solidus_api 1.1.3 → 1.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 394a61f0e6117b0a5947ad8eb3b2735e21464efc
-  data.tar.gz: 16dd5627220909ab583fb2d2fb09461e83a0a3b8
+  metadata.gz: d2c2d5dcacdd54bff2af4a9f0c95267b946ef5ca
+  data.tar.gz: d408a4edde689abcf77a6d0c1997ae15134f7a37
 SHA512:
-  metadata.gz: cb6c122cb20ea6b9f2fb895bd94320b3fd3d0bb55e88c64c4f50990af3c0f73a5abe0c25eef5024df41a9336319813b11f1ca498c9f3ce921f0d103b93ad1d80
-  data.tar.gz: cd8a32d4a418a372fdfbee6bb0b7c07e3dd360810d5325811ddd9592e0258904e0482f14b5cf7c04fad3c92c3b9dc2d05777213b066764388cbebaaff2c7e3be
+  metadata.gz: 1be4bc3ad33669bd7ded7960bc68b2444230ced8dc3998f53a7344663a8c360a16c710a189ccf2544b05be5ddf96ea72f26fb5dc0edf39f4749164fa6fe2a27a
+  data.tar.gz: 9f0ec8af96cb1f98d4adf442cb5984ca66226b2bb604ab552f7d525a3c055abb6e2e9daf080fdaefd7b6e62d02f81642b41baeee056b847285c874379dbf86cb

data/app/controllers/spree/api/base_controller.rb

@@ -151,7 +151,7 @@ module Spree
       end
 
       def lock_order
-        OrderMutex.with_lock!(@order) { yield }
+        Spree::OrderMutex.with_lock!(@order) { yield }
       rescue Spree::OrderMutex::LockFailed => e
         render text: e.message, status: 409
       end

data/app/controllers/spree/api/orders_controller.rb

@@ -28,14 +28,23 @@ module Spree
       def create
         authorize! :create, Order
 
-        order_user = if order_params[:user_id]
-          Spree.user_class.find(order_params[:user_id])
+        if can?(:admin, Order)
+          order_user = if order_params[:user_id]
+            Spree.user_class.find(order_params[:user_id])
+          else
+            current_api_user
+          end
+
+          @order = Spree::Core::Importer::Order.import(order_user, order_params)
+          respond_with(@order, default_template: :show, status: 201)
         else
-          current_api_user
+          @order = Spree::Order.create!(user: current_api_user, store: current_store)
+          if @order.contents.update_cart(order_params)
+            respond_with(@order, default_template: :show, status: 201)
+          else
+            invalid_resource!(@order)
+          end
         end
-
-        @order = Spree::Core::Importer::Order.import(order_user, order_params)
-        respond_with(@order, default_template: :show, status: 201)
       end
 
       def empty

data/app/controllers/spree/api/payments_controller.rb

@@ -17,6 +17,7 @@ module Spree
       end
 
       def create
+        @order.validate_payments_attributes(payment_params)
         @payment = @order.payments.build(payment_params)
         if @payment.save
           respond_with(@payment, status: 201, default_template: :show)

data/spec/controllers/spree/api/checkouts_controller_spec.rb

@@ -163,6 +163,19 @@ module Spree
         expect(response.status).to eq(200)
       end
 
+      context "with disallowed payment method" do
+        it "returns not found" do
+          order.update_column(:state, "payment")
+          allow_any_instance_of(Spree::Gateway::Bogus).to receive(:source_required?).and_return(false)
+          @payment_method.update!(display_on: "back_end")
+          expect {
+            api_put :update, id: order.to_param, order_token: order.guest_token, order: { payments_attributes: [{ payment_method_id: @payment_method.id }] }
+          }.not_to change { Spree::Payment.count }
+          expect(response.status).to eq(404)
+        end
+      end
+
+
       it "returns errors when source is required and missing" do
         order.update_column(:state, "payment")
         api_put :update, :id => order.to_param, :order_token => order.guest_token,

data/spec/controllers/spree/api/orders_controller_spec.rb

@@ -29,46 +29,62 @@ module Spree
 
     describe "POST create" do
       let(:target_user) { create :user }
-      let(:date_override) { 3.days.ago }
+      let(:date_override) { Time.parse('2015-01-01') }
+      let(:attributes) { { user_id: target_user.id, created_at: date_override, email: target_user.email } }
 
-      before do
-        allow_any_instance_of(Spree::Ability).to receive(:can?).
-          and_return(true)
-
-        allow_any_instance_of(Spree::Ability).to receive(:can?).
-          with(:admin, Spree::Order).
-          and_return(can_admin)
-
-        allow(Spree.user_class).to receive(:find).
-          with(target_user.id).
-          and_return(target_user)
-      end
-
-      subject { api_post :create, order: { user_id: target_user.id, created_at: date_override, email: target_user.email } }
+      subject { api_post :create, order: attributes }
 
       context "when the current user cannot administrate the order" do
-        let(:can_admin) { false }
+        stub_authorization! do |_|
+          can :create, Spree::Order
+        end
 
         it "does not include unpermitted params, or allow overriding the user", focus: true do
-          expect(Spree::Core::Importer::Order).to receive(:import).
-            once.
-            with(current_api_user, { "email" => target_user.email }).
-            and_call_original
           subject
+          expect(response).to be_success
+          order = Spree::Order.last
+          expect(order.user).to eq current_api_user
+          expect(order.email).to eq target_user.email
         end
 
         it { is_expected.to be_success }
+
+        context 'creating payment' do
+          let(:attributes) { super().merge(payments_attributes: [{ payment_method_id: payment_method.id }]) }
+
+          context "with allowed payment method" do
+            let!(:payment_method) { create(:check_payment_method, name: "allowed" ) }
+            it { is_expected.to be_success }
+            it "creates a payment" do
+              expect {
+                subject
+              }.to change { Spree::Payment.count }.by(1)
+            end
+          end
+
+          context "with disallowed payment method" do
+            let!(:payment_method) { create(:check_payment_method, name: "forbidden", display_on: "back_end") }
+            it { is_expected.to be_not_found }
+            it "creates no payments" do
+              expect {
+                subject
+              }.not_to change { Spree::Payment.count }
+            end
+          end
+        end
       end
 
       context "when the current user can administrate the order" do
-        let(:can_admin) { true }
+        stub_authorization! do |_|
+          can [:admin, :create], Spree::Order
+        end
 
         it "it permits all params and allows overriding the user" do
-          expect(Spree::Core::Importer::Order).to receive(:import).
-            once.
-            with(target_user, { "user_id" => target_user.id, "created_at" => date_override, "email" => target_user.email}).
-            and_call_original
           subject
+          order = Spree::Order.last
+          expect(order.user).to eq target_user
+          expect(order.email).to eq target_user.email
+          expect(order.created_at).to eq date_override
         end
 
         it { is_expected.to be_success }
@@ -81,41 +97,65 @@ module Spree
       let(:can_admin) { false }
       subject { api_put :update, id: order.to_param, order: order_params }
 
-      before do
-        allow_any_instance_of(Spree::Ability).to receive(:can?).
-          and_return(true)
+      context "when the user cannot administer the order" do
+        stub_authorization! do |_|
+          can [:update], Spree::Order
+        end
 
-        allow(Spree::Order).to receive(:find_by!).
-          with(number: order.number).
-          and_return(order)
+        it "updates the user's email" do
+          expect {
+            subject
+          }.to change { order.reload.email }.to("foo@foobar.com")
+        end
 
-        allow(Spree.user_class).to receive(:find).
-          with(user.id).
-          and_return(user)
+        it { is_expected.to be_success }
 
-        allow_any_instance_of(Spree::Ability).to receive(:can?).
-          with(:admin, Spree::Order).
-          and_return(can_admin)
-      end
+        it "does not associate users" do
+          expect {
+            subject
+          }.not_to change { order.reload.user }
+        end
 
-      it "updates the cart contents" do
-        expect(order.contents).to receive(:update_cart).
-          once.
-          with({"email" => "foo@foobar.com"})
-        subject
-      end
+        it "does not change forbidden attributes" do
+          expect {
+            subject
+          }.to_not change{ order.reload.number }
+        end
+
+        context 'creating payment' do
+          let(:order_params) { super().merge(payments_attributes: [{ payment_method_id: payment_method.id }]) }
+
+          context "with allowed payment method" do
+            let!(:payment_method) { create(:check_payment_method, name: "allowed" ) }
+            it { is_expected.to be_success }
+            it "creates a payment" do
+              expect {
+                subject
+              }.to change { Spree::Payment.count }.by(1)
+            end
+          end
 
-      it { is_expected.to be_success }
+          context "with disallowed payment method" do
+            let!(:payment_method) { create(:check_payment_method, name: "forbidden", display_on: "back_end") }
+            it { is_expected.to be_not_found }
+            it "creates no payments" do
+              expect {
+                subject
+              }.not_to change { Spree::Payment.count }
+            end
+          end
+        end
+      end
 
       context "when the user can administer the order" do
-        let(:can_admin) { true }
+        stub_authorization! do |_|
+          can [:admin, :update], Spree::Order
+        end
 
         it "will associate users" do
-          expect(order).to receive(:associate_user!).
-            once.
-            with(user)
-
-          subject
+          expect {
+            subject
+          }.to change { order.reload.user }.to(user)
         end
 
         it "updates the otherwise forbidden attributes" do
@@ -123,17 +163,6 @@ module Spree
             to("anothernumber")
         end
       end
-
-      context "when the user cannot administer the order" do
-        it "does not associate users" do
-          expect(order).to_not receive(:associate_user!)
-          subject
-        end
-
-        it "does not change forbidden attributes" do
-          expect{subject}.to_not change{order.reload.number}
-        end
-      end
     end
 
     it "cannot view all orders" do
@@ -352,16 +381,13 @@ module Spree
 
     # Regression test for #3404
     it "can specify additional parameters for a line item" do
-      expect(Order).to receive(:create!).and_return(order = Spree::Order.new)
-      allow(order).to receive(:associate_user!)
-      allow(order).to receive_message_chain(:contents, :add).and_return(line_item = double('LineItem'))
-      expect(line_item).to receive(:update_attributes!).with("special" => true)
+      expect_any_instance_of(Spree::LineItem).to receive(:special=).with("foo")
 
       allow(controller).to receive_messages(permitted_line_item_attributes: [:id, :variant_id, :quantity, :special])
       api_post :create, :order => {
         :line_items => {
           "0" => {
-            :variant_id => variant.to_param, :quantity => 5, :special => true
+            variant_id: variant.to_param, quantity: 5, special: "foo"
           }
         }
       }

data/spec/controllers/spree/api/payments_controller_spec.rb

@@ -43,6 +43,17 @@ module Spree
             expect(response.status).to eq(201)
             expect(json_response).to have_attributes(attributes)
           end
+
+          context "disallowed payment method" do
+            it "does not create a new payment" do
+              PaymentMethod.first.update!(display_on: "back_end")
+
+              expect {
+                api_post :create, payment: { payment_method_id: PaymentMethod.first.id, amount: 50 }
+              }.not_to change { Spree::Payment.count }
+              expect(response.status).to eq(404)
+            end
+          end
         end
 
         context "payment source is required" do

data/spec/spec_helper.rb

@@ -30,6 +30,7 @@ Dir[File.dirname(__FILE__) + "/support/**/*.rb"].each {|f| require f}
 
 require 'spree/testing_support/factories'
 require 'spree/testing_support/preferences'
+require 'spree/testing_support/authorization_helpers'
 
 require 'spree/api/testing_support/caching'
 require 'spree/api/testing_support/helpers'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_api
 version: !ruby/object:Gem::Version
-  version: 1.1.3
+  version: 1.1.4
 platform: ruby
 authors:
 - Solidus Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-23 00:00:00.000000000 Z
+date: 2017-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: solidus_core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.3
+        version: 1.1.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.3
+        version: 1.1.4
 - !ruby/object:Gem::Dependency
   name: rabl
   requirement: !ruby/object:Gem::Requirement
@@ -284,7 +284,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: REST API for the Solidus e-commerce framework.
@@ -339,4 +339,3 @@ test_files:
 - spec/test_views/spree/api/widgets/index.v1.rabl
 - spec/test_views/spree/api/widgets/new.v1.rabl
 - spec/test_views/spree/api/widgets/show.v1.rabl
-has_rdoc: