RubyGems - spree_api - Versions diffs - 2.0.13 → 2.1.0 - Mend

spree_api 2.0.13 → 2.1.0

Files changed (81) hide show

data/app/controllers/spree/api/orders_controller.rb CHANGED Viewed

@@ -1,91 +1,94 @@
 module Spree
   module Api
     class OrdersController < Spree::Api::BaseController
-      respond_to :json
-      before_filter :find_and_authorize!, :except => [:index, :search, :create]
+      # Dynamically defines our stores checkout steps to ensure we check authorization on each step.
+      Order.checkout_steps.keys.each do |step|
+        define_method step do
+          find_order
+          authorize! :update, @order, params[:token]
+        end
+      end
+      def cancel
+        find_order
+        authorize! :update, @order, params[:token]
+        @order.cancel!
+        render :show
+      end
+      def create
+        authorize! :create, Order
+        @order = Order.build_from_api(current_api_user, order_params)
+        respond_with(@order, default_template: :show, status: 201)
+      end
+      def empty
+        find_order
+        @order.empty!
+        @order.update!
+        render text: nil, status: 200
+      end
       def index
-        # should probably look at turning this into a CanCan step
-        raise CanCan::AccessDenied unless current_api_user.has_spree_role?("admin")
+        authorize! :index, Order
         @orders = Order.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@orders)
       end
       def show
+        find_order
+        method = "before_#{@order.state}"
+        send(method) if respond_to?(method, true)
         respond_with(@order)
       end
-      def create
-        nested_params[:line_items_attributes] = sanitize_line_items(nested_params[:line_items_attributes])
-        @order = Order.build_from_api(current_api_user, nested_params)
-        respond_with(@order, :default_template => :show, :status => 201)
-      end
       def update
+        find_order
         # Parsing line items through as an update_attributes call in the API will result in
         # many line items for the same variant_id being created. We must be smarter about this,
         # hence the use of the update_line_items method, defined within order_decorator.rb.
-        line_items_params = sanitize_line_items(nested_params.delete("line_items_attributes"))
-        if @order.update_attributes(nested_params)
-          @order.update_line_items(line_items_params)
+        order_params.delete("line_items_attributes")
+        if @order.update_attributes(order_params)
+          @order.update_line_items(params[:order][:line_items])
           @order.line_items.reload
           @order.update!
-          respond_with(@order, :default_template => :show)
+          respond_with(@order, default_template: :show)
         else
           invalid_resource!(@order)
         end
       end
-      def cancel
-        @order.cancel!
-        render :show
-      end
-      def empty
-        @order.empty!
-        @order.update!
-        render :text => nil, :status => 200
-      end
       private
-      def nested_params
-        @nested_params ||= map_nested_attributes_keys(Order, params[:order] || {})
-      end
-      def sanitize_line_items(line_item_attributes)
-        return {} if line_item_attributes.blank?
-        line_item_attributes = line_item_attributes.map do |id, attributes|
-          attributes ||= id
+        def order_params
+          if params[:order]
+            params[:order][:line_items_attributes] = params[:order][:line_items]
+            params[:order][:ship_address_attributes] = params[:order][:ship_address] if params[:order][:ship_address]
+            params[:order][:bill_address_attributes] = params[:order][:bill_address] if params[:order][:bill_address]
+            params.require(:order).permit(permitted_order_attributes)
+          else
+            {}
+          end
+        end
-          # Faux Strong-Parameters code to strip price if user isn't an admin
-          if current_api_user.has_spree_role?("admin")
-            [id, attributes.slice(*Spree::LineItem.attr_accessible[:api])]
+        def next!(options={})
+          if @order.valid? && @order.next
+            render :show, status: options[:status] || 200
           else
-            [id, attributes.slice(*Spree::LineItem.attr_accessible[:default])]
+            render :could_not_transition, status: 422
           end
         end
-        line_item_attributes = Hash[line_item_attributes].delete_if { |k,v| v.empty? }
-      end
-      def find_order(lock = false)
-        @order = Spree::Order.lock(lock).find_by_number!(params[:id])
-        authorize! :update, @order, params[:order_token]
-      end
+        def find_order
+          @order = Spree::Order.find_by!(number: params[:id])
+          authorize! :update, @order, params[:order_token]
+        end
-      def next!(options={})
-        if @order.valid? && @order.next
-          render :show, :status => options[:status] || 200
-        else
-          render :could_not_transition, :status => 422
+        def before_delivery
+          @order.create_proposed_shipments
         end
-      end
-      def find_and_authorize!
-        find_order(true)
-        authorize! :read, @order
-      end
     end
   end
 end

data/app/controllers/spree/api/payments_controller.rb CHANGED Viewed

@@ -1,10 +1,9 @@
 module Spree
   module Api
     class PaymentsController < Spree::Api::BaseController
-      respond_to :json
       before_filter :find_order
-      before_filter :find_payment, only: [:update, :show, :authorize, :purchase, :capture, :void, :credit]
+      before_filter :find_payment, only: [:show, :authorize, :purchase, :capture, :void, :credit]
       def index
         @payments = @order.payments.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
@@ -12,25 +11,14 @@ module Spree
       end
       def new
-        @payment_methods = Spree::PaymentMethod.where(:environment => Rails.env)
+        @payment_methods = Spree::PaymentMethod.where(environment: Rails.env)
         respond_with(@payment_method)
       end
       def create
-        @payment = @order.payments.build(params[:payment])
+        @payment = @order.payments.build(payment_params)
         if @payment.save
-          respond_with(@payment, :status => 201, :default_template => :show)
-        else
-          invalid_resource!(@payment)
-        end
-      end
-      def update
-        authorize! params[:action], @payment
-        if !@payment.pending?
-          render 'update_forbidden', status: 403
-        elsif @payment.update_attributes(params[:payment])
-          respond_with(@payment, default_template: :show)
+          respond_with(@payment, status: 201, default_template: :show)
         else
           invalid_resource!(@payment)
         end
@@ -58,7 +46,7 @@ module Spree
       def credit
         if params[:amount].to_f > @payment.credit_allowed
-          render 'credit_over_limit', status: 422
+          render 'spree/api/payments/credit_over_limit', status: 422
         else
           perform_payment_action(:credit, params[:amount])
         end
@@ -66,26 +54,30 @@ module Spree
       private
-      def find_order
-        @order = Order.find_by_number(params[:order_id])
-        authorize! :read, @order
-      end
+        def find_order
+          @order = Spree::Order.find_by(number: params[:order_id])
+          authorize! :read, @order
+        end
-      def find_payment
-        @payment = @order.payments.find(params[:id])
-      end
+        def find_payment
+          @payment = @order.payments.find(params[:id])
+        end
-      def perform_payment_action(action, *args)
-        authorize! action, Payment
+        def perform_payment_action(action, *args)
+          authorize! action, Payment
-        begin
-          @payment.send("#{action}!", *args)
-          respond_with(@payment, :default_template => :show)
-        rescue Spree::Core::GatewayError => e
-          @error = e.message
-          render "spree/api/errors/gateway_error", :status => 422
+          begin
+            @payment.send("#{action}!", *args)
+            respond_with(@payment, :default_template => :show)
+          rescue Spree::Core::GatewayError => e
+            @error = e.message
+            render 'spree/api/errors/gateway_error', status: 422
+          end
+        end
+        def payment_params
+          params.require(:payment).permit(permitted_payment_attributes)
         end
-      end
     end
   end
 end

data/app/controllers/spree/api/product_properties_controller.rb CHANGED Viewed

@@ -1,13 +1,12 @@
 module Spree
   module Api
     class ProductPropertiesController < Spree::Api::BaseController
-      respond_to :json
       before_filter :find_product
-      before_filter :product_property, :only => [:show, :update, :destroy]
+      before_filter :product_property, only: [:show, :update, :destroy]
       def index
-        @product_properties = @product.product_properties.
+        @product_properties = @product.product_properties.accessible_by(current_ability, :read).
                               ransack(params[:q]).result.
                               page(params[:page]).per(params[:per_page])
         respond_with(@product_properties)
@@ -22,44 +21,52 @@ module Spree
       def create
         authorize! :create, ProductProperty
-        @product_property = @product.product_properties.new(params[:product_property])
+        @product_property = @product.product_properties.new(product_property_params)
         if @product_property.save
-          respond_with(@product_property, :status => 201, :default_template => :show)
+          respond_with(@product_property, status: 201, default_template: :show)
         else
           invalid_resource!(@product_property)
         end
       end
       def update
-        authorize! :update, ProductProperty
-        if @product_property  && @product_property.update_attributes(params[:product_property])
-          respond_with(@product_property, :status => 200, :default_template => :show)
+        if @product_property
+          authorize! :update, @product_property
+          @product_property.update_attributes(product_property_params)
+          respond_with(@product_property, status: 200, default_template: :show)
         else
           invalid_resource!(@product_property)
         end
       end
       def destroy
-        authorize! :delete, ProductProperty
-        if(@product_property)
+        if @product_property
+          authorize! :destroy, @product_property
           @product_property.destroy
-          respond_with(@product_property, :status => 204)
+          respond_with(@product_property, status: 204)
         else
           invalid_resource!(@product_property)
         end
       end
       private
         def find_product
           @product = super(params[:product_id])
+          authorize! :read, @product
         end
         def product_property
           if @product
-            @product_property ||= @product.product_properties.find_by_id(params[:id])
-            @product_property ||= @product.product_properties.joins(:property).where('spree_properties.name' => params[:id]).readonly(false).first
+            @product_property ||= @product.product_properties.find_by(id: params[:id])
+            @product_property ||= @product.product_properties.includes(:property).where(spree_properties: { name: params[:id] }).first
+            authorize! :read, @product_property
           end
         end
+        def product_property_params
+          params.require(:product_property).permit(permitted_product_properties_attributes)
+        end
     end
   end
 end

data/app/controllers/spree/api/products_controller.rb CHANGED Viewed

@@ -1,22 +1,20 @@
 module Spree
   module Api
     class ProductsController < Spree::Api::BaseController
-      respond_to :json
       def index
         if params[:ids]
-          @products = product_scope.where(:id => params[:ids].split(","))
+          @products = product_scope.where(:id => params[:ids])
         else
           @products = product_scope.ransack(params[:q]).result
         end
         @products = @products.page(params[:page]).per(params[:per_page])
-        respond_with(@products)
       end
       def show
         @product = find_product(params[:id])
+        expires_in 3.minutes
         respond_with(@product)
       end
@@ -26,28 +24,9 @@ module Spree
       def create
         authorize! :create, Product
         params[:product][:available_on] ||= Time.now
-        variants_attributes = params[:product].delete(:variants_attributes) || []
-        option_type_attributes = params[:product].delete(:option_types) || []
-        set_up_shipping_category
-        @product = Product.new(params[:product])
         begin
+          @product = Product.new(product_params)
           if @product.save
-            variants_attributes.each do |variant_attribute|
-              variant = @product.variants.new
-              variant.update_attributes(variant_attribute)
-            end
-            option_type_attributes.each do |name|
-              option_type = OptionType.where(name: name).first_or_initialize do |option_type|
-                option_type.presentation = name
-                option_type.save!
-              end
-              @product.option_types << option_type unless @product.option_types.include?(option_type)
-            end
             respond_with(@product, :status => 201, :default_template => :show)
           else
             invalid_resource!(@product)
@@ -56,36 +35,12 @@ module Spree
           @product.permalink = nil
           retry
         end
-      end
+      end
       def update
-        authorize! :update, Product
-        variants_attributes = params[:product].delete(:variants_attributes) || []
-        option_type_attributes = params[:product].delete(:option_types) || []
-        set_up_shipping_category
         @product = find_product(params[:id])
-        if @product.update_attributes(params[:product])
-          variants_attributes.each do |variant_attribute|
-            # update the variant if the id is present in the payload
-            if variant_attribute['id'].present?
-              @product.variants.find(variant_attribute['id'].to_i).update_attributes(variant_attribute)
-            else
-              variant = @product.variants.new
-              variant.update_attributes(variant_attribute)
-            end
-          end
-          option_type_attributes.each do |name|
-            option_type = OptionType.where(name: name).first_or_initialize do |option_type|
-              option_type.presentation = name
-              option_type.save!
-            end
-            @product.option_types << option_type unless @product.option_types.include?(option_type)
-          end
+        authorize! :update, @product
+        if @product.update_attributes(product_params)
           respond_with(@product, :status => 200, :default_template => :show)
         else
           invalid_resource!(@product)
@@ -93,18 +48,16 @@ module Spree
       end
       def destroy
-        authorize! :delete, Product
         @product = find_product(params[:id])
-        @product.destroy
+        authorize! :destroy, @product
+        @product.update_attribute(:deleted_at, Time.now)
+        @product.variants_including_master.update_all(:deleted_at => Time.now)
         respond_with(@product, :status => 204)
       end
       private
-        def set_up_shipping_category
-          if shipping_category = params[:product].delete(:shipping_category)
-            id = ShippingCategory.find_or_create_by_name(shipping_category).id
-            params[:product][:shipping_category_id] = id
-          end
+        def product_params
+          params.require(:product).permit(permitted_product_attributes)
         end
     end
   end

data/app/controllers/spree/api/properties_controller.rb CHANGED Viewed

@@ -1,12 +1,11 @@
 module Spree
   module Api
     class PropertiesController < Spree::Api::BaseController
-      respond_to :json
-      before_filter :find_property, :only => [:show, :update, :destroy]
+      before_filter :find_property, only: [:show, :update, :destroy]
       def index
-        @properties = Spree::Property.
+        @properties = Spree::Property.accessible_by(current_ability, :read).
                       ransack(params[:q]).result.
                       page(params[:page]).per(params[:per_page])
         respond_with(@properties)
@@ -21,28 +20,29 @@ module Spree
       def create
         authorize! :create, Property
-        @property = Spree::Property.new(params[:property])
+        @property = Spree::Property.new(property_params)
         if @property.save
-          respond_with(@property, :status => 201, :default_template => :show)
+          respond_with(@property, status: 201, default_template: :show)
         else
           invalid_resource!(@property)
         end
       end
       def update
-        authorize! :update, Property
-        if @property && @property.update_attributes(params[:property])
-          respond_with(@property, :status => 200, :default_template => :show)
+        if @property
+          authorize! :update, @property
+          @property.update_attributes(property_params)
+          respond_with(@property, status: 200, default_template: :show)
         else
           invalid_resource!(@property)
         end
       end
       def destroy
-        authorize! :delete, Property
-        if(@property)
+        if @property
+          authorize! :destroy, @property
           @property.destroy
-          respond_with(@property, :status => 204)
+          respond_with(@property, status: 204)
         else
           invalid_resource!(@property)
         end
@@ -50,12 +50,15 @@ module Spree
       private
-      def find_property
-        @property = Spree::Property.find(params[:id])
-      rescue ActiveRecord::RecordNotFound
-        @property = Spree::Property.find_by_name!(params[:id])
-      end
+        def find_property
+          @property = Spree::Property.accessible_by(current_ability, :read).find(params[:id])
+        rescue ActiveRecord::RecordNotFound
+          @property = Spree::Property.accessible_by(current_ability, :read).find_by!(name: params[:id])
+        end
+        def property_params
+          params.require(:property).permit(permitted_property_attributes)
+        end
     end
   end
 end

data/app/controllers/spree/api/return_authorizations_controller.rb CHANGED Viewed

@@ -1,46 +1,50 @@
 module Spree
   module Api
     class ReturnAuthorizationsController < Spree::Api::BaseController
-      respond_to :json
-      before_filter :authorize_admin!
+      def create
+        authorize! :create, ReturnAuthorization
+        @return_authorization = order.return_authorizations.build(return_authorization_params)
+        if @return_authorization.save
+          respond_with(@return_authorization, status: 201, default_template: :show)
+        else
+          invalid_resource!(@return_authorization)
+        end
+      end
+      def destroy
+        @return_authorization = order.return_authorizations.accessible_by(current_ability, :destroy).find(params[:id])
+        @return_authorization.destroy
+        respond_with(@return_authorization, status: 204)
+      end
       def index
-        @return_authorizations = order.return_authorizations.
+        authorize! :admin, ReturnAuthorization
+        @return_authorizations = order.return_authorizations.accessible_by(current_ability, :read).
                                  ransack(params[:q]).result.
                                  page(params[:page]).per(params[:per_page])
         respond_with(@return_authorizations)
       end
-      def show
-        @return_authorization = order.return_authorizations.find(params[:id])
-        respond_with(@return_authorization)
+      def new
+        authorize! :admin, ReturnAuthorization
       end
-      def create
-        @return_authorization = order.return_authorizations.build(params[:return_authorization], :as => :api)
-        if @return_authorization.save
-          respond_with(@return_authorization, :status => 201, :default_template => :show)
-        else
-          invalid_resource!(@return_authorization)
-        end
+      def show
+        authorize! :admin, ReturnAuthorization
+        @return_authorization = order.return_authorizations.accessible_by(current_ability, :read).find(params[:id])
+        respond_with(@return_authorization)
       end
       def update
-        @return_authorization = order.return_authorizations.find(params[:id])
-        if @return_authorization.update_attributes(params[:return_authorization])
-          respond_with(@return_authorization, :default_template => :show)
+        @return_authorization = order.return_authorizations.accessible_by(current_ability, :update).find(params[:id])
+        if @return_authorization.update_attributes(return_authorization_params)
+          respond_with(@return_authorization, default_template: :show)
         else
           invalid_resource!(@return_authorization)
         end
       end
-      def destroy
-        @return_authorization = order.return_authorizations.find(params[:id])
-        @return_authorization.destroy
-        respond_with(@return_authorization, :status => 204)
-      end
       def add
         @return_authorization = order.return_authorizations.accessible_by(current_ability, :update).find(params[:id])
         @return_authorization.add_variant params[:variant_id].to_i, params[:quantity].to_i
@@ -72,11 +76,12 @@ module Spree
       private
       def order
-        @order ||= Order.find_by_number!(params[:order_id])
+        @order ||= Spree::Order.find_by!(number: params[:order_id])
+        authorize! :read, @order
       end
-      def authorize_admin!
-        authorize! :manage, Spree::ReturnAuthorization
+      def return_authorization_params
+        params.require(:return_authorization).permit(permitted_return_authorization_attributes)
       end
     end
   end