spree_api 3.0.10 → 3.1.0.rc1

data/app/controllers/spree/api/v1/line_items_controller.rb

@@ -0,0 +1,70 @@
+module Spree
+  module Api
+    module V1
+      class LineItemsController < Spree::Api::BaseController
+        class_attribute :line_item_options
+
+        self.line_item_options = []
+
+        def create
+          variant = Spree::Variant.find(params[:line_item][:variant_id])
+          @line_item = order.contents.add(
+              variant,
+              params[:line_item][:quantity] || 1,
+              line_item_params[:options] || {}
+          )
+
+          if @line_item.errors.empty?
+            respond_with(@line_item, status: 201, default_template: :show)
+          else
+            invalid_resource!(@line_item)
+          end
+        end
+
+        def update
+          @line_item = find_line_item
+          if @order.contents.update_cart(line_items_attributes)
+            @line_item.reload
+            respond_with(@line_item, default_template: :show)
+          else
+            invalid_resource!(@line_item)
+          end
+        end
+
+        def destroy
+          @line_item = find_line_item
+          @order.contents.remove_line_item(@line_item)
+          respond_with(@line_item, status: 204)
+        end
+
+        private
+          def order
+            @order ||= Spree::Order.includes(:line_items).find_by!(number: order_id)
+            authorize! :update, @order, order_token
+          end
+
+          def find_line_item
+            id = params[:id].to_i
+            order.line_items.detect { |line_item| line_item.id == id } or
+                raise ActiveRecord::RecordNotFound
+          end
+
+          def line_items_attributes
+            {line_items_attributes: {
+                id: params[:id],
+                quantity: params[:line_item][:quantity],
+                options: line_item_params[:options] || {}
+            }}
+          end
+
+          def line_item_params
+            params.require(:line_item).permit(
+                :quantity,
+                :variant_id,
+                options: line_item_options
+            )
+          end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/option_types_controller.rb

@@ -0,0 +1,51 @@
+module Spree
+  module Api
+    module V1
+      class OptionTypesController < Spree::Api::BaseController
+        def index
+          if params[:ids]
+            @option_types = Spree::OptionType.includes(:option_values).accessible_by(current_ability, :read).where(id: params[:ids].split(','))
+          else
+            @option_types = Spree::OptionType.includes(:option_values).accessible_by(current_ability, :read).load.ransack(params[:q]).result
+          end
+          respond_with(@option_types)
+        end
+
+        def show
+          @option_type = Spree::OptionType.accessible_by(current_ability, :read).find(params[:id])
+          respond_with(@option_type)
+        end
+
+        def create
+          authorize! :create, Spree::OptionType
+          @option_type = Spree::OptionType.new(option_type_params)
+          if @option_type.save
+            render :show, :status => 201
+          else
+            invalid_resource!(@option_type)
+          end
+        end
+
+        def update
+          @option_type = Spree::OptionType.accessible_by(current_ability, :update).find(params[:id])
+          if @option_type.update_attributes(option_type_params)
+            render :show
+          else
+            invalid_resource!(@option_type)
+          end
+        end
+
+        def destroy
+          @option_type = Spree::OptionType.accessible_by(current_ability, :destroy).find(params[:id])
+          @option_type.destroy
+          render :text => nil, :status => 204
+        end
+
+        private
+          def option_type_params
+            params.require(:option_type).permit(permitted_option_type_attributes)
+          end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/option_values_controller.rb

@@ -0,0 +1,60 @@
+module Spree
+  module Api
+    module V1
+      class OptionValuesController < Spree::Api::BaseController
+        def index
+          if params[:ids]
+            @option_values = scope.where(:id => params[:ids])
+          else
+            @option_values = scope.ransack(params[:q]).result.distinct
+          end
+          respond_with(@option_values)
+        end
+
+        def show
+          @option_value = scope.find(params[:id])
+          respond_with(@option_value)
+        end
+
+        def create
+          authorize! :create, Spree::OptionValue
+          @option_value = scope.new(option_value_params)
+          if @option_value.save
+            render :show, :status => 201
+          else
+            invalid_resource!(@option_value)
+          end
+        end
+
+        def update
+          @option_value = scope.accessible_by(current_ability, :update).find(params[:id])
+          if @option_value.update_attributes(option_value_params)
+            render :show
+          else
+            invalid_resource!(@option_value)
+          end
+        end
+
+        def destroy
+          @option_value = scope.accessible_by(current_ability, :destroy).find(params[:id])
+          @option_value.destroy
+          render :text => nil, :status => 204
+        end
+
+        private
+
+          def scope
+            if params[:option_type_id]
+              @scope ||= Spree::OptionType.find(params[:option_type_id]).option_values.accessible_by(current_ability, :read)
+            else
+              @scope ||= Spree::OptionValue.accessible_by(current_ability, :read).load
+            end
+          end
+
+          def option_value_params
+            params.require(:option_value).permit(permitted_option_value_attributes)
+          end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/orders_controller.rb

@@ -0,0 +1,137 @@
+module Spree
+  module Api
+    module V1
+      class OrdersController < Spree::Api::BaseController
+        skip_before_action :authenticate_user, only: :apply_coupon_code
+
+        before_action :find_order, except: [:create, :mine, :current, :index, :update]
+
+        # Dynamically defines our stores checkout steps to ensure we check authorization on each step.
+        Order.checkout_steps.keys.each do |step|
+          define_method step do
+            find_order
+            authorize! :update, @order, params[:token]
+          end
+        end
+
+        def cancel
+          authorize! :update, @order, params[:token]
+          @order.canceled_by(current_api_user)
+          respond_with(@order, default_template: :show)
+        end
+
+        def approve
+          authorize! :approve, @order, params[:token]
+          @order.approved_by(current_api_user)
+          respond_with(@order, default_template: :show)
+        end
+
+        def create
+          authorize! :create, Order
+          order_user = if @current_user_roles.include?('admin') && order_params[:user_id]
+            Spree.user_class.find(order_params[:user_id])
+          else
+            current_api_user
+          end
+
+          import_params = if @current_user_roles.include?("admin")
+            params[:order].present? ? params[:order].permit! : {}
+          else
+            order_params
+          end
+
+          @order = Spree::Core::Importer::Order.import(order_user, import_params)
+          respond_with(@order, default_template: :show, status: 201)
+        end
+
+        def empty
+          authorize! :update, @order, order_token
+          @order.empty!
+          render text: nil, status: 204
+        end
+
+        def index
+          authorize! :index, Order
+          @orders = Order.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+          respond_with(@orders)
+        end
+
+        def show
+          authorize! :show, @order, order_token
+          respond_with(@order)
+        end
+
+        def update
+          find_order(true)
+          authorize! :update, @order, order_token
+
+          if @order.contents.update_cart(order_params)
+            user_id = params[:order][:user_id]
+            if current_api_user.has_spree_role?('admin') && user_id
+              @order.associate_user!(Spree.user_class.find(user_id))
+            end
+            respond_with(@order, default_template: :show)
+          else
+            invalid_resource!(@order)
+          end
+        end
+
+        def current
+          @order = find_current_order
+          if @order
+            respond_with(@order, default_template: :show, locals: { root_object: @order })
+          else
+            head :no_content
+          end
+        end
+
+        def mine
+          if current_api_user.persisted?
+            @orders = current_api_user.orders.reverse_chronological.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+          else
+            render "spree/api/errors/unauthorized", status: :unauthorized
+          end
+        end
+
+        def apply_coupon_code
+          find_order
+          authorize! :update, @order, order_token
+          @order.coupon_code = params[:coupon_code]
+          @handler = PromotionHandler::Coupon.new(@order).apply
+          status = @handler.successful? ? 200 : 422
+          render "spree/api/v1/promotions/handler", status: status
+        end
+
+        private
+          def order_params
+            if params[:order]
+              normalize_params
+              params.require(:order).permit(permitted_order_attributes)
+            else
+              {}
+            end
+          end
+
+          def normalize_params
+            params[:order][:payments_attributes] = params[:order].delete(:payments) if params[:order][:payments]
+            params[:order][:shipments_attributes] = params[:order].delete(:shipments) if params[:order][:shipments]
+            params[:order][:line_items_attributes] = params[:order].delete(:line_items) if params[:order][:line_items]
+            params[:order][:ship_address_attributes] = params[:order].delete(:ship_address) if params[:order][:ship_address]
+            params[:order][:bill_address_attributes] = params[:order].delete(:bill_address) if params[:order][:bill_address]
+          end
+
+          def find_order(lock = false)
+            @order = Spree::Order.lock(lock).friendly.find(params[:id])
+          end
+
+          def find_current_order
+            current_api_user ? current_api_user.orders.incomplete.order(:created_at).last : nil
+          end
+
+          def order_id
+            super || params[:id]
+          end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/payments_controller.rb

@@ -0,0 +1,82 @@
+module Spree
+  module Api
+    module V1
+      class PaymentsController < Spree::Api::BaseController
+
+        before_action :find_order
+        before_action :find_payment, only: [:update, :show, :authorize, :purchase, :capture, :void]
+
+        def index
+          @payments = @order.payments.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+          respond_with(@payments)
+        end
+
+        def new
+          @payment_methods = Spree::PaymentMethod.available
+          respond_with(@payment_methods)
+        end
+
+        def create
+          @payment = @order.payments.build(payment_params)
+          if @payment.save
+            respond_with(@payment, status: 201, default_template: :show)
+          else
+            invalid_resource!(@payment)
+          end
+        end
+
+        def update
+          authorize! params[:action], @payment
+          if !@payment.editable?
+            render 'update_forbidden', status: 403
+          elsif @payment.update_attributes(payment_params)
+            respond_with(@payment, default_template: :show)
+          else
+            invalid_resource!(@payment)
+          end
+        end
+
+        def show
+          respond_with(@payment)
+        end
+
+        def authorize
+          perform_payment_action(:authorize)
+        end
+
+        def capture
+          perform_payment_action(:capture)
+        end
+
+        def purchase
+          perform_payment_action(:purchase)
+        end
+
+        def void
+          perform_payment_action(:void_transaction)
+        end
+
+        private
+
+          def find_order
+            @order = Spree::Order.friendly.find(order_id)
+            authorize! :read, @order, order_token
+          end
+
+          def find_payment
+            @payment = @order.payments.friendly.find(params[:id])
+          end
+
+          def perform_payment_action(action, *args)
+            authorize! action, Payment
+            @payment.send("#{action}!", *args)
+            respond_with(@payment, default_template: :show)
+          end
+
+          def payment_params
+            params.require(:payment).permit(permitted_payment_attributes)
+          end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/product_properties_controller.rb

@@ -0,0 +1,73 @@
+module Spree
+  module Api
+    module V1
+      class ProductPropertiesController < Spree::Api::BaseController
+        before_action :find_product
+        before_action :product_property, only: [:show, :update, :destroy]
+
+        def index
+          @product_properties = @product.product_properties.accessible_by(current_ability, :read).
+                                ransack(params[:q]).result.
+                                page(params[:page]).per(params[:per_page])
+          respond_with(@product_properties)
+        end
+
+        def show
+          respond_with(@product_property)
+        end
+
+        def new
+        end
+
+        def create
+          authorize! :create, ProductProperty
+          @product_property = @product.product_properties.new(product_property_params)
+          if @product_property.save
+            respond_with(@product_property, status: 201, default_template: :show)
+          else
+            invalid_resource!(@product_property)
+          end
+        end
+
+        def update
+          if @product_property
+            authorize! :update, @product_property
+            @product_property.update_attributes(product_property_params)
+            respond_with(@product_property, status: 200, default_template: :show)
+          else
+            invalid_resource!(@product_property)
+          end
+        end
+
+        def destroy
+          if @product_property
+            authorize! :destroy, @product_property
+            @product_property.destroy
+            respond_with(@product_property, status: 204)
+          else
+            invalid_resource!(@product_property)
+          end
+        end
+
+        private
+
+        def find_product
+          @product = super(params[:product_id])
+          authorize! :read, @product
+        end
+
+        def product_property
+          if @product
+            @product_property ||= @product.product_properties.find_by(id: params[:id])
+            @product_property ||= @product.product_properties.includes(:property).where(spree_properties: { name: params[:id] }).first
+            authorize! :read, @product_property
+          end
+        end
+
+        def product_property_params
+          params.require(:product_property).permit(permitted_product_properties_attributes)
+        end
+      end
+    end
+  end
+end