solidus_api 2.8.5 → 2.8.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2599ecc3468198cbb624826230a1f3f9ed602714aa449bb7035a0ab2b7ddf202
-  data.tar.gz: 4bca9448d94cb75e435cba18db8a63ee00dc73cca44491c16020c63c2736b4f5
+  metadata.gz: 04c64c177896dab37dae312ae08fd93f1c044ea416ad2ca7184dde05a5faeb5c
+  data.tar.gz: cb6b60e062b48cb68fd5e73172015877ffe3ee84ebbb58b56ee58cf5844610df
 SHA512:
-  metadata.gz: 50fb3ff7327ec8636525dee71e728f50730d36792c96717ff603e844aa4e775d9cf3fc63ed22438b5d13f23d0f6aa1bd21bbddfbfd488f8c5b1f575c4ad058c1
-  data.tar.gz: 75aa7aab776b16f883ef76eb45d421f3c1766eeff1f6a213376b086de69ce3af75950e2ffed0a177f20b66945b9ba05e53aca86eae0fa6d4c54db0b91a546676
+  metadata.gz: c2d2e3c4df97047d23b464b722bc32d6efee403aba8f80891d31e896e15ccfd050a419329855209e31843cfc19283661cd6845857320d989edf718a6455a3223
+  data.tar.gz: 521dc0e421fda8eb0bc9ef9dc7f029800bca98bae82889dee2cabe4a8d242341a285e528db58eed8613d41f5648fe0910f9593ad5505071a475f6cec7bab36c6

data/app/controllers/spree/api/checkouts_controller.rb

@@ -76,11 +76,24 @@ module Spree
       end
 
       def update_params
-        if update_params = massaged_params[:order]
-          update_params.permit(permitted_checkout_attributes)
+        state = @order.state
+        case state.to_sym
+        when :cart, :address
+          massaged_params.fetch(:order, {}).permit(
+            permitted_checkout_address_attributes
+          )
+        when :delivery
+          massaged_params.require(:order).permit(
+            permitted_checkout_delivery_attributes
+          )
+        when :payment
+          massaged_params.require(:order).permit(
+            permitted_checkout_payment_attributes
+          )
         else
-          # We current allow update requests without any parameters in them.
-          {}
+          massaged_params.fetch(:order, {}).permit(
+            permitted_checkout_confirm_attributes
+          )
         end
       end
 

data/app/controllers/spree/api/orders_controller.rb

@@ -128,7 +128,13 @@ module Spree
       end
 
       def normalize_params
-        params[:order][:payments_attributes] = params[:order].delete(:payments) if params[:order][:payments]
+        if params[:order][:payments]
+          payments_params = params[:order].delete(:payments)
+          params[:order][:payments_attributes] = payments_params.map do |payment_params|
+            payment_params[:source_attributes] = payment_params.delete(:source) if payment_params[:source].present?
+            payment_params
+          end
+        end
         params[:order][:shipments_attributes] = params[:order].delete(:shipments) if params[:order][:shipments]
         params[:order][:line_items_attributes] = params[:order].delete(:line_items) if params[:order][:line_items]
         params[:order][:ship_address_attributes] = params[:order].delete(:ship_address) if params[:order][:ship_address].present?

data/spec/requests/spree/api/checkouts_controller_spec.rb

@@ -176,6 +176,7 @@ module Spree
       end
 
       describe 'setting the payment amount' do
+        let(:order) { create(:order_with_line_items, state: :payment) }
         let(:params) do
           {
             order_token: order.guest_token,
@@ -326,17 +327,44 @@ module Spree
         end
       end
 
+      it "cannot update attributes of another step" do
+        order.update_column(:state, "payment")
+
+        params = {
+          order_token: order.guest_token,
+          order: {
+            payments_attributes: [
+              {
+                payment_method_id: @payment_method.id.to_s,
+                source_attributes: attributes_for(:credit_card)
+              }
+            ],
+            ship_address_attributes: {
+              zipcode: 'MALICIOUS ZIPCODE'
+            }
+          }
+        }
+        expect do
+          put spree.api_checkout_path(order), params: params
+        end.not_to change { order.reload.ship_address.zipcode }
+        expect(response.status).to eq(200)
+      end
+
       it "returns the order if the order is already complete" do
         order.update_columns(completed_at: Time.current, state: 'complete')
         put spree.api_checkout_path(order.to_param), params: { order_token: order.guest_token }
         assert_unauthorized!
       end
 
-      # Regression test for https://github.com/spree/spree/issues/3784
-      it "can update the special instructions for an order" do
-        instructions = "Don't drop it. (Please)"
-        put spree.api_checkout_path(order.to_param), params: { order_token: order.guest_token, order: { special_instructions: instructions } }
-        expect(json_response['special_instructions']).to eql(instructions)
+      context "in delivery state" do
+        let(:order) { create(:order_with_line_items, state: :delivery) }
+
+        # Regression test for https://github.com/spree/spree/issues/3784
+        it "can update the special instructions for an order" do
+          instructions = "Don't drop it. (Please)"
+          put spree.api_checkout_path(order.to_param), params: { order_token: order.guest_token, order: { special_instructions: instructions } }
+          expect(json_response['special_instructions']).to eql(instructions)
+        end
       end
 
       context "as an admin" do

data/spec/requests/spree/api/orders_controller_spec.rb

@@ -156,6 +156,7 @@ module Spree
         end
 
         context 'creating payment' do
+          let!(:order) { create(:order_with_line_items) }
           let(:order_params) { super().merge(payments_attributes: [{ payment_method_id: payment_method.id }]) }
 
           context "with allowed payment method" do
@@ -166,6 +167,28 @@ module Spree
                 subject
               }.to change { Spree::Payment.count }.by(1)
             end
+
+            context 'trying to change the address' do
+              let(:order_params) do
+                super().merge(
+                  ship_address_attributes: {
+                    zipcode: '90100'
+                  }
+                )
+              end
+
+              it 'changes the address' do
+                expect {
+                  subject
+                }.to change { order.reload.ship_address.zipcode }
+              end
+
+              it 'invalidates the shipments' do
+                expect {
+                  subject
+                }.to change { order.reload.shipments }.to([])
+              end
+            end
           end
 
           context "with disallowed payment method" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_api
 version: !ruby/object:Gem::Version
-  version: 2.8.5
+  version: 2.8.6
 platform: ruby
 authors:
 - Solidus Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-23 00:00:00.000000000 Z
+date: 2020-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jbuilder
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.8.5
+        version: 2.8.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.8.5
+        version: 2.8.6
 description: REST API for the Solidus e-commerce framework.
 email: contact@solidus.io
 executables: []
@@ -309,7 +309,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.8.23
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: REST API for the Solidus e-commerce framework.