spree_api 4.2.3 → 4.3.0.rc1

data/app/controllers/spree/api/v2/platform/resource_controller.rb

@@ -0,0 +1,112 @@
+module Spree
+  module Api
+    module V2
+      module Platform
+        class ResourceController < ::Spree::Api::V2::ResourceController
+          READ_ACTIONS = %i[show index]
+          WRITE_ACTIONS = %i[create update destroy]
+
+          # doorkeeper scopes usage: https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
+          before_action -> { doorkeeper_authorize! :read, :admin }, only: READ_ACTIONS
+          before_action -> { doorkeeper_authorize! :write, :admin }, only: WRITE_ACTIONS
+
+          # optional authorization if using a user token instead of app token
+          before_action :authorize_spree_user, only: WRITE_ACTIONS
+
+          # index and show acrtions are defined in Spree::Api::V2::ResourceController
+
+          def create
+            resource = model_class.new(permitted_resource_params)
+
+            if resource.save
+              render_serialized_payload(201) { serialize_resource(resource) }
+            else
+              render_error_payload(resource.errors)
+            end
+          end
+
+          def update
+            if resource.update(permitted_resource_params)
+              render_serialized_payload { serialize_resource(resource) }
+            else
+              render_error_payload(resource.errors)
+            end
+          end
+
+          def destroy
+            if resource.destroy
+              head 204
+            else
+              render_error_payload(resource.errors)
+            end
+          end
+
+          protected
+
+          def resource_serializer
+            "Spree::Api::V2::Platform::#{model_class.to_s.demodulize}Serializer".constantize
+          end
+
+          def collection_serializer
+            resource_serializer
+          end
+
+          # overwiting to utilize ransack gem for filtering
+          # https://github.com/activerecord-hackery/ransack#search-matchers
+          def collection
+            @collection ||= scope.ransack(params[:filter]).result
+          end
+
+          # overwriting to skip cancancan check if API is consumed by an application
+          def scope
+            return super if spree_current_user.present?
+
+            super(skip_cancancan: true)
+          end
+
+          # We're overwriting this method because the original one calls `dookreeper_authorize`
+          # which breaks our application authorizations defined on top of this controller
+          def spree_current_user
+            return nil unless doorkeeper_token
+            return nil if doorkeeper_token.resource_owner_id.nil?
+            return @spree_current_user if @spree_current_user
+
+            @spree_current_user ||= Spree.user_class.find_by(id: doorkeeper_token.resource_owner_id)
+          end
+
+          def access_denied(exception)
+            access_denied_401(exception)
+          end
+
+          # if using a user oAuth token we need to check CanCanCan abilities
+          # defined in https://github.com/spree/spree/blob/master/core/app/models/spree/ability.rb
+          def authorize_spree_user
+            return if spree_current_user.nil?
+
+            if action_name == 'create'
+              spree_authorize! :create, model_class
+            else
+              spree_authorize! action_name, resource
+            end
+          end
+
+          def model_param_name
+            model_class.to_s.demodulize.underscore
+          end
+
+          def spree_permitted_attributes
+            Spree::PermittedAttributes.try("#{model_param_name}_attributes") || {}
+          end
+
+          def permitted_resource_params
+            params.require(model_param_name).permit(spree_permitted_attributes)
+          end
+
+          def allowed_sort_attributes
+            (super << spree_permitted_attributes).uniq.compact
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v2/platform/taxons_controller.rb

@@ -0,0 +1,30 @@
+module Spree
+  module Api
+    module V2
+      module Platform
+        class TaxonsController < ResourceController
+          private
+
+          def model_class
+            Spree::Taxon
+          end
+
+          def scope_includes
+            node_includes = %i[icon parent taxonomy]
+
+            {
+              parent: node_includes,
+              children: node_includes,
+              taxonomy: [root: node_includes],
+              icon: [attachment_attachment: :blob]
+            }
+          end
+
+          def serializer_params
+            super.merge(include_products: action_name == 'show')
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v2/platform/users_controller.rb

@@ -0,0 +1,28 @@
+module Spree
+  module Api
+    module V2
+      module Platform
+        class UsersController < ResourceController
+          private
+
+          def model_class
+            Spree.user_class
+          end
+
+          def resource_serializer
+            Spree::Api::V2::Platform::UserSerializer
+          end
+
+          def scope_includes
+            [:ship_address, :bill_address]
+          end
+
+          # we need to define this here as developers can configure their own `user_class`
+          def model_param_name
+            'user'
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v2/resource_controller.rb

@@ -15,7 +15,7 @@ module Spree
         protected
 
         def sorted_collection
-          collection_sorter.new(collection, params, allowed_sort_attributes).call
+          @sorted_collection ||= collection_sorter.new(collection, params, allowed_sort_attributes).call
         end
 
         def allowed_sort_attributes
@@ -23,11 +23,14 @@ module Spree
         end
 
         def default_sort_atributes
-          [:id, :updated_at, :created_at]
+          [:id, :name, :number, :position, :updated_at, :created_at]
         end
 
-        def scope
-          model_class.accessible_by(current_ability, :show).includes(scope_includes)
+        def scope(skip_cancancan: false)
+          base_scope = model_class.for_store(current_store)
+          base_scope = base_scope.accessible_by(current_ability, :show) unless skip_cancancan
+          base_scope = base_scope.includes(scope_includes) if scope_includes.any? && action_name == 'index'
+          base_scope
         end
 
         def scope_includes
@@ -36,7 +39,7 @@ module Spree
 
         def resource
           @resource ||= if defined?(resource_finder)
-                          resource_finder.new(scope: scope, params: params).execute
+                          resource_finder.new(scope: scope, params: finder_params).execute
                         else
                           scope.find(params[:id])
                         end
@@ -44,12 +47,21 @@ module Spree
 
         def collection
           @collection ||= if defined?(collection_finder)
-                            collection_finder.new(scope: scope, params: params).execute
+                            collection_finder.new(scope: scope, params: finder_params).execute
                           else
                             scope
                           end
         end
 
+        def finder_params
+          params.merge(
+            store: current_store,
+            locale: current_locale,
+            currency: current_currency,
+            user: spree_current_user
+          )
+        end
+
         def collection_sorter
           Spree::Api::Dependencies.storefront_collection_sorter.constantize
         end

data/app/controllers/spree/api/v2/storefront/account/addresses_controller.rb

@@ -33,11 +33,11 @@ module Spree
             private
 
             def collection
-              collection_finder.new(scope: scope, params: params).execute
+              collection_finder.new(scope: scope, params: finder_params).execute
             end
 
             def scope
-              super.not_deleted
+              super.where(user: spree_current_user).not_deleted
             end
 
             def model_class
@@ -56,10 +56,6 @@ module Spree
               Spree::Api::Dependencies.storefront_address_serializer.constantize
             end
 
-            def serialize_collection(collection)
-              collection_serializer.new(collection).serializable_hash
-            end
-
             def create_service
               Spree::Api::Dependencies.storefront_account_create_address_service.constantize
             end
@@ -71,14 +67,6 @@ module Spree
             def address_params
               params.require(:address).permit(permitted_address_attributes)
             end
-
-            def render_result(result)
-              if result.success?
-                render_serialized_payload { serialize_resource(result.value) }
-              else
-                render_error_payload(result.error)
-              end
-            end
           end
         end
       end

data/app/controllers/spree/api/v2/storefront/account/credit_cards_controller.rb

@@ -6,14 +6,24 @@ module Spree
           class CreditCardsController < ::Spree::Api::V2::ResourceController
             before_action :require_spree_current_user
 
+            def destroy
+              spree_authorize! :destroy, resource, resource
+
+              destroy_service.call(card: resource)
+            end
+
             private
 
+            def resource
+              params[:id].eql?('default') ? scope.default.first! : scope.find(params[:id])
+            end
+
             def model_class
               Spree::CreditCard
             end
 
             def scope
-              super.where(user: spree_current_user)
+              super.where(user: spree_current_user, payment_method: current_store.payment_methods.available_on_front_end)
             end
 
             def collection_serializer
@@ -28,16 +38,8 @@ module Spree
               Spree::Api::Dependencies.storefront_credit_card_serializer.constantize
             end
 
-            def resource_finder
-              Spree::Api::Dependencies.storefront_credit_card_finder.constantize
-            end
-
-            def serialize_collection(collection)
-              collection_serializer.new(
-                collection,
-                include: resource_includes,
-                fields: sparse_fields
-              ).serializable_hash
+            def destroy_service
+              Spree::Api::Dependencies.storefront_credit_cards_destroy_service.constantize
             end
           end
         end

data/app/controllers/spree/api/v2/storefront/account/orders_controller.rb

@@ -9,11 +9,11 @@ module Spree
             private
 
             def collection
-              collection_finder.new(user: spree_current_user).execute
+              collection_finder.new(user: spree_current_user, store: current_store).execute
             end
 
             def resource
-              resource = resource_finder.new(user: spree_current_user, number: params[:id]).execute.take
+              resource = resource_finder.new(user: spree_current_user, number: params[:id], store: current_store).execute.take
               raise ActiveRecord::RecordNotFound if resource.nil?
 
               resource

data/app/controllers/spree/api/v2/storefront/account_controller.rb

@@ -3,7 +3,18 @@ module Spree
     module V2
       module Storefront
         class AccountController < ::Spree::Api::V2::ResourceController
-          before_action :require_spree_current_user
+          before_action :require_spree_current_user, except: :create
+
+          def create
+            result = create_service.call(user_params: user_create_params)
+            render_result(result)
+          end
+
+          def update
+            spree_authorize! :update, spree_current_user
+            result = update_service.call(user: spree_current_user, user_params: user_update_params)
+            render_result(result)
+          end
 
           private
 
@@ -14,6 +25,26 @@ module Spree
           def resource_serializer
             Spree::Api::Dependencies.storefront_user_serializer.constantize
           end
+
+          def model_class
+            Spree.user_class
+          end
+
+          def create_service
+            Spree::Api::Dependencies.storefront_account_create_service.constantize
+          end
+
+          def update_service
+            Spree::Api::Dependencies.storefront_account_update_service.constantize
+          end
+
+          def user_create_params
+            user_update_params.except(:bill_address_id, :ship_address_id)
+          end
+
+          def user_update_params
+            params.require(:user).permit(permitted_user_attributes)
+          end
         end
       end
     end

data/app/controllers/spree/api/v2/storefront/cart_controller.rb

@@ -50,11 +50,25 @@ module Spree
           def empty
             spree_authorize! :update, spree_current_order, order_token
 
-            # TODO: we should extract this logic into service and let
-            # developers overwrite it
-            spree_current_order.empty!
+            result = empty_cart_service.call(order: spree_current_order)
 
-            render_serialized_payload { serialized_current_order }
+            if result.success?
+              render_serialized_payload { serialized_current_order }
+            else
+              render_error_payload(result.error)
+            end
+          end
+
+          def destroy
+            spree_authorize! :update, spree_current_order, order_token
+
+            result = destroy_cart_service.call(order: spree_current_order)
+
+            if result.success?
+              head 204
+            else
+              render_error_payload(result.error)
+            end
           end
 
           def set_quantity
@@ -128,6 +142,14 @@ module Spree
             Spree::Api::Dependencies.storefront_cart_add_item_service.constantize
           end
 
+          def empty_cart_service
+            Spree::Api::Dependencies.storefront_cart_empty_service.constantize
+          end
+
+          def destroy_cart_service
+            Spree::Api::Dependencies.storefront_cart_destroy_service.constantize
+          end
+
           def set_item_quantity_service
             Spree::Api::Dependencies.storefront_cart_set_item_quantity_service.constantize
           end
@@ -149,7 +171,7 @@ module Spree
           end
 
           def load_variant
-            @variant = Spree::Variant.find(params[:variant_id])
+            @variant = current_store.variants.find(params[:variant_id])
           end
 
           def render_error_item_quantity
@@ -163,7 +185,7 @@ module Spree
           def serialize_estimated_shipping_rates(shipping_rates)
             estimate_shipping_rates_serializer.new(
               shipping_rates,
-              params: { currency: spree_current_order.currency }
+              params: serializer_params
             ).serializable_hash
           end
 

data/app/controllers/spree/api/v2/storefront/checkout_controller.rb

@@ -119,12 +119,13 @@ module Spree
           end
 
           def serialize_payment_methods(payment_methods)
-            payment_methods_serializer.new(payment_methods).serializable_hash
+            payment_methods_serializer.new(payment_methods, params: serializer_params).serializable_hash
           end
 
           def serialize_shipping_rates(shipments)
             shipping_rates_serializer.new(
               shipments,
+              params: serializer_params,
               include: [:shipping_rates, :stock_location]
             ).serializable_hash
           end