spree_api 5.4.3 → 5.5.0.rc1

data/app/controllers/spree/api/v3/admin/price_lists_controller.rb

@@ -0,0 +1,156 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Admin CRUD for `Spree::PriceList`, plus the lifecycle transitions
+        # (`activate` / `deactivate`) and the spreadsheet's data feed
+        # (`prices`).
+        #
+        # Everything writable on the list — name, schedule, match policy,
+        # product membership (`product_ids: [...]`), nested rules
+        # (`rules: [...]`), and individual price overrides
+        # (`prices: [...]`) — flows through the regular PATCH payload, so
+        # the SPA saves the entire editor in one round-trip. No separate
+        # add_products / remove_products / add_rule / bulk_update_prices
+        # endpoints.
+        #
+        # Scoped under the `products` API-key scope — price lists are a
+        # product/pricing concern; we don't introduce a separate
+        # `read_price_lists` scope.
+        class PriceListsController < ResourceController
+          scoped_resource :products
+
+          # The base ResourceController limits `set_resource` to
+          # `show/update/destroy`. We need it on the custom member
+          # actions below too, so swap in our own filter — Rails keys
+          # before_actions by method name, so this would otherwise
+          # *replace* the parent's narrower filter and break the standard
+          # actions. Wrapping it under a different name keeps both.
+          before_action :load_member_resource, only: [:activate, :deactivate, :prices]
+
+          # GET /api/v3/admin/price_lists/price_rule_types
+          #
+          # Returns `[{ type, label, description, preference_schema }]`
+          # for every registered subclass in `Spree.pricing.rules`. The
+          # SPA uses this to build the "Add rule" picker + render a
+          # generic preferences form per subclass. Rules themselves are
+          # not a separate REST resource — they ride along on the price
+          # list's PATCH body via `rules: [...]`.
+          def price_rule_types
+            authorize! :read, Spree::PriceRule
+            render json: { data: Spree::PriceRule.subclasses_with_preference_schema }
+          end
+
+          # PATCH /api/v3/admin/price_lists/:id/activate
+          #
+          # State transition: draft|inactive → active (or → scheduled when
+          # `starts_at` is in the future). Mirrors the old Rails admin's
+          # "Activate" button which automatically scheduled future lists.
+          def activate
+            authorize! :update, @resource
+            event = @resource.starts_at.present? && @resource.starts_at.future? ? :schedule : :activate
+
+            if @resource.send(event)
+              render json: serialize_resource(@resource)
+            else
+              render_validation_error(@resource.errors)
+            end
+          end
+
+          # PATCH /api/v3/admin/price_lists/:id/deactivate
+          def deactivate
+            authorize! :update, @resource
+
+            if @resource.deactivate
+              render json: serialize_resource(@resource)
+            else
+              render_validation_error(@resource.errors)
+            end
+          end
+
+          # GET /api/v3/admin/price_lists/:id/prices
+          #
+          # The spreadsheet editor's data source. Returns every Price row
+          # in this list (filtered by `?currency=`), eager-loading
+          # `variant.product` + option values so each cell can render
+          # product name, variant options and SKU without N+1.
+          def prices
+            authorize! :read, @resource
+            currency = params[:currency].presence || current_store.default_currency
+            prices = @resource.prices
+                              .includes(variant: [:product, { option_values: :option_type }])
+                              .where(currency: currency)
+                              .joins(variant: :product)
+                              .order(Arel.sql("#{Spree::Product.table_name}.name ASC"))
+                              .order(Arel.sql("#{Spree::Variant.table_name}.position ASC"))
+
+            render json: {
+              data: prices.map { |p| serialize_price(p) },
+              meta: { currency: currency, count: prices.size }
+            }
+          end
+
+          protected
+
+          def model_class
+            Spree::PriceList
+          end
+
+          def serializer_class
+            Spree.api.admin_price_list_serializer
+          end
+
+          def scope
+            super.for_store(current_store)
+          end
+
+          def permitted_params
+            normalize_params(
+              params.permit(
+                :name, :description, :position,
+                :starts_at, :ends_at, :match_policy,
+                product_ids: [],
+                rules: [:id, :type, { preferences: {} }],
+                prices: [:id, :variant_id, :currency, :amount, :compare_at_amount]
+              )
+            )
+          end
+
+          private
+
+          # Loads the record without the action-derived authorization
+          # `set_resource` runs (which would check `:activate` /
+          # `:deactivate` / `:prices` — actions that abilities don't
+          # grant). The per-action methods below explicitly call
+          # `authorize!` with the standard action that ability rules
+          # actually mention (`:update` / `:read`).
+          def load_member_resource
+            @resource = find_resource
+          end
+
+          # Hand-rolled flat shape for the spreadsheet — keeps the payload
+          # narrow (no nested variant/product/option_value objects) and
+          # avoids paying for the admin Price serializer when we only need
+          # ~6 fields per row. The grouping the UI does (rows → product
+          # header) is driven entirely off `product_id`/`product_name`.
+          def serialize_price(price)
+            variant = price.variant
+            product = variant.product
+            {
+              id: price.prefixed_id,
+              variant_id: variant.prefixed_id,
+              product_id: product.prefixed_id,
+              product_name: product.name,
+              variant_label: variant.options_text.presence,
+              sku: variant.sku,
+              currency: price.currency,
+              amount: price.amount&.to_s,
+              compare_at_amount: price.compare_at_amount&.to_s
+            }
+          end
+
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/prices_controller.rb

@@ -0,0 +1,129 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Admin CRUD for `Spree::Price`. Covers both base prices
+        # (`price_list_id: nil`) and price-list overrides under one
+        # resource, filtered via Ransack predicates on the index.
+        class PricesController < ResourceController
+          include Spree::Api::V3::BulkOperations
+
+          scoped_resource :products
+
+          before_action :require_ids!, only: [:bulk_destroy]
+          before_action :require_prices!, only: [:bulk_upsert]
+
+          # Bulk-upserts prices on the unique-key triple
+          # `(variant_id, currency, price_list_id)`.
+          #
+          # @return [void]
+          def bulk_upsert
+            authorize! :create, Spree::Price
+            authorize! :update, Spree::Price
+
+            rows = Array(params[:prices]).map { |row| decode_price_row(row) }
+            invalid = rows.each_with_index.filter_map do |row, idx|
+              missing = %i[variant_id currency].reject { |k| row[k].present? }
+              { index: idx, missing: missing } if missing.any?
+            end
+            if invalid.any?
+              return render_error(
+                code: 'invalid_prices',
+                message: 'Each row must include variant_id and currency.',
+                status: :unprocessable_content,
+                details: { rows: invalid }
+              )
+            end
+
+            result = Spree::Prices::BulkUpsert.call(rows: rows)
+            render json: result.value
+          end
+
+          # Soft-deletes the listed prices.
+          #
+          # @return [void]
+          def bulk_destroy
+            authorize! :destroy, Spree::Price
+
+            destroy_scope = scope.where(id: decode_ids(params[:ids]))
+            destroyed = destroy_scope.count(&:destroy)
+
+            render json: { price_count: destroyed }
+          end
+
+          protected
+
+          def model_class
+            Spree::Price
+          end
+
+          def serializer_class
+            Spree.api.admin_price_serializer
+          end
+
+          def collection_includes
+            {
+              variant: [
+                :tax_category,
+                :prices,
+                product: :tax_category,
+                option_values: :option_type,
+                stock_items: [:stock_location, :active_stock_reservations]
+              ]
+            }
+          end
+
+          # Disabled: Ransack's default `result(distinct: true)` makes
+          # Postgres reject `sort=variant_product_name` because the order
+          # column isn't in the DISTINCT select list. The store scope
+          # already guarantees one Price row per result.
+          def collection_distinct?
+            false
+          end
+
+          def permitted_params
+            normalize_params(
+              params.permit(:variant_id, :currency, :amount, :compare_at_amount, :price_list_id)
+            )
+          end
+
+          private
+
+          def bulk_record_count_key
+            :price_count
+          end
+
+          def require_prices!
+            return if params.key?(:prices)
+
+            render_error(
+              code: 'missing_prices',
+              message: 'prices is required (send an empty array to no-op).',
+              status: :unprocessable_content
+            )
+          end
+
+          def decode_price_row(row)
+            row = row.respond_to?(:to_unsafe_h) ? row.to_unsafe_h : row.to_h
+            row = row.with_indifferent_access
+
+            {
+              id: decode_id(row[:id]),
+              variant_id: decode_id(row[:variant_id]),
+              price_list_id: row.key?(:price_list_id) ? decode_id(row[:price_list_id]) : nil,
+              currency: row[:currency],
+              amount: row[:amount],
+              compare_at_amount: row[:compare_at_amount]
+            }.compact
+          end
+
+          def decode_id(value)
+            return nil if value.blank?
+
+            Spree::PrefixedId.prefixed_id?(value) ? Spree::PrefixedId.decode_prefixed_id(value) : value
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/products/variants_controller.rb

@@ -0,0 +1,48 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        module Products
+          class VariantsController < ResourceController
+            scoped_resource :products
+
+            protected
+
+            def model_class
+              Spree::Variant
+            end
+
+            def serializer_class
+              Spree.api.admin_variant_serializer
+            end
+
+            def set_parent
+              @parent = current_store.products.find_by_prefix_id!(params[:product_id])
+              authorize!(:show, @parent)
+            end
+
+            def parent_association
+              :variants_including_master
+            end
+
+            def scope_includes
+              [:prices, stock_items: :stock_location]
+            end
+
+            def permitted_params
+              params.permit(
+                :sku, :barcode, :price, :compare_at_price,
+                :cost_price, :cost_currency,
+                :weight, :height, :width, :depth, :weight_unit, :dimensions_unit,
+                :track_inventory, :tax_category_id, :position,
+                options: [:name, :value],
+                prices: [:amount, :compare_at_amount, :currency],
+                stock_items: [:stock_location_id, :count_on_hand, :backorderable]
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/products_controller.rb

@@ -0,0 +1,237 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class ProductsController < ResourceController
+          include Spree::Api::V3::BulkOperations
+
+          scoped_resource :products
+
+          before_action :require_ids!, only: [
+            :bulk_status_update,
+            :bulk_add_to_categories,
+            :bulk_remove_from_categories,
+            :bulk_add_to_channels,
+            :bulk_remove_from_channels,
+            :bulk_destroy
+          ]
+
+          # POST /api/v3/admin/products/:id/clone
+          def clone
+            @resource = find_resource
+            authorize!(:create, @resource)
+
+            result = @resource.duplicate
+            if result.success?
+              render json: serialize_resource(result.value), status: :created
+            else
+              render_service_error(result.error)
+            end
+          end
+
+          # POST /api/v3/admin/products/bulk_status_update
+          # Body: { ids: [...], status: 'draft' | 'active' | 'archived' }
+          def bulk_status_update
+            authorize! :update, model_class
+
+            unless Spree::Product::STATUSES.include?(params[:status].to_s)
+              return render_error(
+                code: 'invalid_status',
+                message: Spree.t(:invalid_status, scope: 'errors.messages', default: 'Invalid status'),
+                status: :unprocessable_content
+              )
+            end
+
+            count = bulk_collection.update_all(status: params[:status], updated_at: Time.current)
+            # `update_all` skips `after_commit`, so the search index won't refresh on its own.
+            bulk_collection.each(&:enqueue_search_index)
+
+            render json: { product_count: count, status: params[:status] }
+          end
+
+          # POST /api/v3/admin/products/bulk_add_to_categories
+          # Body: { ids: [...], category_ids: [...] }
+          def bulk_add_to_categories
+            apply_categories(Spree::Taxons::AddProducts)
+          end
+
+          # POST /api/v3/admin/products/bulk_remove_from_categories
+          # Body: { ids: [...], category_ids: [...] }
+          def bulk_remove_from_categories
+            apply_categories(Spree::Taxons::RemoveProducts)
+          end
+
+          # POST /api/v3/admin/products/bulk_add_to_channels
+          # Body: { ids: [...], channel_ids: [...] }
+          def bulk_add_to_channels
+            authorize! :update, model_class
+
+            channels = scoped_channels
+            product_ids = bulk_collection.distinct.ids
+            channels.find_each { |channel| channel.add_products(product_ids) }
+
+            render json: { product_count: product_ids.size, channel_count: channels.size }
+          end
+
+          # POST /api/v3/admin/products/bulk_remove_from_channels
+          # Body: { ids: [...], channel_ids: [...] }
+          def bulk_remove_from_channels
+            authorize! :update, model_class
+
+            channels = scoped_channels
+            product_ids = bulk_collection.distinct.ids
+            removed = channels.sum { |channel| channel.remove_products(product_ids) }
+
+            render json: { product_count: product_ids.size, channel_count: channels.size, removed: removed }
+          end
+
+          # DELETE /api/v3/admin/products/bulk_destroy
+          # Body: { ids: [...] }
+          def bulk_destroy
+            authorize! :destroy, model_class
+
+            # Scope by `:destroy` rather than reusing `bulk_collection`
+            # (which is `:update`-scoped). Otherwise an admin with update
+            # rights but no destroy rights could soft-delete records.
+            destroy_scope = model_class.for_store(current_store)
+                                       .accessible_by(current_ability, :destroy)
+                                       .where(id: decode_ids(params[:ids]))
+            destroyed = destroy_scope.count(&:destroy)
+
+            render json: { product_count: destroyed }
+          end
+
+          protected
+
+          def model_class
+            Spree::Product
+          end
+
+          def serializer_class
+            Spree.api.admin_product_serializer
+          end
+
+          def scope_includes
+            [
+              :tax_category,
+              product_publications: :channel,
+              primary_media: [attachment_attachment: :blob],
+              master: [:prices, stock_items: [:stock_location, :active_stock_reservations]],
+              variants: [:prices, stock_items: [:stock_location, :active_stock_reservations]]
+            ]
+          end
+
+          # Use SearchProvider::Database for collection to handle price/best_selling
+          # sorting correctly (counts before sorting, avoiding PG/Mobility issues).
+          def collection
+            return @collection if @collection.present?
+
+            filters = params[:q]&.to_unsafe_h || params[:q] || {}
+            # Decode Stripe-style prefixed IDs in `*_id_in`/`id_eq`/etc. so SPA
+            # filters can pass `prod_…` keys; the search provider expects raw
+            # IDs because it goes straight to Ransack on the underlying scope.
+            filters = decode_prefixed_id_predicates(filters)
+            # `q[search]` is the global text-search predicate; pass it through
+            # the provider's `query` arg so it invokes `Product.search` rather
+            # than being treated as a Ransack predicate (which gets stripped
+            # by the provider's filter sanitizer).
+            query = filters['search'] || filters[:search]
+
+            result = search_provider.search_and_filter(
+              scope: scope.includes(collection_includes).preload_associations_lazily.accessible_by(current_ability, :show),
+              query: query,
+              filters: filters,
+              sort: sort_param,
+              page: page,
+              limit: limit
+            )
+
+            @pagy = result.pagy
+            @collection = result.products
+          end
+
+          def permitted_params
+            # Product is purely a catalog grouping in API v3. All purchasable
+            # attributes (sku, barcode, price, weight, dimensions, stock,
+            # track_inventory) live on variants. See
+            # docs/plans/6.0-remove-master-variant.md.
+            #
+            # Top-level `prices` is a convenience for simple (no-options)
+            # products: the merchant doesn't need to know the master variant
+            # exists, so they ship prices alongside name/status and the
+            # `Spree::Product#prices=` setter forwards them to the master.
+            params.permit(
+              :name, :description, :slug, :status,
+              :meta_title, :meta_description, :meta_keywords,
+              :tax_category_id,
+              :promotionable, :digital,
+              tags: [],
+              category_ids: [],
+              metadata: {},
+              prices: [:amount, :compare_at_amount, :currency],
+              # Inline custom field values keyed by definition id. The model
+              # setter (`Spree::Metafields#custom_fields=`) validates each
+              # entry against its definition. We permit `value` as both a
+              # scalar AND `value: {}` (any-shape Hash/Array) — Strong
+              # Parameters merges them so JSON metafields can ship parsed
+              # objects while text/number/boolean ship scalars.
+              custom_fields: [:id, :custom_field_definition_id, :value, value: {}],
+              # Inline media. Entries with `id` patch an existing asset
+              # (alt, position, variant_ids). Entries with `signed_id` create
+              # + attach a fresh upload. Lets the dashboard ship media changes
+              # alongside the rest of the product form. See
+              # `Spree::Product#media=`.
+              media: [:id, :signed_id, :alt, :position, :type, variant_ids: []],
+              product_publications: [:id, :channel_id, :published_at, :unpublished_at],
+              variants: [
+                :id, :sku, :barcode,
+                :cost_price, :cost_currency,
+                :weight, :height, :width, :depth, :weight_unit, :dimensions_unit,
+                :track_inventory, :tax_category_id, :position,
+                options: [:name, :value],
+                prices: [:amount, :compare_at_amount, :currency],
+                stock_items: [:id, :stock_location_id, :count_on_hand, :backorderable]
+              ]
+            )
+          end
+
+          private
+
+          def search_provider
+            @search_provider ||= Spree::SearchProvider::Database.new(current_store)
+          end
+
+          # Mirrors `Spree::Admin::ProductsController#after_bulk_tags_change`:
+          # tag changes can flip automatic-taxon matches, and `Tags::Bulk*`
+          # touch records via `touch_all` (which skips `after_commit`), so the
+          # search index needs an explicit kick.
+          def after_bulk_tags_change
+            Spree::Product.bulk_auto_match_taxons(current_store, bulk_collection.ids)
+            bulk_collection.each(&:enqueue_search_index)
+          end
+
+          def bulk_record_count_key
+            :product_count
+          end
+
+          def apply_categories(service)
+            authorize! :update, model_class
+
+            category_ids = decode_ids(params[:category_ids])
+            categories = current_store.taxons.accessible_by(current_ability, :update).where(id: category_ids)
+
+            service.call(taxons: categories, products: bulk_collection)
+            Spree::Product.bulk_auto_match_taxons(current_store, bulk_collection.ids)
+
+            render json: { product_count: bulk_collection.size, category_count: categories.size }
+          end
+
+          def scoped_channels
+            channel_ids = decode_ids(params[:channel_ids])
+            current_store.channels.accessible_by(current_ability, :manage).where(id: channel_ids)
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/promotion_actions_controller.rb

@@ -0,0 +1,78 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # CRUD for `Spree::PromotionAction` STI subclasses. Each action is
+        # nested under a promotion; the create body picks the subclass via
+        # `type` and the typed-preferences shape (`preferences: {...}`).
+        class PromotionActionsController < ResourceController
+          include Spree::Api::V3::Admin::SubclassedResource
+
+          scoped_resource :promotions
+
+          subclassed_via -> { Spree.promotions.actions },
+                         unknown_type_error: 'unknown_promotion_action_type'
+
+          def types
+            authorize! :read, model_class
+
+            render json: { data: model_class.subclasses_with_preference_schema }
+          end
+
+          # Returns the calculator subclasses registered for the given action
+          # `type` (e.g. `?type=Spree::Promotion::Actions::CreateAdjustment`).
+          # Each entry includes the calculator's class name, label,
+          # description, and preference schema so the SPA can render the
+          # picker + nested fields without hardcoding the calculator list.
+          def calculators
+            authorize! :read, model_class
+
+            klass = resolve_subclass(params[:type])
+            return render_unknown_type unless klass && klass.respond_to?(:calculators)
+
+            data = klass.calculators.map do |calc|
+              {
+                type: calc.to_s,
+                label: calc.respond_to?(:description) ? calc.description : calc.to_s.demodulize.titleize,
+                preference_schema: calc.respond_to?(:serialized_preference_schema) ? calc.serialized_preference_schema : []
+              }
+            end.sort_by { |entry| entry[:label].to_s }
+
+            render json: { data: data }
+          end
+
+          protected
+
+          def model_class
+            Spree::PromotionAction
+          end
+
+          def serializer_class
+            Spree.api.admin_promotion_action_serializer
+          end
+
+          def permitted_params
+            params.permit(:type, preferences: {})
+          end
+
+          def set_parent
+            return if %w[types calculators].include?(action_name)
+
+            @parent = Spree::Promotion.accessible_by(current_ability, :show)
+                                      .find_by_prefix_id!(params[:promotion_id])
+          end
+
+          def parent_association
+            :promotion_actions
+          end
+
+          private
+
+          def build_subclassed_resource(klass, attrs)
+            klass.new(attrs.merge(promotion: @parent))
+          end
+        end
+      end
+    end
+  end
+end