spree_api 2.0.13 → 2.1.0

data/app/controllers/spree/api/shipments_controller.rb

@@ -1,61 +1,58 @@
 module Spree
   module Api
     class ShipmentsController < Spree::Api::BaseController
-      respond_to :json
 
       before_filter :find_order
-      before_filter :find_and_update_shipment, :only => [:ship, :ready, :add, :remove]
+      before_filter :find_and_update_shipment, only: [:ship, :ready, :add, :remove]
 
       def create
+        authorize! :create, Shipment
         variant = Spree::Variant.find(params[:variant_id])
         quantity = params[:quantity].to_i
-        @shipment = @order.shipments.create(:stock_location_id => params[:stock_location_id])
+        @shipment = @order.shipments.create(stock_location_id: params[:stock_location_id])
         @order.contents.add(variant, quantity, nil, @shipment)
 
         @shipment.refresh_rates
         @shipment.save!
 
-        respond_with(@shipment.reload, :default_template => :show)
+        respond_with(@shipment.reload, default_template: :show)
       end
 
       def update
-        authorize! :read, Shipment
-        @shipment = @order.shipments.find_by_number!(params[:id])
-        params[:shipment] ||= []
+        @shipment = @order.shipments.accessible_by(current_ability, :update).find_by!(number: params[:id])
+
         unlock = params[:shipment].delete(:unlock)
 
         if unlock == 'yes'
           @shipment.adjustment.open
         end
 
-        @shipment.update_attributes(params[:shipment])
+        @shipment.update_attributes(shipment_params)
 
         if unlock == 'yes'
           @shipment.adjustment.close
         end
 
         @shipment.reload
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
 
       def ready
-        authorize! :read, Shipment
         unless @shipment.ready?
           if @shipment.can_ready?
             @shipment.ready!
           else
-            render "spree/api/shipments/cannot_ready_shipment", :status => 422 and return
+            render 'spree/api/shipments/cannot_ready_shipment', status: 422 and return
           end
         end
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
 
       def ship
-        authorize! :read, Shipment
         unless @shipment.shipped?
           @shipment.ship!
         end
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
 
       def add
@@ -64,7 +61,7 @@ module Spree
 
         @order.contents.add(variant, quantity, nil, @shipment)
 
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
 
       def remove
@@ -73,21 +70,29 @@ module Spree
 
         @order.contents.remove(variant, quantity, @shipment)
         @shipment.reload if @shipment.persisted?
-        respond_with(@shipment, :default_template => :show)
+        respond_with(@shipment, default_template: :show)
       end
 
       private
 
       def find_order
-        @order = Spree::Order.find_by_number!(params[:order_id])
+        @order = Spree::Order.find_by!(number: params[:order_id])
         authorize! :read, @order
       end
 
       def find_and_update_shipment
-        @shipment = @order.shipments.find_by_number!(params[:id])
-        @shipment.update_attributes(params[:shipment])
+        @shipment = @order.shipments.accessible_by(current_ability, :update).find_by!(number: params[:id])
+        @shipment.update_attributes(shipment_params)
         @shipment.reload
       end
+
+      def shipment_params
+        if params[:shipment] && !params[:shipment].empty?
+          params.require(:shipment).permit(permitted_shipment_attributes)
+        else
+          {}
+        end
+      end
     end
   end
 end

data/app/controllers/spree/api/states_controller.rb

@@ -1,18 +1,20 @@
 module Spree
   module Api
     class StatesController < Spree::Api::BaseController
-      skip_before_filter :check_for_user_or_api_key
-      skip_before_filter :authenticate_user
+      skip_before_filter :set_expiry
 
       def index
         @states = scope.ransack(params[:q]).result.
-                  includes(:country).order("#{Spree::State.quoted_table_name}.name ASC")
+                    includes(:country).order('name ASC')
 
         if params[:page] || params[:per_page]
           @states = @states.page(params[:page]).per(params[:per_page])
         end
 
-        respond_with(@states)
+        state = @states.last
+        if stale?(state)
+          respond_with(@states)
+        end
       end
 
       def show
@@ -23,10 +25,10 @@ module Spree
       private
         def scope
           if params[:country_id]
-            @country = Country.find(params[:country_id])
-            return @country.states
+            @country = Country.accessible_by(current_ability, :read).find(params[:country_id])
+            return @country.states.accessible_by(current_ability, :read)
           else
-            return State.scoped
+            return State.accessible_by(current_ability, :read)
           end
         end
     end

data/app/controllers/spree/api/stock_items_controller.rb

@@ -4,13 +4,11 @@ module Spree
       before_filter :stock_location, except: [:update, :destroy]
 
       def index
-        authorize! :read, StockItem
         @stock_items = scope.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_items)
       end
 
       def show
-        authorize! :read, StockItem
         @stock_item = scope.find(params[:id])
         respond_with(@stock_item)
       end
@@ -21,10 +19,9 @@ module Spree
         count_on_hand = 0
         if params[:stock_item].has_key?(:count_on_hand)
           count_on_hand = params[:stock_item][:count_on_hand].to_i
-          params[:stock_item].delete(:count_on_hand)
         end
 
-        @stock_item = scope.new(params[:stock_item])
+        @stock_item = scope.new(stock_item_params)
         if @stock_item.save
           @stock_item.adjust_count_on_hand(count_on_hand)
           respond_with(@stock_item, status: 201, default_template: :show)
@@ -34,8 +31,7 @@ module Spree
       end
 
       def update
-        authorize! :update, StockItem
-        @stock_item = StockItem.find(params[:id])
+        @stock_item = StockItem.accessible_by(current_ability, :update).find(params[:id])
 
         count_on_hand = 0
         if params[:stock_item].has_key?(:count_on_hand)
@@ -54,8 +50,7 @@ module Spree
       end
 
       def destroy
-        authorize! :delete, StockItem
-        @stock_item = StockItem.find(params[:id])
+        @stock_item = StockItem.accessible_by(current_ability, :destroy).find(params[:id])
         @stock_item.destroy
         respond_with(@stock_item, status: 204)
       end
@@ -64,12 +59,15 @@ module Spree
 
       def stock_location
         render 'spree/api/shared/stock_location_required', status: 422 and return unless params[:stock_location_id]
-        @stock_location ||= StockLocation.find(params[:stock_location_id])
+        @stock_location ||= StockLocation.accessible_by(current_ability, :read).find(params[:stock_location_id])
       end
 
       def scope
-        includes = {:variant => [{ :option_values => :option_type }, :product] }
-        @stock_location.stock_items.includes(includes)
+        @stock_location.stock_items.accessible_by(current_ability, :read).includes(:variant => :product)
+      end
+
+      def stock_item_params
+        params.require(:stock_item).permit(permitted_stock_item_attributes)
       end
     end
   end

data/app/controllers/spree/api/stock_locations_controller.rb

@@ -2,19 +2,17 @@ module Spree
   module Api
     class StockLocationsController < Spree::Api::BaseController
       def index
-        authorize! :read, StockLocation
         @stock_locations = StockLocation.accessible_by(current_ability, :read).order('name ASC').ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_locations)
       end
 
       def show
-        authorize! :read, StockLocation
         respond_with(stock_location)
       end
 
       def create
         authorize! :create, StockLocation
-        @stock_location = StockLocation.new(params[:stock_location])
+        @stock_location = StockLocation.new(stock_location_params)
         if @stock_location.save
           respond_with(@stock_location, status: 201, default_template: :show)
         else
@@ -23,8 +21,8 @@ module Spree
       end
 
       def update
-        authorize! :update, StockLocation
-        if stock_location.update_attributes(params[:stock_location])
+        authorize! :update, stock_location
+        if stock_location.update_attributes(stock_location_params)
           respond_with(stock_location, status: 200, default_template: :show)
         else
           invalid_resource!(stock_location)
@@ -32,7 +30,7 @@ module Spree
       end
 
       def destroy
-        authorize! :delete, StockLocation
+        authorize! :destroy, stock_location
         stock_location.destroy
         respond_with(stock_location, :status => 204)
       end
@@ -40,7 +38,11 @@ module Spree
       private
 
       def stock_location
-        @stock_location ||= StockLocation.find(params[:id])
+        @stock_location ||= StockLocation.accessible_by(current_ability, :read).find(params[:id])
+      end
+
+      def stock_location_params
+        params.require(:stock_location).permit(permitted_stock_location_attributes)
       end
     end
   end

data/app/controllers/spree/api/stock_movements_controller.rb

@@ -4,20 +4,18 @@ module Spree
       before_filter :stock_location, except: [:update, :destroy]
 
       def index
-        authorize! :read, StockMovement
         @stock_movements = scope.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_movements)
       end
 
       def show
-        authorize! :read, StockMovement
         @stock_movement = scope.find(params[:id])
         respond_with(@stock_movement)
       end
 
       def create
         authorize! :create, StockMovement
-        @stock_movement = scope.new(params[:stock_movement])
+        @stock_movement = scope.new(stock_movement_params)
         if @stock_movement.save
           respond_with(@stock_movement, status: 201, default_template: :show)
         else
@@ -29,11 +27,15 @@ module Spree
 
       def stock_location
         render 'spree/api/shared/stock_location_required', status: 422 and return unless params[:stock_location_id]
-        @stock_location ||= StockLocation.find(params[:stock_location_id])
+        @stock_location ||= StockLocation.accessible_by(current_ability, :read).find(params[:stock_location_id])
       end
 
       def scope
-        @stock_location.stock_movements
+        @stock_location.stock_movements.accessible_by(current_ability, :read)
+      end
+
+      def stock_movement_params
+        params.require(:stock_movement).permit(permitted_stock_movement_attributes)
       end
     end
   end

data/app/controllers/spree/api/taxonomies_controller.rb

@@ -1,17 +1,16 @@
 module Spree
   module Api
     class TaxonomiesController < Spree::Api::BaseController
-      respond_to :json
 
       def index
-        @taxonomies = Taxonomy.order('name').includes(:root => :children).
+        @taxonomies = Taxonomy.accessible_by(current_ability, :read).order('name').includes(:root => :children).
                       ransack(params[:q]).result.
                       page(params[:page]).per(params[:per_page])
         respond_with(@taxonomies)
       end
 
       def show
-        @taxonomy = Taxonomy.find(params[:id])
+        @taxonomy = Taxonomy.accessible_by(current_ability, :read).find(params[:id])
         respond_with(@taxonomy)
       end
 
@@ -22,7 +21,7 @@ module Spree
 
       def create
         authorize! :create, Taxonomy
-        @taxonomy = Taxonomy.new(params[:taxonomy])
+        @taxonomy = Taxonomy.new(taxonomy_params)
         if @taxonomy.save
           respond_with(@taxonomy, :status => 201, :default_template => :show)
         else
@@ -31,8 +30,8 @@ module Spree
       end
 
       def update
-        authorize! :update, Taxonomy
-        if taxonomy.update_attributes(params[:taxonomy])
+        authorize! :update, taxonomy
+        if taxonomy.update_attributes(taxonomy_params)
           respond_with(taxonomy, :status => 200, :default_template => :show)
         else
           invalid_resource!(taxonomy)
@@ -40,7 +39,7 @@ module Spree
       end
 
       def destroy
-        authorize! :delete, Taxonomy
+        authorize! :destroy, taxonomy
         taxonomy.destroy
         respond_with(taxonomy, :status => 204)
       end
@@ -48,9 +47,16 @@ module Spree
       private
 
       def taxonomy
-        @taxonomy ||= Taxonomy.find(params[:id])
+        @taxonomy ||= Taxonomy.accessible_by(current_ability, :read).find(params[:id])
       end
 
+      def taxonomy_params
+        if params[:taxonomy] && !params[:taxonomy].empty?
+          params.require(:taxonomy).permit(permitted_taxonomy_attributes)
+        else
+          {}
+        end
+      end
     end
   end
 end

data/app/controllers/spree/api/taxons_controller.rb

@@ -1,16 +1,14 @@
 module Spree
   module Api
     class TaxonsController < Spree::Api::BaseController
-      respond_to :json
-
       def index
         if taxonomy
           @taxons = taxonomy.root.children
         else
           if params[:ids]
-            @taxons = Taxon.accessible_by(current_ability, :read).where(:id => params[:ids].split(","))
+            @taxons = Spree::Taxon.accessible_by(current_ability, :read).where(id: params[:ids].split(','))
           else
-            @taxons = Taxon.accessible_by(current_ability, :read).order(:taxonomy_id, :lft).ransack(params[:q]).result
+            @taxons = Spree::Taxon.accessible_by(current_ability, :read).order(:taxonomy_id, :lft).ransack(params[:q]).result
           end
         end
 
@@ -29,51 +27,58 @@ module Spree
 
       def create
         authorize! :create, Taxon
-        @taxon = Taxon.new(params[:taxon])
+        @taxon = Spree::Taxon.new(taxon_params)
         @taxon.taxonomy_id = params[:taxonomy_id]
-        taxonomy = Taxonomy.find_by_id(params[:taxonomy_id])
+        taxonomy = Spree::Taxonomy.find_by(id: params[:taxonomy_id])
 
         if taxonomy.nil?
-          @taxon.errors[:taxonomy_id] = I18n.t(:invalid_taxonomy_id, :scope => 'spree.api')
+          @taxon.errors[:taxonomy_id] = I18n.t(:invalid_taxonomy_id, scope: 'spree.api')
           invalid_resource!(@taxon) and return
         end
 
         @taxon.parent_id = taxonomy.root.id unless params[:taxon][:parent_id]
 
         if @taxon.save
-          respond_with(@taxon, :status => 201, :default_template => :show)
+          respond_with(@taxon, status: 201, default_template: :show)
         else
           invalid_resource!(@taxon)
         end
       end
 
       def update
-        authorize! :update, Taxon
-        if taxon.update_attributes(params[:taxon])
-          respond_with(taxon, :status => 200, :default_template => :show)
+        authorize! :update, taxon
+        if taxon.update_attributes(taxon_params)
+          respond_with(taxon, status: 200, default_template: :show)
         else
           invalid_resource!(taxon)
         end
       end
 
       def destroy
-        authorize! :delete, Taxon
+        authorize! :destroy, taxon
         taxon.destroy
-        respond_with(taxon, :status => 204)
+        respond_with(taxon, status: 204)
       end
 
       private
 
-      def taxonomy
-        if params[:taxonomy_id].present?
-          @taxonomy ||= Taxonomy.find(params[:taxonomy_id])
+        def taxonomy
+          if params[:taxonomy_id].present?
+            @taxonomy ||= Spree::Taxonomy.accessible_by(current_ability, :read).find(params[:taxonomy_id])
+          end
         end
-      end
 
-      def taxon
-        @taxon ||= taxonomy.taxons.find(params[:id])
-      end
+        def taxon
+          @taxon ||= taxonomy.taxons.accessible_by(current_ability, :read).find(params[:id])
+        end
 
+        def taxon_params
+          if params[:taxon] && !params[:taxon].empty?
+            params.require(:taxon).permit(permitted_taxon_attributes)
+          else
+            {}
+          end
+        end
     end
   end
 end

data/app/controllers/spree/api/users_controller.rb

@@ -1,7 +1,6 @@
 module Spree
   module Api
     class UsersController < Spree::Api::BaseController
-      respond_to :json
 
       def index
         @users = Spree.user_class.accessible_by(current_ability,:read).ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
@@ -9,7 +8,6 @@ module Spree
       end
 
       def show
-        authorize! :show, user
         respond_with(user)
       end
 
@@ -18,7 +16,7 @@ module Spree
 
       def create
         authorize! :create, Spree.user_class
-        @user = Spree.user_class.new(params[:user])
+        @user = Spree.user_class.new(user_params)
         if @user.save
           respond_with(@user, :status => 201, :default_template => :show)
         else
@@ -28,7 +26,7 @@ module Spree
 
       def update
         authorize! :update, user
-        if user.update_attributes(params[:user])
+        if user.update_attributes(user_params)
           respond_with(user, :status => 200, :default_template => :show)
         else
           invalid_resource!(user)
@@ -44,7 +42,11 @@ module Spree
       private
 
       def user
-        @user ||= Spree.user_class.find(params[:id])
+        @user ||= Spree.user_class.accessible_by(current_ability, :read).find(params[:id])
+      end
+
+      def user_params
+        params.require(:user).permit(permitted_user_attributes)
       end
     end
   end

data/app/controllers/spree/api/variants_controller.rb

@@ -1,68 +1,66 @@
 module Spree
   module Api
     class VariantsController < Spree::Api::BaseController
-      respond_to :json
 
       before_filter :product
 
+      def create
+        authorize! :create, Variant
+        @variant = scope.new(variant_params)
+        if @variant.save
+          respond_with(@variant, status: 201, default_template: :show)
+        else
+          invalid_resource!(@variant)
+        end
+      end
+
+      def destroy
+        @variant = scope.accessible_by(current_ability, :destroy).find(params[:id])
+        @variant.destroy
+        respond_with(@variant, status: 204)
+      end
+
       def index
-        @variants = scope.includes(:option_values, :stock_items, :product, :images, :prices).ransack(params[:q]).result.
+        @variants = scope.includes(:option_values).ransack(params[:q]).result.
           page(params[:page]).per(params[:per_page])
         respond_with(@variants)
       end
 
-      def show
-        @variant = scope.includes(:option_values).find(params[:id])
-        respond_with(@variant)
-      end
-
       def new
       end
 
-      def create
-        authorize! :create, Variant
-        @variant = scope.new(params[:variant])
-        if @variant.save
-          respond_with(@variant, :status => 201, :default_template => :show)
-        else
-          invalid_resource!(@variant)
-        end
+      def show
+        @variant = scope.includes(:option_values).find(params[:id])
+        respond_with(@variant)
       end
 
       def update
-        authorize! :update, Variant
-        @variant = scope.find(params[:id])
-        if @variant.update_attributes(params[:variant])
-          respond_with(@variant, :status => 200, :default_template => :show)
+        @variant = scope.accessible_by(current_ability, :update).find(params[:id])
+        if @variant.update_attributes(variant_params)
+          respond_with(@variant, status: 200, default_template: :show)
         else
           invalid_resource!(@product)
         end
       end
 
-      def destroy
-        authorize! :delete, Variant
-        @variant = scope.find(params[:id])
-        @variant.destroy
-        respond_with(@variant, :status => 204)
-      end
-
       private
+
         def product
-          @product ||= Spree::Product.find_by_permalink(params[:product_id]) if params[:product_id]
+          @product ||= Spree::Product.accessible_by(current_ability, :read).find_by(permalink: params[:product_id]) if params[:product_id]
         end
 
         def scope
           if @product
-            unless current_api_user.has_spree_role?("admin") || params[:show_deleted]
-              variants = @product.variants_including_master
+            unless current_api_user.has_spree_role?('admin') || params[:show_deleted]
+              variants = @product.variants_including_master.accessible_by(current_ability, :read)
             else
-              variants = @product.variants_including_master.with_deleted
+              variants = @product.variants_including_master.with_deleted.accessible_by(current_ability, :read)
             end
           else
-            variants = Variant.scoped
-            if current_api_user.has_spree_role?("admin")
+            variants = Variant.accessible_by(current_ability, :read)
+            if current_api_user.has_spree_role?('admin')
               unless params[:show_deleted]
-                variants = Variant.active
+                variants = Variant.accessible_by(current_ability, :read).active
               end
             else
               variants = variants.active
@@ -70,6 +68,10 @@ module Spree
           end
           variants
         end
+
+        def variant_params
+          params.require(:variant).permit(permitted_variant_attributes)
+        end
     end
   end
 end

data/app/controllers/spree/api/zones_controller.rb

@@ -2,15 +2,6 @@ module Spree
   module Api
     class ZonesController < Spree::Api::BaseController
 
-      def index
-        @zones = Zone.order('name ASC').ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
-        respond_with(@zones)
-      end
-
-      def show
-        respond_with(zone)
-      end
-
       def create
         authorize! :create, Zone
         @zone = Zone.new(map_nested_attributes_keys(Spree::Zone, params[:zone]))
@@ -21,8 +12,23 @@ module Spree
         end
       end
 
+      def destroy
+        authorize! :destroy, zone
+        zone.destroy
+        respond_with(zone, :status => 204)
+      end
+
+      def index
+        @zones = Zone.accessible_by(current_ability, :read).order('name ASC').ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+        respond_with(@zones)
+      end
+
+      def show
+        respond_with(zone)
+      end
+
       def update
-        authorize! :update, Zone
+        authorize! :update, zone
         if zone.update_attributes(map_nested_attributes_keys(Spree::Zone, params[:zone]))
           respond_with(zone, :status => 200, :default_template => :show)
         else
@@ -30,15 +36,10 @@ module Spree
         end
       end
 
-      def destroy
-        authorize! :delete, Zone
-        zone.destroy
-        respond_with(zone, :status => 204)
-      end
-
       private
+
       def zone
-        @zone ||= Spree::Zone.find(params[:id])
+        @zone ||= Spree::Zone.accessible_by(current_ability, :read).find(params[:id])
       end
     end
   end