), params: { variant_id: variant.to_param, quantity: 2 }
+        expect(response.status).to eq(200)
+        expect(json_response['manifest'].detect { |h| h['variant']['id'] == variant.id }["quantity"]).to eq(2)
       end
 
-      it "is not authorized" do
-        subject
-        expect(response).to be_unauthorized
+      it 'cannot remove a variant from a shipment' do
+        put spree.remove_api_shipment_path(shipment), params: { variant_id: variant.to_param, quantity: 1 }
+        expect(response.status).to eq(422)
+        expect(json_response['errors']['base'].join).to match /Cannot remove items/
       end
     end
 
-    context "if the user can not destroy shipments" do
-      let(:user) { create(:user, spree_api_key: 'abc123') }
+    describe '#mine' do
+      subject do
+        get spree.mine_api_shipments_path, params: params
+      end
+
+      let(:params) { {} }
+
+      context "the current api user is authenticated and has orders" do
+        let(:current_api_user) { shipped_order.user }
+        let!(:shipped_order) { create(:shipped_order) }
+
+        it 'succeeds' do
+          subject
+          expect(response.status).to eq 200
+        end
+
+        describe 'json output' do
+          let(:rendered_shipment_ids) { json_response['shipments'].map { |s| s['id'] } }
+
+          it 'contains the shipments' do
+            subject
+            expect(rendered_shipment_ids).to match_array current_api_user.orders.flat_map(&:shipments).map(&:id)
+          end
+
+          context "credit card payment" do
+            before { subject }
+
+            it 'contains the id and cc_type of the credit card' do
+              expect(json_response['shipments'][0]['order']['payments'][0]['source'].keys).to match_array ["id", "cc_type"]
+            end
+          end
+
+          context "store credit payment" do
+            let(:current_api_user) { shipped_order.user }
+            let(:shipped_order)    { create(:shipped_order, payment_type: :store_credit_payment) }
+
+            before { subject }
+
+            it 'only contains the id of the payment source' do
+              expect(json_response['shipments'][0]['order']['payments'][0]['source'].keys).to match_array ["id"]
+            end
+          end
+        end
+
+        context 'with filtering' do
+          let(:params) { { q: { order_completed_at_not_null: 1 } } }
 
-      custom_authorization! do |_|
-        can :read, Spree::Shipment
-        can :update, Spree::Shipment
-        cannot :destroy, Spree::Shipment
-        can :create, Spree::Shipment
+          let!(:incomplete_order) { create(:order_with_line_items, user: current_api_user) }
+
+          it 'filters' do
+            subject
+            expect(assigns(:shipments).map(&:id)).to match_array current_api_user.orders.complete.flat_map(&:shipments).map(&:id)
+          end
+        end
       end
 
-      it "is not authorized" do
-        subject
-        expect(response).to be_unauthorized
+      context "the current api user does not exist" do
+        let(:current_api_user) { nil }
+
+        it "returns a 401" do
+          subject
+          expect(response.status).to eq(401)
+        end
       end
     end
   end
 
-  describe "POST /api/shipments/transfer_to_shipment" do
-    let(:stock_location) { create(:stock_location) }
-    let(:source_shipment) { order.shipments.first }
-    let(:target_shipment) { order.shipments.create(stock_location: stock_location) }
-    let(:parsed_response) { JSON.parse(response.body) }
-    let(:source_shipment_number) { source_shipment.number }
+  describe "#ship" do
+    let(:shipment) { create(:order_ready_to_ship).shipments.first }
+
+    let(:send_mailer) { nil }
 
     subject do
-      post "/api/shipments/transfer_to_shipment.json",
-        params: {
-          original_shipment_number: source_shipment_number,
-          target_shipment_number: target_shipment.number,
-          quantity: 1,
-          variant_id: variant.id,
-          token: user.spree_api_key
-        }
+      put spree.ship_api_shipment_path(shipment), params: { send_mailer: send_mailer }
+    end
+
+    context "the user is allowed to ship the shipment" do
+      sign_in_as_admin!
+      it "ships the shipment" do
+        Timecop.freeze do
+          subject
+          shipment.reload
+          expect(shipment.state).to eq 'shipped'
+          expect(shipment.shipped_at.to_i).to eq Time.current.to_i
+        end
+      end
+
+      describe 'sent emails' do
+        subject { perform_enqueued_jobs { super() } }
+
+        context "send_mailer not present" do
+          it "sends the shipped shipments mailer" do
+            expect { subject }.to change { ActionMailer::Base.deliveries.size }.by(1)
+            expect(ActionMailer::Base.deliveries.last.subject).to match /Shipment Notification/
+          end
+        end
+
+        context "send_mailer set to false" do
+          let(:send_mailer) { 'false' }
+          it "does not send the shipped shipments mailer" do
+            expect { subject }.to_not change { ActionMailer::Base.deliveries.size }
+          end
+        end
+
+        context "send_mailer set to true" do
+          let(:send_mailer) { 'true' }
+          it "sends the shipped shipments mailer" do
+            expect { subject }.to change { ActionMailer::Base.deliveries.size }.by(1)
+            expect(ActionMailer::Base.deliveries.last.subject).to match /Shipment Notification/
+          end
+        end
+      end
     end
 
-    context "for a successful transfer" do
+    context "the user is not allowed to ship the shipment" do
+      sign_in_as_admin!
+
       before do
-        stock_location.restock(variant, 1)
+        ability = Spree::Ability.new(current_api_user)
+        ability.cannot :ship, Spree::Shipment
+        allow_any_instance_of(Spree::Api::ShipmentsController).to receive(:current_ability) { ability }
+      end
+
+      it "does nothing" do
+        expect {
+          expect {
+            subject
+          }.not_to change(shipment, :state)
+        }.not_to change(shipment, :shipped_at)
       end
 
-      it "returns the correct message" do
+      it "responds with a 401" do
         subject
-        expect(response).to be_success
-        expect(parsed_response["success"]).to be true
-        expect(parsed_response["message"]).to eq("Variants successfully transferred")
+        expect(response.status).to eq 401
       end
     end
 
-    context "if the source shipment can not be found" do
-      let(:source_shipment_number) { 9999 }
+    context "the user is not allowed to view the shipment" do
+      it "does nothing" do
+        expect {
+          expect {
+            subject
+          }.not_to change(shipment, :state)
+        }.not_to change(shipment, :shipped_at)
+      end
 
-      it "returns a 404" do
+      it "responds with a 401" do
         subject
-        expect(response).to be_not_found
-        expect(parsed_response["error"]).to eq("The resource you were looking for could not be found.")
+        expect(response).to be_unauthorized
+      end
+    end
+  end
+
+  describe "transfers" do
+    let(:user) { create(:admin_user, spree_api_key: 'abc123') }
+    let(:current_api_user) { user }
+    let(:stock_item) { create(:stock_item, backorderable: false) }
+    let(:variant) { stock_item.variant }
+
+    let(:order) do
+      create(
+        :completed_order_with_totals,
+        user: user,
+        line_items_attributes: [
+          {
+            variant: variant
+          }
+        ]
+      )
+    end
+
+    let(:shipment) { order.shipments.first }
+
+    describe "POST /api/shipments/transfer_to_location" do
+      let(:stock_location) { create(:stock_location) }
+      let(:source_shipment) { order.shipments.first }
+      let(:parsed_response) { JSON.parse(response.body) }
+      let(:stock_location_id) { stock_location.id }
+
+      subject do
+        post "/api/shipments/transfer_to_location.json",
+          params: {
+            original_shipment_number: source_shipment.number,
+            stock_location_id: stock_location_id,
+            quantity: 1,
+            variant_id: variant.id,
+            token: user.spree_api_key
+          }
+      end
+
+      context "for a successful transfer" do
+        before do
+          stock_location.restock(variant, 1)
+        end
+
+        it "returns the correct message" do
+          subject
+          expect(response).to be_success
+          expect(parsed_response["success"]).to be true
+          expect(parsed_response["message"]).to eq("Variants successfully transferred")
+        end
+      end
+
+      context "if the source shipment can not be found" do
+        let(:stock_location_id) { 9999 }
+
+        it "returns a 404" do
+          subject
+          expect(response).to be_not_found
+          expect(parsed_response["error"]).to eq("The resource you were looking for could not be found.")
+        end
+      end
+
+      context "if the user can not update shipments" do
+        let(:user) { create(:user, spree_api_key: 'abc123') }
+
+        custom_authorization! do |_|
+          can :read, Spree::Shipment
+          cannot :update, Spree::Shipment
+          can :create, Spree::Shipment
+          can :destroy, Spree::Shipment
+        end
+
+        it "is not authorized" do
+          subject
+          expect(response).to be_unauthorized
+        end
+      end
+
+      context "if the user can not destroy shipments" do
+        let(:user) { create(:user, spree_api_key: 'abc123') }
+
+        custom_authorization! do |_|
+          can :read, Spree::Shipment
+          can :update, Spree::Shipment
+          cannot :destroy, Spree::Shipment
+          can :create, Spree::Shipment
+        end
+
+        it "is not authorized" do
+          subject
+          expect(response).to be_unauthorized
+        end
+      end
+    end
+
+    describe "POST /api/shipments/transfer_to_shipment" do
+      let(:stock_location) { create(:stock_location) }
+      let(:source_shipment) { order.shipments.first }
+      let(:target_shipment) { order.shipments.create(stock_location: stock_location) }
+      let(:parsed_response) { JSON.parse(response.body) }
+      let(:source_shipment_number) { source_shipment.number }
+
+      subject do
+        post "/api/shipments/transfer_to_shipment.json",
+          params: {
+            original_shipment_number: source_shipment_number,
+            target_shipment_number: target_shipment.number,
+            quantity: 1,
+            variant_id: variant.id,
+            token: user.spree_api_key
+          }
+      end
+
+      context "for a successful transfer" do
+        before do
+          stock_location.restock(variant, 1)
+        end
+
+        it "returns the correct message" do
+          subject
+          expect(response).to be_success
+          expect(parsed_response["success"]).to be true
+          expect(parsed_response["message"]).to eq("Variants successfully transferred")
+        end
+      end
+
+      context "if the source shipment can not be found" do
+        let(:source_shipment_number) { 9999 }
+
+        it "returns a 404" do
+          subject
+          expect(response).to be_not_found
+          expect(parsed_response["error"]).to eq("The resource you were looking for could not be found.")
+        end
       end
     end
   end