spree_api 2.0.13 → 2.1.0

Files changed (81) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +99 -1
  3. data/app/controllers/spree/api/addresses_controller.rb +5 -2
  4. data/app/controllers/spree/api/base_controller.rb +14 -21
  5. data/app/controllers/spree/api/checkouts_controller.rb +30 -27
  6. data/app/controllers/spree/api/config_controller.rb +6 -0
  7. data/app/controllers/spree/api/countries_controller.rb +7 -7
  8. data/app/controllers/spree/api/images_controller.rb +10 -8
  9. data/app/controllers/spree/api/inventory_units_controller.rb +7 -4
  10. data/app/controllers/spree/api/line_items_controller.rb +14 -14
  11. data/app/controllers/spree/api/option_types_controller.rb +14 -11
  12. data/app/controllers/spree/api/option_values_controller.rb +13 -11
  13. data/app/controllers/spree/api/orders_controller.rb +56 -53
  14. data/app/controllers/spree/api/payments_controller.rb +25 -33
  15. data/app/controllers/spree/api/product_properties_controller.rb +20 -13
  16. data/app/controllers/spree/api/products_controller.rb +11 -58
  17. data/app/controllers/spree/api/properties_controller.rb +19 -16
  18. data/app/controllers/spree/api/return_authorizations_controller.rb +30 -25
  19. data/app/controllers/spree/api/shipments_controller.rb +24 -19
  20. data/app/controllers/spree/api/states_controller.rb +9 -7
  21. data/app/controllers/spree/api/stock_items_controller.rb +9 -11
  22. data/app/controllers/spree/api/stock_locations_controller.rb +9 -7
  23. data/app/controllers/spree/api/stock_movements_controller.rb +7 -5
  24. data/app/controllers/spree/api/taxonomies_controller.rb +14 -8
  25. data/app/controllers/spree/api/taxons_controller.rb +25 -20
  26. data/app/controllers/spree/api/users_controller.rb +7 -5
  27. data/app/controllers/spree/api/variants_controller.rb +35 -33
  28. data/app/controllers/spree/api/zones_controller.rb +18 -17
  29. data/app/helpers/spree/api/api_helpers.rb +7 -6
  30. data/app/models/spree/option_value_decorator.rb +0 -4
  31. data/app/models/spree/order_decorator.rb +33 -54
  32. data/app/views/spree/api/adjustments/show.v1.rabl +2 -1
  33. data/app/views/spree/api/config/money.v1.rabl +6 -0
  34. data/app/views/spree/api/config/show.v1.rabl +2 -0
  35. data/app/views/spree/api/images/show.v1.rabl +0 -1
  36. data/app/views/spree/api/line_items/show.v1.rabl +3 -0
  37. data/app/views/spree/api/orders/index.v1.rabl +1 -1
  38. data/app/views/spree/api/orders/order.v1.rabl +6 -0
  39. data/app/views/spree/api/orders/payment.v1.rabl +1 -1
  40. data/app/views/spree/api/orders/show.v1.rabl +1 -1
  41. data/app/views/spree/api/payments/credit_over_limit.v1.rabl +1 -1
  42. data/app/views/spree/api/payments/new.v1.rabl +1 -0
  43. data/app/views/spree/api/products/index.v1.rabl +2 -2
  44. data/app/views/spree/api/products/show.v1.rabl +1 -0
  45. data/app/views/spree/api/shipments/show.v1.rabl +22 -5
  46. data/app/views/spree/api/shipping_rates/show.v1.rabl +2 -0
  47. data/app/views/spree/api/taxons/index.v1.rabl +2 -4
  48. data/app/views/spree/api/variants/index.v1.rabl +1 -1
  49. data/config/locales/en.yml +1 -3
  50. data/config/routes.rb +4 -1
  51. data/lib/spree/api/responders/rabl_template.rb +1 -1
  52. data/lib/spree/api/testing_support/helpers.rb +5 -0
  53. data/spec/controllers/spree/api/addresses_controller_spec.rb +2 -2
  54. data/spec/controllers/spree/api/checkouts_controller_spec.rb +32 -22
  55. data/spec/controllers/spree/api/config_controller_spec.rb +27 -0
  56. data/spec/controllers/spree/api/images_controller_spec.rb +2 -2
  57. data/spec/controllers/spree/api/inventory_units_controller_spec.rb +28 -24
  58. data/spec/controllers/spree/api/line_items_controller_spec.rb +25 -27
  59. data/spec/controllers/spree/api/option_types_controller_spec.rb +2 -2
  60. data/spec/controllers/spree/api/option_values_controller_spec.rb +2 -2
  61. data/spec/controllers/spree/api/orders_controller_spec.rb +130 -119
  62. data/spec/controllers/spree/api/payments_controller_spec.rb +77 -118
  63. data/spec/controllers/spree/api/products_controller_spec.rb +13 -143
  64. data/spec/controllers/spree/api/return_authorizations_controller_spec.rb +4 -19
  65. data/spec/controllers/spree/api/shipments_controller_spec.rb +3 -3
  66. data/spec/controllers/spree/api/states_controller_spec.rb +1 -1
  67. data/spec/controllers/spree/api/stock_items_controller_spec.rb +26 -62
  68. data/spec/controllers/spree/api/stock_locations_controller_spec.rb +29 -56
  69. data/spec/controllers/spree/api/stock_movements_controller_spec.rb +27 -51
  70. data/spec/controllers/spree/api/taxons_controller_spec.rb +18 -48
  71. data/spec/controllers/spree/api/users_controller_spec.rb +4 -6
  72. data/spec/controllers/spree/api/variants_controller_spec.rb +21 -38
  73. data/spec/controllers/spree/api/zones_controller_spec.rb +2 -2
  74. data/spec/models/spree/order_spec.rb +19 -111
  75. data/spec/spec_helper.rb +2 -26
  76. data/spec/support/controller_hacks.rb +1 -1
  77. data/spree_api.gemspec +1 -1
  78. metadata +19 -15
  79. data/app/models/spree/line_item_decorator.rb +0 -3
  80. data/app/views/spree/api/payments/update_forbidden.v1.rabl +0 -2
  81. data/db/migrate/20131017162334_add_index_to_user_spree_api_key.rb +0 -7
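--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 11ec9a4be38940cdcb37e0da4e53310737055e65
-data.tar.gz: fc44b0f7133cae83461d2592675ff23ce342a8e2
+metadata.gz: dfb4c3dcac67a8017157cb9f0bab935ffd2ed231
+data.tar.gz: 5ea1ffe4ce5e5e26634854678c681e3393fb6452
 SHA512:
-metadata.gz: bdd6f52a13b1e509580a31f4b2fbc19516b444663f14ea7f3de3928982fe43f72469d4ed439aa05c6ebb09867f881cf684b543085fa26f0917d6d4f6d609028c
-data.tar.gz: c573fc40381016d1e8c35a5903fafd1655d0c7b7f1162c2e1e17e16c8a1ebf957b93b4f7f043aebf3844a53a2aacbd7f21d73935c2cca715f1733d1a54081098
+metadata.gz: 9fdf42407d740136db1e10849a1ce905875610b11edfc1d09b87b485512ce8a45614f6cf9d56a2d92ba3683ca89b825532143f1d63b78930a60b43f20d932939
+data.tar.gz: c3c79a95eb9d04abe381054af8b9d415ee3956ede11355b972cf0d1cfccfd1976be11da23a7dae687f71102f19efe8c087fe7c58f354d56e5ab93a97dc6863ab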
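--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1 +1,99 @@
-## Spree 2.0.10 (unreleased) ##
+## Spree 2.1.0 ##
+
+* The Products API endpoint now returns an additional key called `shipping_category_id`, and also requires `shipping_category_id` on create.
+
+*Jeff Dutil*
+
+* The Products API endpoint now returns an additional key called `display_price`, which is the proper rendering of the price of a product.
+
+*Ryan Bigg*
+
+* The Images API's `attachment_url` key has been removed in favour of keys that reflect the current image styles available in the application, such as `mini_url` and `product_url`. Use these now to references images.
+
+*Ryan Bigg*
+
+* Fix issue where calling OrdersController#update with line item parameters would *always* create new line items, rather than updating existing ones.
+
+*Ryan Bigg*
+
+* The Orders API endpoint now returns an additional key called `display_item_total`, which is the proper rendering of the total line item price of an order.
+
+*Ryan Bigg*
+
+* Include a `per_page` key in Products API end response so that libraries like jQuery.simplePagination can use this to display a pagination element on the page.
+
+*Ryan Bigg*
+
+* Line item responses now contain `single_display_amount` and `display_amount` for "pretty" versions of the single and total amount for a line item, as well as a `total` node which is an "ugly" version of the total amount of a line item.
+
+*Ryan Bigg*
+
+* /api/orders endpoints now accept a `?order_token` parameter which should be the order's token. This can be used to authorize actions on an order without having to pass in an API key.
+
+*Ryan Bigg*
+
+* Requests to POST /api/line_items will now update existing line items. For example if you have a line item with a variant ID=2 and quantity=10 and you attempt to create a new line item for the same variant with a quantity of 5, the existing line item's quantity will be updated to 15. Previously, a new line item would erroneously be created.
+
+*Ryan Bigg*
+
+* /api/countries now will a 304 response if no country has been changed since the last request.
+
+*Ryan Bigg*
+
+* The Shipments API no longer returns inventory units. Instead, it will return manifest objects. This is necessary due to the split shipments changes brought in by Spree 2.
+
+*Ryan Bigg*
+
+* Checkouts API's update action will now correctly process line item attributes (either `line_items` or `line_item_attributes`)
+
+*Ryan Bigg*
+
+* The structure of shipments data in the API has changed. Shipments can now have many shipping methods, shipping rates (which in turn have many zones and shipping categories), as well as a new key called "manifest" which returns the list of items contained within just this shipment for the order.
+
+*Ryan Bigg*
+
+* Address responses now contain a `full_name` attribute.
+
+*Ryan Bigg*
+
+* Shipments responses now contain a `selected_shipping_rate` key, so that you don't have to sort through the list of `shipping_rates` to get the selected one.
+
+*Ryan Bigg*
+
+* Checkouts API now correctly processes incoming payment data during the payment step.
+
+*Ryan Bigg*
+
+* Fix issue where `set_current_order` before filter would be called when CheckoutsController actions were run, causing the order object to be deleted. #3306
+
+*Ryan Bigg*
+
+* An order can no longer transition past the "cart" state without first having a line item. #3312
+
+*Ryan Bigg*
+
+* Attributes other than "quantity" and "variant_id" will be added to a line item when creating along with an order. #3404
+
+*Alex Marles & Ryan Bigg*
+
+* Requests to POST /api/line_items will now update existing line items. For example if you have a line item with a variant ID=2 and quantity=10 and you attempt to create a new line item for the same variant with a quantity of 5, the existing line item's quantity will be updated to 15. Previously, a new line item would erroneously be created.
+
+* Ryan Bigg
+
+* Checkouts API's update action will now correctly process line item attributes (either `line_items` or `line_item_attributes`)
+
+* Ryan Bigg
+
+* Taxon attributes from `/api/taxons` are now returned within `taxons` subkey. Before:
+
+```json
+[{ name: 'Ruby' ... }]
+```
+
+Now:
+
+```json
+{ taxons: [{ name: 'Ruby' }]}
+```
+
+* Ryan Bigg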
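--- a/data/app/controllers/spree/api/addresses_controller.rb
+++ b/data/app/controllers/spree/api/addresses_controller.rb
@@ -13,7 +13,7 @@ module Spree
 authorize! :update, @order, params[:order_token]
 find_address
 
-if @address.update_attributes(params[:address])
+if @address.update_attributes(address_params)
 respond_with(@address, :default_template => :show)
 else
 invalid_resource!(@address)
@@ -21,9 +21,12 @@ module Spree
 end
 
 private
+def address_params
+params.require(:address).permit(permitted_address_attributes)
+end
 
 def find_order
-@order = Spree::Order.find_by_number!(params[:order_id])
+@order = Spree::Order.find_by!(number: params[:order_id])
 end
 
 def find_address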
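--- a/data/app/controllers/spree/api/base_controller.rb
+++ b/data/app/controllers/spree/api/base_controller.rb
@@ -3,11 +3,12 @@ require_dependency 'spree/api/controller_setup'
 module Spree
 module Api
 class BaseController < ActionController::Metal
+include ActionController::StrongParameters
 include Spree::Api::ControllerSetup
 include Spree::Core::ControllerHelpers::SSL
+include Spree::Core::ControllerHelpers::StrongParameters
 include ::ActionController::Head
-include ::ActionController::Redirecting
-include Spree::Core::Engine.routes.url_helpers
+include ::ActionController::ConditionalGet
 
 self.responder = Spree::Api::Responders::AppResponder
 
@@ -17,7 +18,6 @@ module Spree
 
 before_filter :set_content_type
 before_filter :check_for_user_or_api_key, :if => :requires_authentication?
-before_filter :authorize_for_order, :if => Proc.new { order_token.present? }
 before_filter :authenticate_user
 after_filter :set_jsonp_format
 
@@ -31,7 +31,7 @@ module Spree
 
 def set_jsonp_format
 if params[:callback] && request.get?
-self.response_body = "#{params[:callback]}(#{response.body})"
+self.response_body = "#{params[:callback]}(#{self.response_body})"
 headers["Content-Type"] = 'application/javascript'
 end
 end
@@ -61,14 +61,14 @@ module Spree
 # User is already authenticated with Spree, make request this way instead.
 return true if @current_api_user = try_spree_current_user || !Spree::Api::Config[:requires_authentication]
 
-if api_key.blank? && order_token.blank?
+if api_key.blank?
 render "spree/api/errors/must_specify_api_key", :status => 401 and return
 end
 end
 
 def authenticate_user
 unless @current_api_user
-if order_token.blank? && (requires_authentication? || api_key.present?)
+if requires_authentication? || api_key.present?
 unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key.to_s)
 render "spree/api/errors/invalid_api_key", :status => 401 and return
 end
@@ -84,6 +84,9 @@ module Spree
 end
 
 def error_during_processing(exception)
+Rails.logger.error exception.message
+Rails.logger.error exception.backtrace.join("\n")
+
 render :text => { :exception => exception.message }.to_json,
 :status => 422 and return
 end
@@ -106,14 +109,10 @@ module Spree
 end
 
 def api_key
-request.headers["X-Spree-Token"] || params[:token]
+request.headers.env["X-Spree-Token"] || params[:token]
 end
 helper_method :api_key
 
-def order_token
-request.headers["X-Spree-Order-Token"] || params[:order_token]
-end
-
 def find_product(id)
 begin
 product_scope.find_by_permalink!(id.to_s)
@@ -124,23 +123,17 @@ module Spree
 
 def product_scope
 if current_api_user.has_spree_role?("admin")
-scope = Product
-if params[:show_deleted]
-scope = scope.with_deleted
+scope = Product.with_deleted.accessible_by(current_ability, :read)
+unless params[:show_deleted]
+scope = scope.not_deleted
 end
 else
-scope = Product.active
+scope = Product.accessible_by(current_ability, :read).active
 end
 
 scope.includes(:master)
 end
 
-def authorize_for_order
-@order = Spree::Order.find_by_number(params[:order_id] || params[:id])
-unless @order.token == order_token
-unauthorized
-end
-end
 end
 end
 end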
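Review bot: `api_key` (hunk at old lines 109-112) now reads `request.headers.env["X-Spree-Token"]`, which is the raw Rack env hash, where a client-sent `X-Spree-Token` header is stored under `HTTP_X_SPREE_TOKEN`; only `request.headers["X-Spree-Token"]` performs that translation. Unless something outside this diff (a test helper, say) stuffs the literal key into `env`, real clients' header tokens are silently ignored and every caller must fall back to `params[:token]`, which puts the API key into query strings, server and proxy logs and Referer headers. Restore `request.headers["X-Spree-Token"] || params[:token]` (or, if the env form is wanted, `request.headers.env["HTTP_X_SPREE_TOKEN"]`). Separately, `set_jsonp_format` still interpolates `params[:callback]` unvalidated into an `application/javascript` body; a guard such as `return unless params[:callback] =~ /\A[\w.$]+\z/` before wrapping, plus a leading `/**/`, would close the callback-injection vector this commit leaves in place.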
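--- a/data/app/controllers/spree/api/checkouts_controller.rb
+++ b/data/app/controllers/spree/api/checkouts_controller.rb
@@ -1,6 +1,7 @@
 module Spree
 module Api
 class CheckoutsController < Spree::Api::BaseController
+before_filter :load_order, only: [:show, :update, :next, :advance]
 before_filter :associate_user, only: :update
 
 include Spree::Core::ControllerHelpers::Auth
@@ -8,15 +9,13 @@ module Spree
 # This before_filter comes from Spree::Core::ControllerHelpers::Order
 skip_before_filter :set_current_order
 
-respond_to :json
-
 def create
+authorize! :create, Order
 @order = Order.build_from_api(current_api_user, nested_params)
 respond_with(@order, default_template: 'spree/api/orders/show', status: 201)
 end
 
 def next
-load_order(true)
 authorize! :update, @order, params[:order_token]
 @order.next!
 respond_with(@order, default_template: 'spree/api/orders/show', status: 200)
@@ -25,30 +24,27 @@ module Spree
 end
 
 def advance
-load_order(true)
 authorize! :update, @order, params[:order_token]
 while @order.next; end
 respond_with(@order, default_template: 'spree/api/orders/show', status: 200)
 end
 
 def show
-redirect_to(api_order_path(params[:id]), status: 301)
+respond_with(@order, default_template: 'spree/api/orders/show', status: 200)
 end
 
 def update
-load_order(true)
 authorize! :update, @order, params[:order_token]
 order_params = object_params
-user_id = order_params.delete(:user_id)
-line_items = order_params.delete("line_items_attributes")
-if @order.update_attributes(order_params)
+line_items = order_params.delete('line_items_attributes')
+if @order.update_attributes(object_params)
 @order.update_line_items(line_items)
-if current_api_user.has_spree_role?("admin") && user_id.present?
+if current_api_user.has_spree_role?('admin') && user_id.present?
 @order.associate_user!(Spree.user_class.find(user_id))
 end
 return if after_update_attributes
 state_callback(:after) if @order.next
-respond_with(@order, :default_template => 'spree/api/orders/show')
+respond_with(@order, default_template: 'spree/api/orders/show')
 else
 invalid_resource!(@order)
 end
@@ -60,15 +56,27 @@ module Spree
 # For payment step, filter order parameters to produce the expected nested attributes for a single payment and its source, discarding attributes for payment methods other than the one selected
 # respond_to check is necessary due to issue described in #2910
 object_params = nested_params
-if @order.has_checkout_step?("payment") && @order.payment?
-if object_params[:payment_source].present? && source_params = object_params.delete(:payment_source)[object_params[:payments_attributes].first[:payment_method_id].underscore]
+if @order.has_checkout_step?('payment') && @order.payment?
+if object_params[:payments_attributes].is_a?(Hash)
+object_params[:payments_attributes] = [object_params[:payments_attributes]]
+end
+if object_params[:payment_source].present? && source_params = object_params.delete(:payment_source)[object_params[:payments_attributes].first[:payment_method_id]]
 object_params[:payments_attributes].first[:source_attributes] = source_params
 end
-if object_params.present? && object_params[:payments_attributes]
-object_params[:payments_attributes].first[:amount] = @order.total
+if object_params[:payments_attributes]
+object_params[:payments_attributes].first[:amount] = @order.total.to_s
 end
 end
-object_params
+
+if params[:order]
+params.require(:order).permit(permitted_checkout_attributes)
+else
+{}
+end
+end
+
+def user_id
+params[:order][:user_id] if params[:order]
 end
 
 def nested_params
@@ -81,8 +89,8 @@ module Spree
 false
 end
 
-def load_order(lock = false)
-@order = Spree::Order.lock(lock).find_by_number!(params[:id])
+def load_order
+@order = Spree::Order.find_by!(number: params[:id])
 raise_insufficient_quantity and return if @order.insufficient_stock_lines.present?
 @order.state = params[:state] if params[:state]
 state_callback(:before)
@@ -97,7 +105,7 @@ module Spree
 end
 
 def raise_insufficient_quantity
-respond_with(@order, :default_template => 'spree/api/orders/insufficient_quantity')
+respond_with(@order, default_template: 'spree/api/orders/insufficient_quantity')
 end
 
 def state_callback(before_or_after = :before)
@@ -105,20 +113,15 @@ module Spree
 send(method_name) if respond_to?(method_name, true)
 end
 
-def before_address
-@order.bill_address ||= Address.default
-@order.ship_address ||= Address.default
-end
-
 def before_payment
 @order.payments.destroy_all if request.put?
 end
 
 def next!(options={})
 if @order.valid? && @order.next
-render 'spree/api/orders/show', :status => options[:status] || 200
+render 'spree/api/orders/show', status: options[:status] || 200
 else
-render 'spree/api/orders/could_not_transition', :status => 422
+render 'spree/api/orders/could_not_transition', status: 422
 end
 end
 
@@ -127,7 +130,7 @@ module Spree
 coupon_result = Spree::Promo::CouponApplicator.new(@order).apply
 if !coupon_result[:coupon_applied?]
 @coupon_message = coupon_result[:error]
-respond_with(@order, :default_template => 'spree/api/orders/could_not_apply_coupon')
+respond_with(@order, default_template: 'spree/api/orders/could_not_apply_coupon')
 return true
 end
 end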
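Review bot: `object_params` (hunk at new lines 56-82) spends its body rewriting a local copy — coercing `payments_attributes` to an array, moving the selected `payment_source` into `source_attributes`, and forcing `amount` to `@order.total.to_s` — and then returns `params.require(:order).permit(permitted_checkout_attributes)`, a fresh object built from `params`, so those rewrites only survive if `nested_params` returns `params[:order]` itself rather than a copy (its body is outside this diff). If it is a copy, the client-supplied payment amount and `payment_source` layout reach `update_attributes` untouched and the server-side amount override is defeated; the payment-step rewrites should be applied to the permitted hash that is actually returned. `update` also calls `object_params` twice, deleting `line_items_attributes` from the first result but handing the second, still-complete result to `update_attributes`, so line items are mass-assigned and then applied again by `update_line_items`; it should read `if @order.update_attributes(order_params)`. Note too that `load_order` dropped the `lock(true)` row lock that `next`, `advance` and `update` previously took, so concurrent checkout requests on one order now race through the state transitions and the payment-amount computation.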
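--- /dev/null
+++ b/data/app/controllers/spree/api/config_controller.rb
@@ -0,0 +1,6 @@
+module Spree
+module Api
+class ConfigController < Spree::Api::BaseController
+end
+end
+end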
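--- a/data/app/controllers/spree/api/countries_controller.rb
+++ b/data/app/controllers/spree/api/countries_controller.rb
@@ -1,19 +1,19 @@
 module Spree
 module Api
 class CountriesController < Spree::Api::BaseController
-skip_before_filter :check_for_user_or_api_key
-skip_before_filter :authenticate_user
 
 def index
-@countries = Country.ransack(params[:q]).result.
-includes(:states).order("#{Spree::Country.quoted_table_name}.name ASC").
+@countries = Country.accessible_by(current_ability, :read).ransack(params[:q]).result.
+includes(:states).order('name ASC').
 page(params[:page]).per(params[:per_page])
-
-respond_with(@countries)
+country = Country.order("updated_at ASC").last
+if stale?(country)
+respond_with(@countries)
+end
 end
 
 def show
-@country = Country.find(params[:id])
+@country = Country.accessible_by(current_ability, :read).find(params[:id])
 respond_with(@country)
 end
 end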
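Review bot: `stale?(country)` in `index` derives the ETag and Last-Modified from the most recently updated `Country` alone, but the body also depends on `params[:q]`, `params[:page]` and `params[:per_page]`, so a client revalidating with an `If-None-Match` obtained for one query gets a 304 for a different query and keeps the wrong list. Fold the request into the freshness key, e.g. `if stale?(etag: [country, params[:q], params[:page], params[:per_page]], last_modified: country.try(:updated_at))`. Removing the two `skip_before_filter` lines also means `/api/countries` now demands an API key whenever `requires_authentication` is on, a breaking change for storefront scripts that the changelog entry for this endpoint does not mention. The bare `order('name ASC')` lost the table qualifier the old code had; it is fine while `includes(:states)` preloads separately, but becomes ambiguous if a ransack predicate on `states` turns that into a JOIN.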
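--- a/data/app/controllers/spree/api/images_controller.rb
+++ b/data/app/controllers/spree/api/images_controller.rb
@@ -1,32 +1,34 @@
 module Spree
 module Api
 class ImagesController < Spree::Api::BaseController
-respond_to :json
 
 def show
-@image = Image.find(params[:id])
+@image = Image.accessible_by(current_ability, :read).find(params[:id])
 respond_with(@image)
 end
 
 def create
 authorize! :create, Image
-@image = Image.create(params[:image])
+@image = Image.create(image_params)
 respond_with(@image, :status => 201, :default_template => :show)
 end
 
 def update
-authorize! :update, Image
-@image = Image.find(params[:id])
-@image.update_attributes(params[:image])
+@image = Image.accessible_by(current_ability, :update).find(params[:id])
+@image.update_attributes(image_params)
 respond_with(@image, :default_template => :show)
 end
 
 def destroy
-authorize! :delete, Image
-@image = Image.find(params[:id])
+@image = Image.accessible_by(current_ability, :destroy).find(params[:id])
 @image.destroy
 respond_with(@image, :status => 204)
 end
+
+private
+def image_params
+params.require(:image).permit(permitted_image_attributes)
+end
 end
 end
 end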
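--- a/data/app/controllers/spree/api/inventory_units_controller.rb
+++ b/data/app/controllers/spree/api/inventory_units_controller.rb
@@ -8,10 +8,10 @@ module Spree
 end
 
 def update
-authorize! :update, Order
+authorize! :update, inventory_unit.order
 
 inventory_unit.transaction do
-if inventory_unit.update_attributes(params[:inventory_unit])
+if inventory_unit.update_attributes(inventory_unit_params)
 fire
 render :show, :status => 200
 else
@@ -23,7 +23,7 @@ module Spree
 private
 
 def inventory_unit
-@inventory_unit ||= InventoryUnit.find(params[:id])
+@inventory_unit ||= InventoryUnit.accessible_by(current_ability, :read).find(params[:id])
 end
 
 def prepare_event
@@ -42,7 +42,10 @@ module Spree
 def fire
 inventory_unit.send("#{@event}!") if @event
 end
-
+
+def inventory_unit_params
+params.require(:inventory_unit).permit(permitted_inventory_unit_attributes)
+end
 end
 end
 end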
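--- a/data/app/controllers/spree/api/line_items_controller.rb
+++ b/data/app/controllers/spree/api/line_items_controller.rb
@@ -1,42 +1,42 @@
 module Spree
 module Api
 class LineItemsController < Spree::Api::BaseController
-respond_to :json
 
 def create
-authorize! :update, order, order_token
-@line_item = order.line_items.build(params[:line_item], :as => :api)
+variant = Spree::Variant.find(params[:line_item][:variant_id])
+@line_item = order.contents.add(variant, params[:line_item][:quantity])
 if @line_item.save
-@order.ensure_updated_shipments
-respond_with(@line_item, :status => 201, :default_template => :show)
+respond_with(@line_item, status: 201, default_template: :show)
 else
 invalid_resource!(@line_item)
 end
 end
 
 def update
-authorize! :update, order, order_token
 @line_item = order.line_items.find(params[:id])
-if @line_item.update_attributes(params[:line_item], :as => :api)
-@order.ensure_updated_shipments
-respond_with(@line_item, :default_template => :show)
+if @line_item.update_attributes(line_item_params)
+respond_with(@line_item, default_template: :show)
 else
 invalid_resource!(@line_item)
 end
 end
 
 def destroy
-authorize! :update, order, order_token
 @line_item = order.line_items.find(params[:id])
 @line_item.destroy
-respond_with(@line_item, :status => 204)
+respond_with(@line_item, status: 204)
 end
 
 private
 
-def order
-@order ||= Order.find_by_number!(params[:order_id])
-end
+def order
+@order ||= Spree::Order.find_by!(number: params[:order_id])
+authorize! :update, @order, params[:order_token]
+end
+
+def line_item_params
+params.require(:line_item).permit(:quantity, :variant_id)
+end
 end
 end
 end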
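Review bot: the private `order` helper (new lines 32-35) now ends with `authorize! :update, @order, params[:order_token]`, so its value is whatever `authorize!` returns rather than `@order`; `create`, `update` and `destroy` only work because CanCan's `authorize!` happens to hand back its subject, which is a fragile thing to lean on — add an explicit `@order` as the method's last line. In `create`, `Spree::Variant.find(params[:line_item][:variant_id])` runs before `order` is touched, so the 404-versus-403 ordering lets an unauthorized caller confirm which variant ids exist; call `order` first. `create` also bypasses `line_item_params` and passes the raw `params[:line_item][:quantity]` string into `order.contents.add` with no check that it is a positive integer; if `OrderContents#add` does not reject zero or negative values (its body is outside this diff), this endpoint lets a client drive a line item's quantity down or negative, so consider `quantity = Integer(line_item_params[:quantity])` with a `quantity > 0` guard.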
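--- a/data/app/controllers/spree/api/option_types_controller.rb
+++ b/data/app/controllers/spree/api/option_types_controller.rb
@@ -3,21 +3,21 @@ module Spree
 class OptionTypesController < Spree::Api::BaseController
 def index
 if params[:ids]
-@option_types = Spree::OptionType.where(:id => params[:ids].split(','))
+@option_types = Spree::OptionType.accessible_by(current_ability, :read).where(:id => params[:ids].split(','))
 else
-@option_types = Spree::OptionType.scoped.ransack(params[:q]).result
+@option_types = Spree::OptionType.accessible_by(current_ability, :read).load.ransack(params[:q]).result
 end
 respond_with(@option_types)
 end
 
 def show
-@option_type = Spree::OptionType.find(params[:id])
-respond_with(@option_type)
+@option_type = Spree::OptionType.accessible_by(current_ability, :read).find(params[:id])
+respond_with(@option_type)
 end
 
 def create
-authorize! :create, Spree::OptionType
-@option_type = Spree::OptionType.new(params[:option_type])
+authorize! :create, Spree::OptionType
+@option_type = Spree::OptionType.new(option_type_params)
 if @option_type.save
 render :show, :status => 201
 else
@@ -26,9 +26,8 @@ module Spree
 end
 
 def update
-authorize! :update, Spree::OptionType
-@option_type = Spree::OptionType.find(params[:id])
-if @option_type.update_attributes(params[:option_type])
+@option_type = Spree::OptionType.accessible_by(current_ability, :update).find(params[:id])
+if @option_type.update_attributes(option_type_params)
 render :show
 else
 invalid_resource!(@option_type)
@@ -36,11 +35,15 @@ module Spree
 end
 
 def destroy
-authorize! :destroy, Spree::OptionType
-@option_type = Spree::OptionType.find(params[:id])
+@option_type = Spree::OptionType.accessible_by(current_ability, :destroy).find(params[:id])
 @option_type.destroy
 render :text => nil, :status => 204
 end
+
+private
+def option_type_params
+params.require(:option_type).permit(permitted_option_type_attributes)
+end
 end
 end
 end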
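Review bot: `.load` in `index` (new line 8) forces the whole `accessible_by` relation to be fetched from the database before `ransack(params[:q]).result` builds a new relation on top of it, so every unfiltered request loads every option type once and then discards those rows when the ransack relation runs its own query. The old `.scoped` was a lazy, empty relation; the Rails 4 equivalent is `.all`, so write `Spree::OptionType.accessible_by(current_ability, :read).ransack(params[:q]).result` (or `.all.ransack(...)`) and drop `.load`.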
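--- a/data/app/controllers/spree/api/option_values_controller.rb
+++ b/data/app/controllers/spree/api/option_values_controller.rb
@@ -11,13 +11,13 @@ module Spree
 end
 
 def show
-@option_value = scope.find(params[:id])
-respond_with(@option_value)
+@option_value = scope.find(params[:id])
+respond_with(@option_value)
 end
 
 def create
-authorize! :create, Spree::OptionValue
-@option_value = scope.new(params[:option_value])
+authorize! :create, Spree::OptionValue
+@option_value = scope.new(option_value_params)
 if @option_value.save
 render :show, :status => 201
 else
@@ -26,9 +26,8 @@ module Spree
 end
 
 def update
-authorize! :update, Spree::OptionValue
-@option_value = scope.find(params[:id])
-if @option_value.update_attributes(params[:option_value])
+@option_value = scope.accessible_by(current_ability, :update).find(params[:id])
+if @option_value.update_attributes(option_value_params)
 render :show
 else
 invalid_resource!(@option_value)
@@ -36,8 +35,7 @@ module Spree
 end
 
 def destroy
-authorize! :destroy, Spree::OptionValue
-@option_value = scope.find(params[:id])
+@option_value = scope.accessible_by(current_ability, :destroy).find(params[:id])
 @option_value.destroy
 render :text => nil, :status => 204
 end
@@ -46,11 +44,15 @@ module Spree
 
 def scope
 if params[:option_type_id]
-@scope ||= Spree::OptionType.find(params[:option_type_id]).option_values
+@scope ||= Spree::OptionType.find(params[:option_type_id]).option_values.accessible_by(current_ability, :read)
 else
-@scope ||= Spree::OptionValue.accessible_by(current_ability, :read).load
+@scope ||= Spree::OptionValue.accessible_by(current_ability, :read).load
 end
 end
+
+def option_value_params
+params.require(:option_value).permit(permitted_option_type_attributes)
+end
 end
 end
 end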
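Review bot: `option_value_params` (new lines 53-55) permits `permitted_option_type_attributes`, the same list `option_types_controller.rb` uses for option types, so the attributes a client may set on an option value are whatever that list happens to contain rather than an option-value list. Whether that lets through a field an option value should not accept, or rejects one it needs, depends on the two lists in `Spree::Core::ControllerHelpers::StrongParameters`, which are outside this diff, but the intent is clearly `params.require(:option_value).permit(permitted_option_value_attributes)`, assuming that helper defines it. The `else` branch of `scope` also ends in `.load`, which fetches every readable option value on each request before `find` or `new` runs; drop `.load` so the relation stays lazy.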