RubyGems - spree_api - Versions diffs - 2.0.13 → 2.1.0 - Mend

spree_api 2.0.13 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

data/app/controllers/spree/api/orders_controller.rb CHANGED Viewed

@@ -1,91 +1,94 @@
 module Spree
   module Api
     class OrdersController < Spree::Api::BaseController
-      respond_to :json
-      before_filter :find_and_authorize!, :except => [:index, :search, :create]
+      # Dynamically defines our stores checkout steps to ensure we check authorization on each step.
+      Order.checkout_steps.keys.each do |step|
+        define_method step do
+          find_order
+          authorize! :update, @order, params[:token]
+        end
+      end
+      def cancel
+        find_order
+        authorize! :update, @order, params[:token]
+        @order.cancel!
+        render :show
+      end
+      def create
+        authorize! :create, Order
+        @order = Order.build_from_api(current_api_user, order_params)
+        respond_with(@order, default_template: :show, status: 201)
+      end
+      def empty
+        find_order
+        @order.empty!
+        @order.update!
+        render text: nil, status: 200
+      end
       def index
-        # should probably look at turning this into a CanCan step
-        raise CanCan::AccessDenied unless current_api_user.has_spree_role?("admin")
+        authorize! :index, Order
         @orders = Order.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@orders)
       end
       def show
+        find_order
+        method = "before_#{@order.state}"
+        send(method) if respond_to?(method, true)
         respond_with(@order)
       end
-      def create
-        nested_params[:line_items_attributes] = sanitize_line_items(nested_params[:line_items_attributes])
-        @order = Order.build_from_api(current_api_user, nested_params)
-        respond_with(@order, :default_template => :show, :status => 201)
-      end
       def update
+        find_order
         # Parsing line items through as an update_attributes call in the API will result in
         # many line items for the same variant_id being created. We must be smarter about this,
         # hence the use of the update_line_items method, defined within order_decorator.rb.
-        line_items_params = sanitize_line_items(nested_params.delete("line_items_attributes"))
-        if @order.update_attributes(nested_params)
-          @order.update_line_items(line_items_params)
+        order_params.delete("line_items_attributes")
+        if @order.update_attributes(order_params)
+          @order.update_line_items(params[:order][:line_items])
           @order.line_items.reload
           @order.update!
-          respond_with(@order, :default_template => :show)
+          respond_with(@order, default_template: :show)
         else
           invalid_resource!(@order)
         end
       end
-      def cancel
-        @order.cancel!
-        render :show
-      end
-      def empty
-        @order.empty!
-        @order.update!
-        render :text => nil, :status => 200
-      end
       private
-      def nested_params
-        @nested_params ||= map_nested_attributes_keys(Order, params[:order] || {})
-      end
-      def sanitize_line_items(line_item_attributes)
-        return {} if line_item_attributes.blank?
-        line_item_attributes = line_item_attributes.map do |id, attributes|
-          attributes ||= id
+        def order_params
+          if params[:order]
+            params[:order][:line_items_attributes] = params[:order][:line_items]
+            params[:order][:ship_address_attributes] = params[:order][:ship_address] if params[:order][:ship_address]
+            params[:order][:bill_address_attributes] = params[:order][:bill_address] if params[:order][:bill_address]
+            params.require(:order).permit(permitted_order_attributes)
+          else
+            {}
+          end
+        end
-          # Faux Strong-Parameters code to strip price if user isn't an admin
-          if current_api_user.has_spree_role?("admin")
-            [id, attributes.slice(*Spree::LineItem.attr_accessible[:api])]
+        def next!(options={})
+          if @order.valid? && @order.next
+            render :show, status: options[:status] || 200
           else
-            [id, attributes.slice(*Spree::LineItem.attr_accessible[:default])]
+            render :could_not_transition, status: 422
           end
         end
-        line_item_attributes = Hash[line_item_attributes].delete_if { |k,v| v.empty? }
-      end
-      def find_order(lock = false)
-        @order = Spree::Order.lock(lock).find_by_number!(params[:id])
-        authorize! :update, @order, params[:order_token]
-      end
+        def find_order
+          @order = Spree::Order.find_by!(number: params[:id])
+          authorize! :update, @order, params[:order_token]
+        end
-      def next!(options={})
-        if @order.valid? && @order.next
-          render :show, :status => options[:status] || 200
-        else
-          render :could_not_transition, :status => 422
+        def before_delivery
+          @order.create_proposed_shipments
         end
-      end
-      def find_and_authorize!
-        find_order(true)
-        authorize! :read, @order
-      end
     end
   end
 end

data/app/controllers/spree/api/payments_controller.rb CHANGED Viewed

@@ -1,10 +1,9 @@
 module Spree
   module Api
     class PaymentsController < Spree::Api::BaseController
-      respond_to :json
       before_filter :find_order
-      before_filter :find_payment, only: [:update, :show, :authorize, :purchase, :capture, :void, :credit]
+      before_filter :find_payment, only: [:show, :authorize, :purchase, :capture, :void, :credit]
       def index
         @payments = @order.payments.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
@@ -12,25 +11,14 @@ module Spree
       end
       def new
-        @payment_methods = Spree::PaymentMethod.where(:environment => Rails.env)
+        @payment_methods = Spree::PaymentMethod.where(environment: Rails.env)
         respond_with(@payment_method)
       end
       def create
-        @payment = @order.payments.build(params[:payment])
+        @payment = @order.payments.build(payment_params)
         if @payment.save
-          respond_with(@payment, :status => 201, :default_template => :show)
-        else
-          invalid_resource!(@payment)
-        end
-      end
-      def update
-        authorize! params[:action], @payment
-        if !@payment.pending?
-          render 'update_forbidden', status: 403
-        elsif @payment.update_attributes(params[:payment])
-          respond_with(@payment, default_template: :show)
+          respond_with(@payment, status: 201, default_template: :show)
         else
           invalid_resource!(@payment)
         end
@@ -58,7 +46,7 @@ module Spree
       def credit
         if params[:amount].to_f > @payment.credit_allowed
-          render 'credit_over_limit', status: 422
+          render 'spree/api/payments/credit_over_limit', status: 422
         else
           perform_payment_action(:credit, params[:amount])
         end
@@ -66,26 +54,30 @@ module Spree
       private
-      def find_order
-        @order = Order.find_by_number(params[:order_id])
-        authorize! :read, @order
-      end
+        def find_order
+          @order = Spree::Order.find_by(number: params[:order_id])
+          authorize! :read, @order
+        end
-      def find_payment
-        @payment = @order.payments.find(params[:id])
-      end
+        def find_payment
+          @payment = @order.payments.find(params[:id])
+        end
-      def perform_payment_action(action, *args)
-        authorize! action, Payment
+        def perform_payment_action(action, *args)
+          authorize! action, Payment
-        begin
-          @payment.send("#{action}!", *args)
-          respond_with(@payment, :default_template => :show)
-        rescue Spree::Core::GatewayError => e
-          @error = e.message
-          render "spree/api/errors/gateway_error", :status => 422
+          begin
+            @payment.send("#{action}!", *args)
+            respond_with(@payment, :default_template => :show)
+          rescue Spree::Core::GatewayError => e
+            @error = e.message
+            render 'spree/api/errors/gateway_error', status: 422
+          end
+        end
+        def payment_params
+          params.require(:payment).permit(permitted_payment_attributes)
         end
-      end
     end
   end
 end

data/app/controllers/spree/api/product_properties_controller.rb CHANGED Viewed

@@ -1,13 +1,12 @@
 module Spree
   module Api
     class ProductPropertiesController < Spree::Api::BaseController
-      respond_to :json
       before_filter :find_product
-      before_filter :product_property, :only => [:show, :update, :destroy]
+      before_filter :product_property, only: [:show, :update, :destroy]
       def index
-        @product_properties = @product.product_properties.
+        @product_properties = @product.product_properties.accessible_by(current_ability, :read).
                               ransack(params[:q]).result.
                               page(params[:page]).per(params[:per_page])
         respond_with(@product_properties)
@@ -22,44 +21,52 @@ module Spree
       def create
         authorize! :create, ProductProperty
-        @product_property = @product.product_properties.new(params[:product_property])
+        @product_property = @product.product_properties.new(product_property_params)
         if @product_property.save
-          respond_with(@product_property, :status => 201, :default_template => :show)
+          respond_with(@product_property, status: 201, default_template: :show)
         else
           invalid_resource!(@product_property)
         end
       end
       def update
-        authorize! :update, ProductProperty
-        if @product_property  && @product_property.update_attributes(params[:product_property])
-          respond_with(@product_property, :status => 200, :default_template => :show)
+        if @product_property
+          authorize! :update, @product_property
+          @product_property.update_attributes(product_property_params)
+          respond_with(@product_property, status: 200, default_template: :show)
         else
           invalid_resource!(@product_property)
         end
       end
       def destroy
-        authorize! :delete, ProductProperty
-        if(@product_property)
+        if @product_property
+          authorize! :destroy, @product_property
           @product_property.destroy
-          respond_with(@product_property, :status => 204)
+          respond_with(@product_property, status: 204)
         else
           invalid_resource!(@product_property)
         end
       end
       private
         def find_product
           @product = super(params[:product_id])
+          authorize! :read, @product
         end
         def product_property
           if @product
-            @product_property ||= @product.product_properties.find_by_id(params[:id])
-            @product_property ||= @product.product_properties.joins(:property).where('spree_properties.name' => params[:id]).readonly(false).first
+            @product_property ||= @product.product_properties.find_by(id: params[:id])
+            @product_property ||= @product.product_properties.includes(:property).where(spree_properties: { name: params[:id] }).first
+            authorize! :read, @product_property
           end
         end
+        def product_property_params
+          params.require(:product_property).permit(permitted_product_properties_attributes)
+        end
     end
   end
 end

data/app/controllers/spree/api/products_controller.rb CHANGED Viewed

@@ -1,22 +1,20 @@
 module Spree
   module Api
     class ProductsController < Spree::Api::BaseController
-      respond_to :json
       def index
         if params[:ids]
-          @products = product_scope.where(:id => params[:ids].split(","))
+          @products = product_scope.where(:id => params[:ids])
         else
           @products = product_scope.ransack(params[:q]).result
         end
         @products = @products.page(params[:page]).per(params[:per_page])
-        respond_with(@products)
       end
       def show
         @product = find_product(params[:id])
+        expires_in 3.minutes
         respond_with(@product)
       end
@@ -26,28 +24,9 @@ module Spree
       def create
         authorize! :create, Product
         params[:product][:available_on] ||= Time.now
-        variants_attributes = params[:product].delete(:variants_attributes) || []
-        option_type_attributes = params[:product].delete(:option_types) || []
-        set_up_shipping_category
-        @product = Product.new(params[:product])
         begin
+          @product = Product.new(product_params)
           if @product.save
-            variants_attributes.each do |variant_attribute|
-              variant = @product.variants.new
-              variant.update_attributes(variant_attribute)
-            end
-            option_type_attributes.each do |name|
-              option_type = OptionType.where(name: name).first_or_initialize do |option_type|
-                option_type.presentation = name
-                option_type.save!
-              end
-              @product.option_types << option_type unless @product.option_types.include?(option_type)
-            end
             respond_with(@product, :status => 201, :default_template => :show)
           else
             invalid_resource!(@product)
@@ -56,36 +35,12 @@ module Spree
           @product.permalink = nil
           retry
         end
-      end
+      end
       def update
-        authorize! :update, Product
-        variants_attributes = params[:product].delete(:variants_attributes) || []
-        option_type_attributes = params[:product].delete(:option_types) || []
-        set_up_shipping_category
         @product = find_product(params[:id])
-        if @product.update_attributes(params[:product])
-          variants_attributes.each do |variant_attribute|
-            # update the variant if the id is present in the payload
-            if variant_attribute['id'].present?
-              @product.variants.find(variant_attribute['id'].to_i).update_attributes(variant_attribute)
-            else
-              variant = @product.variants.new
-              variant.update_attributes(variant_attribute)
-            end
-          end
-          option_type_attributes.each do |name|
-            option_type = OptionType.where(name: name).first_or_initialize do |option_type|
-              option_type.presentation = name
-              option_type.save!
-            end
-            @product.option_types << option_type unless @product.option_types.include?(option_type)
-          end
+        authorize! :update, @product
+        if @product.update_attributes(product_params)
           respond_with(@product, :status => 200, :default_template => :show)
         else
           invalid_resource!(@product)
@@ -93,18 +48,16 @@ module Spree
       end
       def destroy
-        authorize! :delete, Product
         @product = find_product(params[:id])
-        @product.destroy
+        authorize! :destroy, @product
+        @product.update_attribute(:deleted_at, Time.now)
+        @product.variants_including_master.update_all(:deleted_at => Time.now)
         respond_with(@product, :status => 204)
       end
       private
-        def set_up_shipping_category
-          if shipping_category = params[:product].delete(:shipping_category)
-            id = ShippingCategory.find_or_create_by_name(shipping_category).id
-            params[:product][:shipping_category_id] = id
-          end
+        def product_params
+          params.require(:product).permit(permitted_product_attributes)
         end
     end
   end

data/app/controllers/spree/api/properties_controller.rb CHANGED Viewed

@@ -1,12 +1,11 @@
 module Spree
   module Api
     class PropertiesController < Spree::Api::BaseController
-      respond_to :json
-      before_filter :find_property, :only => [:show, :update, :destroy]
+      before_filter :find_property, only: [:show, :update, :destroy]
       def index
-        @properties = Spree::Property.
+        @properties = Spree::Property.accessible_by(current_ability, :read).
                       ransack(params[:q]).result.
                       page(params[:page]).per(params[:per_page])
         respond_with(@properties)
@@ -21,28 +20,29 @@ module Spree
       def create
         authorize! :create, Property
-        @property = Spree::Property.new(params[:property])
+        @property = Spree::Property.new(property_params)
         if @property.save
-          respond_with(@property, :status => 201, :default_template => :show)
+          respond_with(@property, status: 201, default_template: :show)
         else
           invalid_resource!(@property)
         end
       end
       def update
-        authorize! :update, Property
-        if @property && @property.update_attributes(params[:property])
-          respond_with(@property, :status => 200, :default_template => :show)
+        if @property
+          authorize! :update, @property
+          @property.update_attributes(property_params)
+          respond_with(@property, status: 200, default_template: :show)
         else
           invalid_resource!(@property)
         end
       end
       def destroy
-        authorize! :delete, Property
-        if(@property)
+        if @property
+          authorize! :destroy, @property
           @property.destroy
-          respond_with(@property, :status => 204)
+          respond_with(@property, status: 204)
         else
           invalid_resource!(@property)
         end
@@ -50,12 +50,15 @@ module Spree
       private
-      def find_property
-        @property = Spree::Property.find(params[:id])
-      rescue ActiveRecord::RecordNotFound
-        @property = Spree::Property.find_by_name!(params[:id])
-      end
+        def find_property
+          @property = Spree::Property.accessible_by(current_ability, :read).find(params[:id])
+        rescue ActiveRecord::RecordNotFound
+          @property = Spree::Property.accessible_by(current_ability, :read).find_by!(name: params[:id])
+        end
+        def property_params
+          params.require(:property).permit(permitted_property_attributes)
+        end
     end
   end
 end

data/app/controllers/spree/api/return_authorizations_controller.rb CHANGED Viewed

@@ -1,46 +1,50 @@
 module Spree
   module Api
     class ReturnAuthorizationsController < Spree::Api::BaseController
-      respond_to :json
-      before_filter :authorize_admin!
+      def create
+        authorize! :create, ReturnAuthorization
+        @return_authorization = order.return_authorizations.build(return_authorization_params)
+        if @return_authorization.save
+          respond_with(@return_authorization, status: 201, default_template: :show)
+        else
+          invalid_resource!(@return_authorization)
+        end
+      end
+      def destroy
+        @return_authorization = order.return_authorizations.accessible_by(current_ability, :destroy).find(params[:id])
+        @return_authorization.destroy
+        respond_with(@return_authorization, status: 204)
+      end
       def index
-        @return_authorizations = order.return_authorizations.
+        authorize! :admin, ReturnAuthorization
+        @return_authorizations = order.return_authorizations.accessible_by(current_ability, :read).
                                  ransack(params[:q]).result.
                                  page(params[:page]).per(params[:per_page])
         respond_with(@return_authorizations)
       end
-      def show
-        @return_authorization = order.return_authorizations.find(params[:id])
-        respond_with(@return_authorization)
+      def new
+        authorize! :admin, ReturnAuthorization
       end
-      def create
-        @return_authorization = order.return_authorizations.build(params[:return_authorization], :as => :api)
-        if @return_authorization.save
-          respond_with(@return_authorization, :status => 201, :default_template => :show)
-        else
-          invalid_resource!(@return_authorization)
-        end
+      def show
+        authorize! :admin, ReturnAuthorization
+        @return_authorization = order.return_authorizations.accessible_by(current_ability, :read).find(params[:id])
+        respond_with(@return_authorization)
       end
       def update
-        @return_authorization = order.return_authorizations.find(params[:id])
-        if @return_authorization.update_attributes(params[:return_authorization])
-          respond_with(@return_authorization, :default_template => :show)
+        @return_authorization = order.return_authorizations.accessible_by(current_ability, :update).find(params[:id])
+        if @return_authorization.update_attributes(return_authorization_params)
+          respond_with(@return_authorization, default_template: :show)
         else
           invalid_resource!(@return_authorization)
         end
       end
-      def destroy
-        @return_authorization = order.return_authorizations.find(params[:id])
-        @return_authorization.destroy
-        respond_with(@return_authorization, :status => 204)
-      end
       def add
         @return_authorization = order.return_authorizations.accessible_by(current_ability, :update).find(params[:id])
         @return_authorization.add_variant params[:variant_id].to_i, params[:quantity].to_i
@@ -72,11 +76,12 @@ module Spree
       private
       def order
-        @order ||= Order.find_by_number!(params[:order_id])
+        @order ||= Spree::Order.find_by!(number: params[:order_id])
+        authorize! :read, @order
       end
-      def authorize_admin!
-        authorize! :manage, Spree::ReturnAuthorization
+      def return_authorization_params
+        params.require(:return_authorization).permit(permitted_return_authorization_attributes)
       end
     end
   end