spree_api 1.2.0 → 1.2.2

data/spec/controllers/spree/api/v1/payments_controller_spec.rb

@@ -2,10 +2,11 @@ require 'spec_helper'
 
 module Spree
   describe Spree::Api::V1::PaymentsController do
+    render_views
     let!(:order) { create(:order) }
     let!(:payment) { create(:payment, :order => order) }
     let!(:attributes) { [:id, :source_type, :source_id, :amount,
-                         :payment_method_id, :response_code, :state, :avs_response, 
+                         :payment_method_id, :response_code, :state, :avs_response,
                          :created_at, :updated_at] }
 
     let(:resource_scoping) { { :order_id => order.to_param } }
@@ -21,7 +22,7 @@ module Spree
 
         it "can view the payments for their order" do
           api_get :index
-          json_response.first.should have_attributes(attributes)
+          json_response["payments"].first.should have_attributes(attributes)
         end
 
         it "can learn how to create a new payment" do
@@ -66,7 +67,29 @@ module Spree
       it "can view the payments on any order" do
         api_get :index
         response.status.should == 200
-        json_response.first.should have_attributes(attributes)
+        json_response["payments"].first.should have_attributes(attributes)
+      end
+
+      context "multiple payments" do
+        before { @payment = create(:payment, :order => order, :response_code => '99999') }
+
+        it "can view all payments on an order" do
+          api_get :index
+          json_response["count"].should == 2
+        end
+
+        it 'can control the page size through a parameter' do
+          api_get :index, :per_page => 1
+          json_response['count'].should == 1
+          json_response['current_page'].should == 1
+          json_response['pages'].should == 2
+        end
+
+        it 'can query the results through a paramter' do
+          api_get :index, :q => { :response_code_cont => '999' }
+          json_response['count'].should == 1
+          json_response['payments'].first['payment']['response_code'].should eq @payment.response_code
+        end
       end
 
       context "for a given payment" do
@@ -88,6 +111,24 @@ module Spree
           payment.state.should == "failed"
         end
 
+        it "can capture" do
+          api_put :capture, :id => payment.to_param
+          response.status.should == 200
+          payment.reload
+          payment.state.should == "completed"
+        end
+
+        it "returns a 422 status when purchasing fails" do
+          fake_response = stub(:success? => false, :to_s => "Insufficient funds")
+          Spree::Gateway::Bogus.any_instance.should_receive(:capture).and_return(fake_response)
+          api_put :capture, :id => payment.to_param
+          response.status.should == 422
+          json_response["error"].should == "There was a problem with the payment gateway: Insufficient funds"
+
+          payment.reload
+          payment.state.should == "pending"
+        end
+
         it "can purchase" do
           api_put :purchase, :id => payment.to_param
           response.status.should == 200

data/spec/controllers/spree/api/v1/product_properties_controller_spec.rb

@@ -0,0 +1,117 @@
+require 'spec_helper'
+require 'shared_examples/protect_product_actions'
+
+module Spree
+  describe Spree::Api::V1::ProductPropertiesController do
+    render_views
+
+    let!(:product) { create(:product) }
+    let!(:property_1) {product.product_properties.create(:property_name => "My Property 1", :value => "my value 1")}
+    let!(:property_2) {product.product_properties.create(:property_name => "My Property 2", :value => "my value 2")}
+
+    let(:attributes) { [:id, :product_id, :property_id, :value, :property_name] }
+    let(:resource_scoping) { { :product_id => product.to_param } }
+
+    before do
+      stub_authentication!
+    end
+
+    context "if product is deleted" do
+      before do
+        product.update_column(:deleted_at, Time.now)
+      end
+
+      it "can not see a list of product properties" do
+        api_get :index
+        response.status.should == 404
+      end
+    end
+
+    it "can see a list of all product properties" do
+      api_get :index
+      json_response["product_properties"].count.should eq 2
+      json_response["product_properties"].first.should have_attributes(attributes)
+    end
+
+    it "can control the page size through a parameter" do
+      api_get :index, :per_page => 1
+      json_response['product_properties'].count.should == 1
+      json_response['current_page'].should == 1
+      json_response['pages'].should == 2
+    end
+
+    it 'can query the results through a paramter' do
+      Spree::ProductProperty.last.update_attribute(:value, 'loose')
+      property = Spree::ProductProperty.last
+      api_get :index, :q => { :value_cont => 'loose' }
+      json_response['count'].should == 1
+      json_response['product_properties'].first['product_property']['value'].should eq property.value
+    end
+
+    it "can see a single product_property" do
+      api_get :show, :id => property_1.property_name
+      json_response.should have_attributes(attributes)
+    end
+
+    it "can learn how to create a new product property" do
+      api_get :new
+      json_response["attributes"].should == attributes.map(&:to_s)
+      json_response["required_attributes"].should be_empty
+    end
+
+    it "cannot create a new product property if not an admin" do
+      api_post :create, :product_property => { :property_name => "My Property 3" }
+      assert_unauthorized!
+    end
+
+    it "cannot update a product property" do
+      api_put :update, :id => property_1.property_name, :product_property => { :value => "my value 456" }
+      assert_unauthorized!
+    end
+
+    it "cannot delete a product property" do
+      api_delete :destroy, :property_name => property_1.property_name
+      assert_unauthorized!
+      lambda { property_1.reload }.should_not raise_error
+    end
+
+    context "as an admin" do
+      sign_in_as_admin!
+
+      it "can create a new product property" do
+        expect do
+          api_post :create, :product_property => { :property_name => "My Property 3", :value => "my value 3" }
+        end.to change(product.product_properties, :count).by(1)
+        json_response.should have_attributes(attributes)
+        response.status.should == 201
+      end
+
+      it "can update a product property" do
+        api_put :update, :id => property_1.property_name, :product_property => { :value => "my value 456" }
+        response.status.should == 200
+      end
+
+      it "can delete a variant" do
+        api_delete :destroy, :id => property_1.property_name
+        response.status.should == 204
+        lambda { property_1.reload }.should raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+
+    context "with product identified by id" do
+      let(:resource_scoping) { { :product_id => product.id } }
+      it "can see a list of all product properties" do
+        api_get :index
+        json_response["product_properties"].count.should eq 2
+        json_response["product_properties"].first.should have_attributes(attributes)
+      end
+
+      it "can see a single product_property by id" do
+        api_get :show, :id => property_1.id
+        json_response.count.should eq 1
+        json_response.should have_attributes(attributes)
+      end
+    end
+
+  end
+end

data/spec/controllers/spree/api/v1/products_controller_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'shared_examples/protect_product_actions'
 
 module Spree
   describe Spree::Api::V1::ProductsController do
@@ -33,15 +34,24 @@ module Spree
           second_product = create(:product)
           api_get :index, :page => 2
           json_response["products"].first.should have_attributes(attributes)
-          json_response["count"].should == 2
+          json_response["total_count"].should == 2
           json_response["current_page"].should == 2
           json_response["pages"].should == 2
         end
+
+        it 'can control the page size through a parameter' do
+          create(:product)
+          api_get :index, :per_page => 1
+          json_response['count'].should == 1
+          json_response['total_count'].should == 2
+          json_response['current_page'].should == 1
+          json_response['pages'].should == 2
+        end
       end
 
       it "can search for products" do
         create(:product, :name => "The best product in the world")
-        api_get :search, :q => { :name_cont => "best" }
+        api_get :index, :q => { :name_cont => "best" }
         json_response["products"].first.should have_attributes(attributes)
         json_response["count"].should == 1
       end
@@ -105,20 +115,7 @@ module Spree
         required_attributes.should include("price")
       end
 
-      it "cannot create a new product if not an admin" do
-        api_post :create, :product => { :name => "Brand new product!" }
-        assert_unauthorized!
-      end
-
-      it "cannot update a product" do
-        api_put :update, :id => product.to_param, :product => { :name => "I hacked your store!" }
-        assert_unauthorized!
-      end
-
-      it "cannot delete a product" do
-        api_delete :destroy, :id => product.to_param
-        assert_unauthorized!
-      end
+      it_behaves_like "modifying product actions are restricted"
     end
 
     context "as an admin" do
@@ -156,6 +153,25 @@ module Spree
         response.status.should == 201
       end
 
+      # Regression test for #2140
+      context "with authentication_required set to false" do
+        before do
+          Spree::Api::Config.requires_authentication = false
+        end
+
+        after do
+          Spree::Api::Config.requires_authentication = true
+        end
+
+        it "can still create a product" do
+          api_post :create, :product => { :name => "The Other Product",
+                                          :price => 19.99 },
+                            :token => "fake"
+          json_response.should have_attributes(attributes)
+          response.status.should == 201
+        end
+      end
+
       it "cannot create a new product with invalid attributes" do
         api_post :create, :product => {}
         response.status.should == 422
@@ -180,7 +196,7 @@ module Spree
       it "can delete a product" do
         product.deleted_at.should be_nil
         api_delete :destroy, :id => product.to_param
-        response.status.should == 200
+        response.status.should == 204
         product.reload.deleted_at.should_not be_nil
       end
     end

data/spec/controllers/spree/api/v1/return_authorizations_controller_spec.rb

@@ -0,0 +1,155 @@
+require 'spec_helper'
+
+module Spree
+  describe Api::V1::ReturnAuthorizationsController do
+    render_views
+
+    let!(:order) do
+     order = create(:order)
+     order.line_items << create(:line_item)
+     order.shipments << create(:shipment, :state => 'shipped')
+     order.finalize!
+     order.shipments.each(&:ready!)
+     order.shipments.each(&:ship!)
+     order
+    end
+
+    let(:product) { create(:product) }
+    let(:attributes) { [:id, :reason, :amount, :state] }
+    let(:resource_scoping) { { :order_id => order.to_param } }
+
+    before do
+      stub_authentication!
+    end
+
+    context "as the order owner" do
+      before do
+        Order.any_instance.stub :user => current_api_user
+      end
+
+      it "cannot see any return authorizations" do
+        api_get :index
+        assert_unauthorized!
+      end
+
+      it "cannot see a single return authorization" do
+        api_get :show, :id => 1
+        assert_unauthorized!
+      end
+
+      it "cannot learn how to create a new return authorization" do
+        api_get :new
+        assert_unauthorized!
+      end
+
+      it "cannot create a new return authorization" do
+        api_post :create
+        assert_unauthorized!
+      end
+
+      it "cannot update a return authorization" do
+        api_put :update
+        assert_unauthorized!
+      end
+
+      it "cannot delete a return authorization" do
+        api_delete :destroy
+        assert_unauthorized!
+      end
+    end
+
+    context "as an admin" do
+      sign_in_as_admin!
+
+      it "can show return authorization" do
+        order.return_authorizations << create(:return_authorization)
+        return_authorization = order.return_authorizations.first
+        api_get :show, :order_id => order.id, :id => return_authorization.id
+        response.status.should == 200
+        json_response.should have_attributes(attributes)
+        json_response["return_authorization"]["state"].should_not be_blank
+      end
+
+      it "can get a list of return authorizations" do
+        order.return_authorizations << create(:return_authorization)
+        order.return_authorizations << create(:return_authorization)
+        api_get :index, { :order_id => order.id }
+        response.status.should == 200
+        return_authorizations = json_response["return_authorizations"]
+        return_authorizations.first.should have_attributes(attributes)
+        return_authorizations.first.should_not == return_authorizations.last
+      end
+
+      it 'can control the page size through a parameter' do
+        order.return_authorizations << create(:return_authorization)
+        order.return_authorizations << create(:return_authorization)
+        api_get :index, :order_id => order.id, :per_page => 1
+        json_response['count'].should == 1
+        json_response['current_page'].should == 1
+        json_response['pages'].should == 2
+      end
+
+      it 'can query the results through a paramter' do
+        order.return_authorizations << create(:return_authorization)
+        expected_result = create(:return_authorization, :reason => 'damaged')
+        order.return_authorizations << expected_result
+        api_get :index, :q => { :reason_cont => 'damage' }
+        json_response['count'].should == 1
+        json_response['return_authorizations'].first['return_authorization']['reason'].should eq expected_result.reason
+      end
+
+      it "can learn how to create a new return authorization" do
+        api_get :new
+        json_response["attributes"].should == ["id", "number", "state", "amount", "order_id", "reason", "created_at", "updated_at"]
+        required_attributes = json_response["required_attributes"]
+        required_attributes.should include("order")
+      end
+
+      it "can update a return authorization on the order" do
+        order.return_authorizations << create(:return_authorization)
+        return_authorization = order.return_authorizations.first
+        api_put :update, :id => return_authorization.id, :return_authorization => { :amount => 19.99 }
+        response.status.should == 200
+        json_response.should have_attributes(attributes)
+      end
+
+      it "can delete a return authorization on the order" do
+        order.return_authorizations << create(:return_authorization)
+        return_authorization = order.return_authorizations.first
+        api_delete :destroy, :id => return_authorization.id
+        response.status.should == 204
+        lambda { return_authorization.reload }.should raise_error(ActiveRecord::RecordNotFound)
+      end
+
+      it "can add a new return authorization to an existing order" do
+        api_post :create, :return_autorization => { :order_id => order.id, :amount => 14.22, :reason => "Defective" }
+        response.status.should == 201
+        json_response.should have_attributes(attributes)
+        json_response["return_authorization"]["state"].should_not be_blank
+      end
+    end
+
+    context "as just another user" do
+      it "cannot add a return authorization to the order" do
+        api_post :create, :return_autorization => { :order_id => order.id, :amount => 14.22, :reason => "Defective" }
+        assert_unauthorized!
+      end
+
+      it "cannot update a return authorization on the order" do
+        order.return_authorizations << create(:return_authorization)
+        return_authorization = order.return_authorizations.first
+        api_put :update, :id => return_authorization.id, :return_authorization => { :amount => 19.99 }
+        assert_unauthorized!
+        return_authorization.reload.amount.should_not == 19.99
+      end
+
+      it "cannot delete a return authorization on the order" do
+        order.return_authorizations << create(:return_authorization)
+        return_authorization = order.return_authorizations.first
+        api_delete :destroy, :id => return_authorization.id
+        assert_unauthorized!
+        lambda { return_authorization.reload }.should_not raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+  end
+end

data/spec/controllers/spree/api/v1/shipments_controller_spec.rb

@@ -1,16 +1,31 @@
 require 'spec_helper'
 
 describe Spree::Api::V1::ShipmentsController do
+  render_views
   let!(:shipment) { create(:shipment) }
   let!(:attributes) { [:id, :tracking, :number, :cost, :shipped_at] }
 
   before do
-    Spree::Order.any_instance.stub(:paid? => true)
+    Spree::Order.any_instance.stub(:paid? => true, :complete? => true)
     stub_authentication!
   end
 
-  context "working with a shipment" do
-    let!(:resource_scoping) { { :order_id => shipment.order.to_param, :id => shipment.to_param } }
+  let!(:resource_scoping) { { :order_id => shipment.order.to_param, :id => shipment.to_param } }
+
+  context "as a non-admin" do
+    it "cannot make a shipment ready" do
+      api_put :ready
+      assert_unauthorized!
+    end
+
+    it "cannot make a shipment shipped" do
+      api_put :ship
+      assert_unauthorized!
+    end
+  end
+
+  context "as an admin" do
+    sign_in_as_admin!
 
     it "can make a shipment ready" do
       api_put :ready