spree_api 3.2.9 → 3.3.0.rc1

data/spec/controllers/spree/api/v1/users_controller_spec.rb

@@ -0,0 +1,153 @@
+require 'spec_helper'
+
+module Spree
+  describe Api::V1::UsersController, type: :controller do
+    render_views
+
+    let(:user) { create(:user, spree_api_key: rand.to_s) }
+    let(:stranger) { create(:user, email: 'stranger@example.com') }
+    let(:attributes) { [:id, :email, :created_at, :updated_at] }
+
+    context "as a normal user" do
+      it "can get own details" do
+        api_get :show, id: user.id, token: user.spree_api_key
+
+        expect(json_response['email']).to eq user.email
+      end
+
+      it "cannot get other users details" do
+        api_get :show, id: stranger.id, token: user.spree_api_key
+
+        assert_not_found!
+      end
+
+      it "can learn how to create a new user" do
+        api_get :new, token: user.spree_api_key
+        expect(json_response["attributes"]).to eq(attributes.map(&:to_s))
+      end
+
+      it "can create a new user" do
+        user_params = {
+          email: 'new@example.com', password: 'spree123', password_confirmation: 'spree123'
+        }
+
+        api_post :create, user: user_params, token: user.spree_api_key
+        expect(json_response['email']).to eq 'new@example.com'
+      end
+
+      # there's no validations on LegacyUser?
+      xit "cannot create a new user with invalid attributes" do
+        api_post :create, user: {}, token: user.spree_api_key
+        expect(response.status).to eq(422)
+        expect(json_response["error"]).to eq("Invalid resource. Please fix errors and try again.")
+        errors = json_response["errors"]
+      end
+
+      it "can update own details" do
+        country = create(:country)
+        api_put :update, id: user.id, token: user.spree_api_key, user: {
+          email: "mine@example.com",
+          bill_address_attributes: {
+            first_name: 'First',
+            last_name: 'Last',
+            address1: '1 Test Rd',
+            city: 'City',
+            country_id: country.id,
+            state_id: 1,
+            zipcode: '55555',
+            phone: '5555555555'
+          },
+          ship_address_attributes: {
+            first_name: 'First',
+            last_name: 'Last',
+            address1: '1 Test Rd',
+            city: 'City',
+            country_id: country.id,
+            state_id: 1,
+            zipcode: '55555',
+            phone: '5555555555'
+          }
+        }
+        expect(json_response['email']).to eq 'mine@example.com'
+        expect(json_response['bill_address']).to_not be_nil
+        expect(json_response['ship_address']).to_not be_nil
+      end
+
+      it "cannot update other users details" do
+        api_put :update, id: stranger.id, token: user.spree_api_key, user: { email: "mine@example.com" }
+        assert_not_found!
+      end
+
+      it "can delete itself" do
+        api_delete :destroy, id: user.id, token: user.spree_api_key
+        expect(response.status).to eq(204)
+      end
+
+      it "cannot delete other user" do
+        api_delete :destroy, id: stranger.id, token: user.spree_api_key
+        assert_not_found!
+      end
+
+      it "should only get own details on index" do
+        2.times { create(:user) }
+        api_get :index, token: user.spree_api_key
+
+        expect(Spree.user_class.count).to eq 3
+        expect(json_response['count']).to eq 1
+        expect(json_response['users'].size).to eq 1
+      end
+    end
+
+    context "as an admin" do
+      before { stub_authentication! }
+
+      sign_in_as_admin!
+
+      it "gets all users" do
+        allow(Spree::LegacyUser).to receive(:find_by).with(hash_including(:spree_api_key)) { current_api_user }
+
+        2.times { create(:user) }
+
+        api_get :index
+        expect(Spree.user_class.count).to eq 2
+        expect(json_response['count']).to eq 2
+        expect(json_response['users'].size).to eq 2
+      end
+
+      it 'can control the page size through a parameter' do
+        2.times { create(:user) }
+        api_get :index, per_page: 1
+        expect(json_response['count']).to eq(1)
+        expect(json_response['current_page']).to eq(1)
+        expect(json_response['pages']).to eq(2)
+      end
+
+      it 'can query the results through a paramter' do
+        expected_result = create(:user, email: 'brian@spreecommerce.com')
+        api_get :index, q: { email_cont: 'brian' }
+        expect(json_response['count']).to eq(1)
+        expect(json_response['users'].first['email']).to eq expected_result.email
+      end
+
+      it "can create" do
+        api_post :create, user: { email: "new@example.com", password: 'spree123', password_confirmation: 'spree123' }
+        expect(json_response).to have_attributes(attributes)
+        expect(response.status).to eq(201)
+      end
+
+      it "can destroy user without orders" do
+        user.orders.destroy_all
+        api_delete :destroy, id: user.id
+        expect(response.status).to eq(204)
+      end
+
+      it "cannot destroy user with orders" do
+        create(:completed_order_with_totals, user: user)
+        api_delete :destroy, id: user.id
+        expect(json_response["exception"]).to eq "Spree::Core::DestroyWithOrdersError"
+        expect(response.status).to eq(422)
+      end
+
+    end
+  end
+end

data/spec/controllers/spree/api/v1/variants_controller_spec.rb

@@ -0,0 +1,205 @@
+require 'spec_helper'
+
+module Spree
+  describe Api::V1::VariantsController, type: :controller do
+    render_views
+
+    let(:option_value) { create(:option_value) }
+    let!(:product) { create(:product) }
+    let!(:variant) do
+      variant = product.master
+      variant.option_values << option_value
+      variant
+    end
+
+    let!(:base_attributes) { Api::ApiHelpers.variant_attributes }
+    let!(:show_attributes) { base_attributes.dup.push(:in_stock, :display_price) }
+    let!(:new_attributes) { base_attributes }
+
+    before do
+      stub_authentication!
+    end
+
+    it "can see a paginated list of variants" do
+      api_get :index
+      first_variant = json_response["variants"].first
+      expect(first_variant).to have_attributes(show_attributes)
+      expect(first_variant["stock_items"]).to be_present
+      expect(json_response["count"]).to eq(1)
+      expect(json_response["current_page"]).to eq(1)
+      expect(json_response["pages"]).to eq(1)
+    end
+
+    it 'can control the page size through a parameter' do
+      create(:variant)
+      api_get :index, per_page: 1
+      expect(json_response['count']).to eq(1)
+      expect(json_response['current_page']).to eq(1)
+      expect(json_response['pages']).to eq(3)
+    end
+
+    it 'can query the results through a parameter' do
+      expected_result = create(:variant, sku: 'FOOBAR')
+      api_get :index, q: { sku_cont: 'FOO' }
+      expect(json_response['count']).to eq(1)
+      expect(json_response['variants'].first['sku']).to eq expected_result.sku
+    end
+
+    it "variants returned contain option values data" do
+      api_get :index
+      option_values = json_response["variants"].last["option_values"]
+      expect(option_values.first).to have_attributes([:name,
+                                                 :presentation,
+                                                 :option_type_name,
+                                                 :option_type_id])
+    end
+
+    it "variants returned contain images data" do
+      variant.images.create!(attachment: image("thinking-cat.jpg"))
+
+      api_get :index
+
+      expect(json_response["variants"].last).to have_attributes([:images])
+      expect(json_response['variants'].first['images'].first).to have_attributes([:attachment_file_name,
+                                                                               :attachment_width,
+                                                                               :attachment_height,
+                                                                               :attachment_content_type,
+                                                                               :mini_url,
+                                                                               :small_url,
+                                                                               :product_url,
+                                                                               :large_url])
+
+    end
+
+    it 'variants returned do not contain cost price data' do
+      api_get :index
+      expect(json_response["variants"].first.has_key?(:cost_price)).to eq false
+    end
+
+    # Regression test for #2141
+    context "a deleted variant" do
+      before do
+        variant.update_column(:deleted_at, Time.current)
+      end
+
+      it "is not returned in the results" do
+        api_get :index
+        expect(json_response["variants"].count).to eq(0)
+      end
+
+      it "is not returned even when show_deleted is passed" do
+        api_get :index, show_deleted: true
+        expect(json_response["variants"].count).to eq(0)
+      end
+    end
+
+    context "pagination" do
+      it "can select the next page of variants" do
+        second_variant = create(:variant)
+        api_get :index, page: 2, per_page: 1
+        expect(json_response["variants"].first).to have_attributes(show_attributes)
+        expect(json_response["total_count"]).to eq(3)
+        expect(json_response["current_page"]).to eq(2)
+        expect(json_response["pages"]).to eq(3)
+      end
+    end
+
+    it "can see a single variant" do
+      api_get :show, id: variant.to_param
+      expect(json_response).to have_attributes(show_attributes)
+      expect(json_response["stock_items"]).to be_present
+      option_values = json_response["option_values"]
+      expect(option_values.first).to have_attributes([:name,
+                                                 :presentation,
+                                                 :option_type_name,
+                                                 :option_type_id])
+    end
+
+    it "can see a single variant with images" do
+      variant.images.create!(attachment: image("thinking-cat.jpg"))
+
+      api_get :show, id: variant.to_param
+
+      expect(json_response).to have_attributes(show_attributes + [:images])
+      option_values = json_response["option_values"]
+      expect(option_values.first).to have_attributes([:name,
+                                                 :presentation,
+                                                 :option_type_name,
+                                                 :option_type_id])
+    end
+
+    it "can learn how to create a new variant" do
+      api_get :new
+      expect(json_response["attributes"]).to eq(new_attributes.map(&:to_s))
+      expect(json_response["required_attributes"]).to be_empty
+    end
+
+    it "cannot create a new variant if not an admin" do
+      api_post :create, variant: { sku: "12345" }
+      assert_unauthorized!
+    end
+
+    it "cannot update a variant" do
+      api_put :update, id: variant.to_param, variant: { sku: "12345" }
+      assert_not_found!
+    end
+
+    it "cannot delete a variant" do
+      api_delete :destroy, id: variant.to_param
+      assert_not_found!
+      expect { variant.reload }.not_to raise_error
+    end
+
+    context "as an admin" do
+      sign_in_as_admin!
+      let(:resource_scoping) { { product_id: variant.product.to_param } }
+
+      # Test for #2141
+      context "deleted variants" do
+        before do
+          variant.update_column(:deleted_at, Time.current)
+        end
+
+        it "are visible by admin" do
+          api_get :index, show_deleted: 1
+          expect(json_response["variants"].count).to eq(1)
+        end
+      end
+
+      it "can create a new variant" do
+        other_value = create(:option_value)
+        api_post :create, variant: {
+          sku: "12345",
+          price: "20",
+          option_value_ids: [option_value.id, other_value.id]
+        }
+
+        expect(json_response).to have_attributes(new_attributes)
+        expect(response.status).to eq(201)
+        expect(json_response["sku"]).to eq("12345")
+        expect(json_response["price"]).to match "20"
+
+        option_value_ids = json_response["option_values"].map { |o| o['id'] }
+        expect(option_value_ids).to match_array [option_value.id, other_value.id]
+
+        expect(variant.product.variants.count).to eq(1)
+      end
+
+      it "can update a variant" do
+        api_put :update, id: variant.to_param, variant: { sku: "12345" }
+        expect(response.status).to eq(200)
+      end
+
+      it "can delete a variant" do
+        api_delete :destroy, id: variant.to_param
+        expect(response.status).to eq(204)
+        expect { Spree::Variant.find(variant.id) }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+
+      it 'variants returned contain cost price data' do
+        api_get :index
+        expect(json_response["variants"].first.has_key?(:cost_price)).to eq true
+      end
+    end
+  end
+end

data/spec/controllers/spree/api/v1/zones_controller_spec.rb

@@ -0,0 +1,91 @@
+require 'spec_helper'
+
+module Spree
+  describe Api::V1::ZonesController, type: :controller do
+    render_views
+
+    let!(:attributes) { [:id, :name, :zone_members] }
+
+    before do
+      stub_authentication!
+      @zone = create(:zone, name: 'Europe')
+    end
+
+    it "gets list of zones" do
+      api_get :index
+      expect(json_response['zones'].first).to have_attributes(attributes)
+    end
+
+    it 'can control the page size through a parameter' do
+      create(:zone)
+      api_get :index, per_page: 1
+      expect(json_response['count']).to eq(1)
+      expect(json_response['current_page']).to eq(1)
+      expect(json_response['pages']).to eq(2)
+    end
+
+    it 'can query the results through a paramter' do
+      expected_result = create(:zone, name: 'South America')
+      api_get :index, q: { name_cont: 'south' }
+      expect(json_response['count']).to eq(1)
+      expect(json_response['zones'].first['name']).to eq expected_result.name
+    end
+
+    it "gets a zone" do
+      api_get :show, id: @zone.id
+      expect(json_response).to have_attributes(attributes)
+      expect(json_response['name']).to eq @zone.name
+      expect(json_response['zone_members'].size).to eq @zone.zone_members.count
+    end
+
+    context "as an admin" do
+      sign_in_as_admin!
+
+      let!(:country) { create(:country) }
+
+      it "can create a new zone" do
+        params = {
+          zone: {
+            name: "North Pole",
+            zone_members: [
+              {
+                zoneable_type: "Spree::Country",
+                zoneable_id: country.id
+              }
+            ]
+          }
+        }
+
+        api_post :create, params
+        expect(response.status).to eq(201)
+        expect(json_response).to have_attributes(attributes)
+        expect(json_response["zone_members"]).not_to be_empty
+      end
+
+      it "updates a zone" do
+        params = { id: @zone.id,
+          zone: {
+            name: "North Pole",
+            zone_members: [
+              {
+                zoneable_type: "Spree::Country",
+                zoneable_id: country.id
+              }
+            ]
+          }
+        }
+
+        api_put :update, params
+        expect(response.status).to eq(200)
+        expect(json_response['name']).to eq 'North Pole'
+        expect(json_response['zone_members']).not_to be_blank
+      end
+
+      it "can delete a zone" do
+        api_delete :destroy, id: @zone.id
+        expect(response.status).to eq(204)
+        expect { @zone.reload }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+  end
+end

data/spec/models/spree/legacy_user_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+module Spree
+  describe LegacyUser, type: :model do
+    let(:user) { LegacyUser.new }
+
+    it "can generate an API key" do
+      expect(user).to receive(:save!)
+      user.generate_spree_api_key!
+      expect(user.spree_api_key).not_to be_blank
+    end
+
+    it "can clear an API key" do
+      expect(user).to receive(:save!)
+      user.clear_spree_api_key!
+      expect(user.spree_api_key).to be_blank
+    end
+  end
+end

data/spec/requests/rabl_cache_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+describe "Rabl Cache", type: :request, caching: true do
+  let!(:user)  { create(:admin_user) }
+
+  before do
+    create(:variant)
+    user.generate_spree_api_key!
+    expect(Spree::Product.count).to eq(1)
+  end
+
+  it "doesn't create a cache key collision for models with different rabl templates" do
+    get "/api/v1/variants", params: { token: user.spree_api_key }
+    expect(response.status).to eq(200)
+
+    # Make sure we get a non master variant
+    variant_a = JSON.parse(response.body)['variants'].select do |v|
+      !v['is_master']
+    end.first
+
+    expect(variant_a['is_master']).to be false
+    expect(variant_a['stock_items']).not_to be_nil
+
+    get "/api/v1/products/#{Spree::Product.first.id}", params: { token: user.spree_api_key }
+    expect(response.status).to eq(200)
+    variant_b = JSON.parse(response.body)['variants'].last
+    expect(variant_b['is_master']).to be false
+
+    expect(variant_a['id']).to eq(variant_b['id'])
+    expect(variant_b['stock_items']).to be_nil
+  end
+end

data/spec/requests/ransackable_attributes_spec.rb

@@ -0,0 +1,79 @@
+require 'spec_helper'
+
+describe "Ransackable Attributes" do
+  let(:user) { create(:user).tap(&:generate_spree_api_key!) }
+  let(:order) { create(:order_with_line_items, user: user) }
+  context "filtering by attributes one association away" do
+    it "does not allow the filtering of variants by order attributes" do
+      2.times { create(:variant) }
+
+      get "/api/v1/variants?q[orders_email_start]=#{order.email}", params: { token: user.spree_api_key }
+
+      variants_response = JSON.parse(response.body)
+      expect(variants_response['total_count']).to eq(Spree::Variant.count)
+    end
+  end
+
+  context "filtering by attributes two associations away" do
+    it "does not allow the filtering of variants by user attributes" do
+      2.times { create(:variant) }
+
+      get "/api/v1/variants?q[orders_user_email_start]=#{order.user.email}", params: { token: user.spree_api_key }
+
+      variants_response = JSON.parse(response.body)
+      expect(variants_response['total_count']).to eq(Spree::Variant.count)
+    end
+  end
+
+  context "it maintains desired association behavior" do
+    it "allows filtering of variants product name" do
+      product = create(:product, name: "Fritos")
+      variant = create(:variant, product: product)
+      other_variant = create(:variant)
+
+      get "/api/v1/variants?q[product_name_or_sku_cont]=fritos", params: { token: user.spree_api_key }
+
+      skus = JSON.parse(response.body)['variants'].map { |variant| variant['sku'] }
+      expect(skus).to include variant.sku
+      expect(skus).not_to include other_variant.sku
+    end
+  end
+
+  context "filtering by attributes" do
+    it "most attributes are not filterable by default" do
+      product = create(:product, meta_title: "special product")
+      other_product = create(:product)
+
+      get "/api/v1/products?q[meta_title_cont]=special", params: { token: user.spree_api_key }
+
+      products_response = JSON.parse(response.body)
+      expect(products_response['total_count']).to eq(Spree::Product.count)
+    end
+
+    it "id is filterable by default" do
+      product = create(:product)
+      other_product = create(:product)
+
+      get "/api/v1/products?q[id_eq]=#{product.id}", params: { token: user.spree_api_key }
+
+      product_names = JSON.parse(response.body)['products'].map { |product| product['name'] }
+      expect(product_names).to include product.name
+      expect(product_names).not_to include other_product.name
+    end
+  end
+
+  context "filtering by whitelisted attributes" do
+    it "filtering is supported for whitelisted attributes" do
+      product = create(:product, name: "Fritos")
+      other_product = create(:product)
+
+      get "/api/v1/products?q[name_cont]=fritos", params: { token: user.spree_api_key }
+
+      product_names = JSON.parse(response.body)['products'].map { |product| product['name'] }
+      expect(product_names).to include product.name
+      expect(product_names).not_to include other_product.name
+    end
+  end
+
+
+end

data/spec/requests/version_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe "Version", type: :request do
+  let!(:countries) { 2.times.map { create :country } }
+
+  describe "/api" do
+    it "be a redirect" do
+      get "/api/countries"
+      expect(response).to have_http_status 301
+    end
+  end
+
+  describe "/api/v1" do
+    it "be successful" do
+      get "/api/v1/countries"
+      expect(response).to have_http_status 200
+    end
+  end
+end

data/spec/shared_examples/protect_product_actions.rb

@@ -0,0 +1,17 @@
+shared_examples "modifying product actions are restricted" do
+  it "cannot create a new product if not an admin" do
+    api_post :create, product: { name: "Brand new product!" }
+    assert_unauthorized!
+  end
+
+  it "cannot update a product" do
+    api_put :update, id: product.to_param, product: { name: "I hacked your store!" }
+    assert_unauthorized!
+  end
+
+  it "cannot delete a product" do
+    api_delete :destroy, id: product.to_param
+    assert_unauthorized!
+  end
+end
+

data/spec/spec_helper.rb

@@ -0,0 +1,63 @@
+if ENV["COVERAGE"]
+  # Run Coverage report
+  require 'simplecov'
+  SimpleCov.start do
+    add_group 'Controllers', 'app/controllers'
+    add_group 'Helpers', 'app/helpers'
+    add_group 'Mailers', 'app/mailers'
+    add_group 'Models', 'app/models'
+    add_group 'Views', 'app/views'
+    add_group 'Libraries', 'lib'
+  end
+end
+
+# This file is copied to spec/ when you run 'rails generate rspec:install'
+ENV["RAILS_ENV"] ||= 'test'
+
+begin
+  require File.expand_path("../dummy/config/environment", __FILE__)
+rescue LoadError
+  puts "Could not load dummy application. Please ensure you have run `bundle exec rake test_app`"
+  exit
+end
+
+require 'rspec/rails'
+require 'ffaker'
+
+# Requires supporting ruby files with custom matchers and macros, etc,
+# in spec/support/ and its subdirectories.
+Dir[File.dirname(__FILE__) + "/support/**/*.rb"].each {|f| require f}
+
+require 'spree/testing_support/factories'
+require 'spree/testing_support/preferences'
+
+require 'spree/api/testing_support/caching'
+require 'spree/api/testing_support/helpers'
+require 'spree/api/testing_support/setup'
+require 'spree/testing_support/shoulda_matcher_configuration'
+
+RSpec.configure do |config|
+  config.backtrace_exclusion_patterns = [/gems\/activesupport/, /gems\/actionpack/, /gems\/rspec/]
+  config.color = true
+  config.fail_fast = ENV['FAIL_FAST'] || false
+  config.infer_spec_type_from_file_location!
+  config.raise_errors_for_deprecations!
+  config.use_transactional_fixtures = true
+
+  config.include FactoryGirl::Syntax::Methods
+  config.include Spree::Api::TestingSupport::Helpers, type: :controller
+  config.extend Spree::Api::TestingSupport::Setup, type: :controller
+  config.include Spree::TestingSupport::Preferences, type: :controller
+
+  config.before do
+    Spree::Api::Config[:requires_authentication] = true
+  end
+
+  config.include VersionCake::TestHelpers, type: :controller
+  config.before(:each, type: :controller) do
+    set_request_version('', 1)
+  end
+
+  config.order = :random
+  Kernel.srand config.seed
+end