RubyGems - spree_api - Versions diffs - 2.0.13 → 2.1.0 - Mend

spree_api 2.0.13 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

data/app/controllers/spree/api/shipments_controller.rb CHANGED Viewed

@@ -1,61 +1,58 @@
 module Spree
   module Api
     class ShipmentsController < Spree::Api::BaseController
-      respond_to :json
       before_filter :find_order
-      before_filter :find_and_update_shipment, :only => [:ship, :ready, :add, :remove]
+      before_filter :find_and_update_shipment, only: [:ship, :ready, :add, :remove]
       def create
+        authorize! :create, Shipment
         variant = Spree::Variant.find(params[:variant_id])
         quantity = params[:quantity].to_i
-        @shipment = @order.shipments.create(:stock_location_id => params[:stock_location_id])
+        @shipment = @order.shipments.create(stock_location_id: params[:stock_location_id])
         @order.contents.add(variant, quantity, nil, @shipment)
         @shipment.refresh_rates
         @shipment.save!
-        respond_with(@shipment.reload, :default_template => :show)
+        respond_with(@shipment.reload, default_template: :show)
       end
       def update
-        authorize! :read, Shipment
-        @shipment = @order.shipments.find_by_number!(params[:id])
-        params[:shipment] ||= []
+        @shipment = @order.shipments.accessible_by(current_ability, :update).find_by!(number: params[:id])
         unlock = params[:shipment].delete(:unlock)
         if unlock == 'yes'
           @shipment.adjustment.open
         end
-        @shipment.update_attributes(params[:shipment])
+        @shipment.update_attributes(shipment_params)
         if unlock == 'yes'
           @shipment.adjustment.close
         end
         @shipment.reload
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
       def ready
-        authorize! :read, Shipment
         unless @shipment.ready?
           if @shipment.can_ready?
             @shipment.ready!
           else
-            render "spree/api/shipments/cannot_ready_shipment", :status => 422 and return
+            render 'spree/api/shipments/cannot_ready_shipment', status: 422 and return
           end
         end
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
       def ship
-        authorize! :read, Shipment
         unless @shipment.shipped?
           @shipment.ship!
         end
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
       def add
@@ -64,7 +61,7 @@ module Spree
         @order.contents.add(variant, quantity, nil, @shipment)
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
       def remove
@@ -73,21 +70,29 @@ module Spree
         @order.contents.remove(variant, quantity, @shipment)
         @shipment.reload if @shipment.persisted?
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
       private
       def find_order
-        @order = Spree::Order.find_by_number!(params[:order_id])
+        @order = Spree::Order.find_by!(number: params[:order_id])
         authorize! :read, @order
       end
       def find_and_update_shipment
-        @shipment = @order.shipments.find_by_number!(params[:id])
-        @shipment.update_attributes(params[:shipment])
+        @shipment = @order.shipments.accessible_by(current_ability, :update).find_by!(number: params[:id])
+        @shipment.update_attributes(shipment_params)
         @shipment.reload
       end
+      def shipment_params
+        if params[:shipment] && !params[:shipment].empty?
+          params.require(:shipment).permit(permitted_shipment_attributes)
+        else
+          {}
+        end
+      end
     end
   end
 end

data/app/controllers/spree/api/states_controller.rb CHANGED Viewed

@@ -1,18 +1,20 @@
 module Spree
   module Api
     class StatesController < Spree::Api::BaseController
-      skip_before_filter :check_for_user_or_api_key
-      skip_before_filter :authenticate_user
+      skip_before_filter :set_expiry
       def index
         @states = scope.ransack(params[:q]).result.
-                  includes(:country).order("#{Spree::State.quoted_table_name}.name ASC")
+                    includes(:country).order('name ASC')
         if params[:page] || params[:per_page]
           @states = @states.page(params[:page]).per(params[:per_page])
         end
-        respond_with(@states)
+        state = @states.last
+        if stale?(state)
+          respond_with(@states)
+        end
       end
       def show
@@ -23,10 +25,10 @@ module Spree
       private
         def scope
           if params[:country_id]
-            @country = Country.find(params[:country_id])
-            return @country.states
+            @country = Country.accessible_by(current_ability, :read).find(params[:country_id])
+            return @country.states.accessible_by(current_ability, :read)
           else
-            return State.scoped
+            return State.accessible_by(current_ability, :read)
           end
         end
     end

data/app/controllers/spree/api/stock_items_controller.rb CHANGED Viewed

@@ -4,13 +4,11 @@ module Spree
       before_filter :stock_location, except: [:update, :destroy]
       def index
-        authorize! :read, StockItem
         @stock_items = scope.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_items)
       end
       def show
-        authorize! :read, StockItem
         @stock_item = scope.find(params[:id])
         respond_with(@stock_item)
       end
@@ -21,10 +19,9 @@ module Spree
         count_on_hand = 0
         if params[:stock_item].has_key?(:count_on_hand)
           count_on_hand = params[:stock_item][:count_on_hand].to_i
-          params[:stock_item].delete(:count_on_hand)
         end
-        @stock_item = scope.new(params[:stock_item])
+        @stock_item = scope.new(stock_item_params)
         if @stock_item.save
           @stock_item.adjust_count_on_hand(count_on_hand)
           respond_with(@stock_item, status: 201, default_template: :show)
@@ -34,8 +31,7 @@ module Spree
       end
       def update
-        authorize! :update, StockItem
-        @stock_item = StockItem.find(params[:id])
+        @stock_item = StockItem.accessible_by(current_ability, :update).find(params[:id])
         count_on_hand = 0
         if params[:stock_item].has_key?(:count_on_hand)
@@ -54,8 +50,7 @@ module Spree
       end
       def destroy
-        authorize! :delete, StockItem
-        @stock_item = StockItem.find(params[:id])
+        @stock_item = StockItem.accessible_by(current_ability, :destroy).find(params[:id])
         @stock_item.destroy
         respond_with(@stock_item, status: 204)
       end
@@ -64,12 +59,15 @@ module Spree
       def stock_location
         render 'spree/api/shared/stock_location_required', status: 422 and return unless params[:stock_location_id]
-        @stock_location ||= StockLocation.find(params[:stock_location_id])
+        @stock_location ||= StockLocation.accessible_by(current_ability, :read).find(params[:stock_location_id])
       end
       def scope
-        includes = {:variant => [{ :option_values => :option_type }, :product] }
-        @stock_location.stock_items.includes(includes)
+        @stock_location.stock_items.accessible_by(current_ability, :read).includes(:variant => :product)
+      end
+      def stock_item_params
+        params.require(:stock_item).permit(permitted_stock_item_attributes)
       end
     end
   end

data/app/controllers/spree/api/stock_locations_controller.rb CHANGED Viewed

@@ -2,19 +2,17 @@ module Spree
   module Api
     class StockLocationsController < Spree::Api::BaseController
       def index
-        authorize! :read, StockLocation
         @stock_locations = StockLocation.accessible_by(current_ability, :read).order('name ASC').ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_locations)
       end
       def show
-        authorize! :read, StockLocation
         respond_with(stock_location)
       end
       def create
         authorize! :create, StockLocation
-        @stock_location = StockLocation.new(params[:stock_location])
+        @stock_location = StockLocation.new(stock_location_params)
         if @stock_location.save
           respond_with(@stock_location, status: 201, default_template: :show)
         else
@@ -23,8 +21,8 @@ module Spree
       end
       def update
-        authorize! :update, StockLocation
-        if stock_location.update_attributes(params[:stock_location])
+        authorize! :update, stock_location
+        if stock_location.update_attributes(stock_location_params)
           respond_with(stock_location, status: 200, default_template: :show)
         else
           invalid_resource!(stock_location)
@@ -32,7 +30,7 @@ module Spree
       end
       def destroy
-        authorize! :delete, StockLocation
+        authorize! :destroy, stock_location
         stock_location.destroy
         respond_with(stock_location, :status => 204)
       end
@@ -40,7 +38,11 @@ module Spree
       private
       def stock_location
-        @stock_location ||= StockLocation.find(params[:id])
+        @stock_location ||= StockLocation.accessible_by(current_ability, :read).find(params[:id])
+      end
+      def stock_location_params
+        params.require(:stock_location).permit(permitted_stock_location_attributes)
       end
     end
   end

data/app/controllers/spree/api/stock_movements_controller.rb CHANGED Viewed

@@ -4,20 +4,18 @@ module Spree
       before_filter :stock_location, except: [:update, :destroy]
       def index
-        authorize! :read, StockMovement
         @stock_movements = scope.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_movements)
       end
       def show
-        authorize! :read, StockMovement
         @stock_movement = scope.find(params[:id])
         respond_with(@stock_movement)
       end
       def create
         authorize! :create, StockMovement
-        @stock_movement = scope.new(params[:stock_movement])
+        @stock_movement = scope.new(stock_movement_params)
         if @stock_movement.save
           respond_with(@stock_movement, status: 201, default_template: :show)
         else
@@ -29,11 +27,15 @@ module Spree
       def stock_location
         render 'spree/api/shared/stock_location_required', status: 422 and return unless params[:stock_location_id]
-        @stock_location ||= StockLocation.find(params[:stock_location_id])
+        @stock_location ||= StockLocation.accessible_by(current_ability, :read).find(params[:stock_location_id])
       end
       def scope
-        @stock_location.stock_movements
+        @stock_location.stock_movements.accessible_by(current_ability, :read)
+      end
+      def stock_movement_params
+        params.require(:stock_movement).permit(permitted_stock_movement_attributes)
       end
     end
   end

data/app/controllers/spree/api/taxonomies_controller.rb CHANGED Viewed

@@ -1,17 +1,16 @@
 module Spree
   module Api
     class TaxonomiesController < Spree::Api::BaseController
-      respond_to :json
       def index
-        @taxonomies = Taxonomy.order('name').includes(:root => :children).
+        @taxonomies = Taxonomy.accessible_by(current_ability, :read).order('name').includes(:root => :children).
                       ransack(params[:q]).result.
                       page(params[:page]).per(params[:per_page])
         respond_with(@taxonomies)
       end
       def show
-        @taxonomy = Taxonomy.find(params[:id])
+        @taxonomy = Taxonomy.accessible_by(current_ability, :read).find(params[:id])
         respond_with(@taxonomy)
       end
@@ -22,7 +21,7 @@ module Spree
       def create
         authorize! :create, Taxonomy
-        @taxonomy = Taxonomy.new(params[:taxonomy])
+        @taxonomy = Taxonomy.new(taxonomy_params)
         if @taxonomy.save
           respond_with(@taxonomy, :status => 201, :default_template => :show)
         else
@@ -31,8 +30,8 @@ module Spree
       end
       def update
-        authorize! :update, Taxonomy
-        if taxonomy.update_attributes(params[:taxonomy])
+        authorize! :update, taxonomy
+        if taxonomy.update_attributes(taxonomy_params)
           respond_with(taxonomy, :status => 200, :default_template => :show)
         else
           invalid_resource!(taxonomy)
@@ -40,7 +39,7 @@ module Spree
       end
       def destroy
-        authorize! :delete, Taxonomy
+        authorize! :destroy, taxonomy
         taxonomy.destroy
         respond_with(taxonomy, :status => 204)
       end
@@ -48,9 +47,16 @@ module Spree
       private
       def taxonomy
-        @taxonomy ||= Taxonomy.find(params[:id])
+        @taxonomy ||= Taxonomy.accessible_by(current_ability, :read).find(params[:id])
       end
+      def taxonomy_params
+        if params[:taxonomy] && !params[:taxonomy].empty?
+          params.require(:taxonomy).permit(permitted_taxonomy_attributes)
+        else
+          {}
+        end
+      end
     end
   end
 end

data/app/controllers/spree/api/taxons_controller.rb CHANGED Viewed

@@ -1,16 +1,14 @@
 module Spree
   module Api
     class TaxonsController < Spree::Api::BaseController
-      respond_to :json
       def index
         if taxonomy
           @taxons = taxonomy.root.children
         else
           if params[:ids]
-            @taxons = Taxon.accessible_by(current_ability, :read).where(:id => params[:ids].split(","))
+            @taxons = Spree::Taxon.accessible_by(current_ability, :read).where(id: params[:ids].split(','))
           else
-            @taxons = Taxon.accessible_by(current_ability, :read).order(:taxonomy_id, :lft).ransack(params[:q]).result
+            @taxons = Spree::Taxon.accessible_by(current_ability, :read).order(:taxonomy_id, :lft).ransack(params[:q]).result
           end
         end
@@ -29,51 +27,58 @@ module Spree
       def create
         authorize! :create, Taxon
-        @taxon = Taxon.new(params[:taxon])
+        @taxon = Spree::Taxon.new(taxon_params)
         @taxon.taxonomy_id = params[:taxonomy_id]
-        taxonomy = Taxonomy.find_by_id(params[:taxonomy_id])
+        taxonomy = Spree::Taxonomy.find_by(id: params[:taxonomy_id])
         if taxonomy.nil?
-          @taxon.errors[:taxonomy_id] = I18n.t(:invalid_taxonomy_id, :scope => 'spree.api')
+          @taxon.errors[:taxonomy_id] = I18n.t(:invalid_taxonomy_id, scope: 'spree.api')
           invalid_resource!(@taxon) and return
         end
         @taxon.parent_id = taxonomy.root.id unless params[:taxon][:parent_id]
         if @taxon.save
-          respond_with(@taxon, :status => 201, :default_template => :show)
+          respond_with(@taxon, status: 201, default_template: :show)
         else
           invalid_resource!(@taxon)
         end
       end
       def update
-        authorize! :update, Taxon
-        if taxon.update_attributes(params[:taxon])
-          respond_with(taxon, :status => 200, :default_template => :show)
+        authorize! :update, taxon
+        if taxon.update_attributes(taxon_params)
+          respond_with(taxon, status: 200, default_template: :show)
         else
           invalid_resource!(taxon)
         end
       end
       def destroy
-        authorize! :delete, Taxon
+        authorize! :destroy, taxon
         taxon.destroy
-        respond_with(taxon, :status => 204)
+        respond_with(taxon, status: 204)
       end
       private
-      def taxonomy
-        if params[:taxonomy_id].present?
-          @taxonomy ||= Taxonomy.find(params[:taxonomy_id])
+        def taxonomy
+          if params[:taxonomy_id].present?
+            @taxonomy ||= Spree::Taxonomy.accessible_by(current_ability, :read).find(params[:taxonomy_id])
+          end
         end
-      end
-      def taxon
-        @taxon ||= taxonomy.taxons.find(params[:id])
-      end
+        def taxon
+          @taxon ||= taxonomy.taxons.accessible_by(current_ability, :read).find(params[:id])
+        end
+        def taxon_params
+          if params[:taxon] && !params[:taxon].empty?
+            params.require(:taxon).permit(permitted_taxon_attributes)
+          else
+            {}
+          end
+        end
     end
   end
 end

data/app/controllers/spree/api/users_controller.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 module Spree
   module Api
     class UsersController < Spree::Api::BaseController
-      respond_to :json
       def index
         @users = Spree.user_class.accessible_by(current_ability,:read).ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
@@ -9,7 +8,6 @@ module Spree
       end
       def show
-        authorize! :show, user
         respond_with(user)
       end
@@ -18,7 +16,7 @@ module Spree
       def create
         authorize! :create, Spree.user_class
-        @user = Spree.user_class.new(params[:user])
+        @user = Spree.user_class.new(user_params)
         if @user.save
           respond_with(@user, :status => 201, :default_template => :show)
         else
@@ -28,7 +26,7 @@ module Spree
       def update
         authorize! :update, user
-        if user.update_attributes(params[:user])
+        if user.update_attributes(user_params)
           respond_with(user, :status => 200, :default_template => :show)
         else
           invalid_resource!(user)
@@ -44,7 +42,11 @@ module Spree
       private
       def user
-        @user ||= Spree.user_class.find(params[:id])
+        @user ||= Spree.user_class.accessible_by(current_ability, :read).find(params[:id])
+      end
+      def user_params
+        params.require(:user).permit(permitted_user_attributes)
       end
     end
   end

data/app/controllers/spree/api/variants_controller.rb CHANGED Viewed

@@ -1,68 +1,66 @@
 module Spree
   module Api
     class VariantsController < Spree::Api::BaseController
-      respond_to :json
       before_filter :product
+      def create
+        authorize! :create, Variant
+        @variant = scope.new(variant_params)
+        if @variant.save
+          respond_with(@variant, status: 201, default_template: :show)
+        else
+          invalid_resource!(@variant)
+        end
+      end
+      def destroy
+        @variant = scope.accessible_by(current_ability, :destroy).find(params[:id])
+        @variant.destroy
+        respond_with(@variant, status: 204)
+      end
       def index
-        @variants = scope.includes(:option_values, :stock_items, :product, :images, :prices).ransack(params[:q]).result.
+        @variants = scope.includes(:option_values).ransack(params[:q]).result.
           page(params[:page]).per(params[:per_page])
         respond_with(@variants)
       end
-      def show
-        @variant = scope.includes(:option_values).find(params[:id])
-        respond_with(@variant)
-      end
       def new
       end
-      def create
-        authorize! :create, Variant
-        @variant = scope.new(params[:variant])
-        if @variant.save
-          respond_with(@variant, :status => 201, :default_template => :show)
-        else
-          invalid_resource!(@variant)
-        end
+      def show
+        @variant = scope.includes(:option_values).find(params[:id])
+        respond_with(@variant)
       end
       def update
-        authorize! :update, Variant
-        @variant = scope.find(params[:id])
-        if @variant.update_attributes(params[:variant])
-          respond_with(@variant, :status => 200, :default_template => :show)
+        @variant = scope.accessible_by(current_ability, :update).find(params[:id])
+        if @variant.update_attributes(variant_params)
+          respond_with(@variant, status: 200, default_template: :show)
         else
           invalid_resource!(@product)
         end
       end
-      def destroy
-        authorize! :delete, Variant
-        @variant = scope.find(params[:id])
-        @variant.destroy
-        respond_with(@variant, :status => 204)
-      end
       private
         def product
-          @product ||= Spree::Product.find_by_permalink(params[:product_id]) if params[:product_id]
+          @product ||= Spree::Product.accessible_by(current_ability, :read).find_by(permalink: params[:product_id]) if params[:product_id]
         end
         def scope
           if @product
-            unless current_api_user.has_spree_role?("admin") || params[:show_deleted]
-              variants = @product.variants_including_master
+            unless current_api_user.has_spree_role?('admin') || params[:show_deleted]
+              variants = @product.variants_including_master.accessible_by(current_ability, :read)
             else
-              variants = @product.variants_including_master.with_deleted
+              variants = @product.variants_including_master.with_deleted.accessible_by(current_ability, :read)
             end
           else
-            variants = Variant.scoped
-            if current_api_user.has_spree_role?("admin")
+            variants = Variant.accessible_by(current_ability, :read)
+            if current_api_user.has_spree_role?('admin')
               unless params[:show_deleted]
-                variants = Variant.active
+                variants = Variant.accessible_by(current_ability, :read).active
               end
             else
               variants = variants.active
@@ -70,6 +68,10 @@ module Spree
           end
           variants
         end
+        def variant_params
+          params.require(:variant).permit(permitted_variant_attributes)
+        end
     end
   end
 end

data/app/controllers/spree/api/zones_controller.rb CHANGED Viewed

@@ -2,15 +2,6 @@ module Spree
   module Api
     class ZonesController < Spree::Api::BaseController
-      def index
-        @zones = Zone.order('name ASC').ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
-        respond_with(@zones)
-      end
-      def show
-        respond_with(zone)
-      end
       def create
         authorize! :create, Zone
         @zone = Zone.new(map_nested_attributes_keys(Spree::Zone, params[:zone]))
@@ -21,8 +12,23 @@ module Spree
         end
       end
+      def destroy
+        authorize! :destroy, zone
+        zone.destroy
+        respond_with(zone, :status => 204)
+      end
+      def index
+        @zones = Zone.accessible_by(current_ability, :read).order('name ASC').ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+        respond_with(@zones)
+      end
+      def show
+        respond_with(zone)
+      end
       def update
-        authorize! :update, Zone
+        authorize! :update, zone
         if zone.update_attributes(map_nested_attributes_keys(Spree::Zone, params[:zone]))
           respond_with(zone, :status => 200, :default_template => :show)
         else
@@ -30,15 +36,10 @@ module Spree
         end
       end
-      def destroy
-        authorize! :delete, Zone
-        zone.destroy
-        respond_with(zone, :status => 204)
-      end
       private
       def zone
-        @zone ||= Spree::Zone.find(params[:id])
+        @zone ||= Spree::Zone.accessible_by(current_ability, :read).find(params[:id])
       end
     end
   end