RubyGems - spree_api - Versions diffs - 5.4.3 → 5.5.0.rc1 - Mend

spree_api 5.4.3 → 5.5.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (146) hide show

data/app/controllers/spree/api/v3/admin/promotion_rules_controller.rb ADDED Viewed

@@ -0,0 +1,56 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # CRUD for `Spree::PromotionRule` STI subclasses. Same shape as
+        # PromotionActionsController — only the registry differs
+        # (`Spree.promotions.rules` instead of `Spree.promotions.actions`).
+        class PromotionRulesController < ResourceController
+          include Spree::Api::V3::Admin::SubclassedResource
+          scoped_resource :promotions
+          subclassed_via -> { Spree.promotions.rules },
+                         unknown_type_error: 'unknown_promotion_rule_type'
+          def types
+            authorize! :read, model_class
+            render json: { data: model_class.subclasses_with_preference_schema }
+          end
+          protected
+          def model_class
+            Spree::PromotionRule
+          end
+          def serializer_class
+            Spree.api.admin_promotion_rule_serializer
+          end
+          def permitted_params
+            params.permit(:type, preferences: {})
+          end
+          def set_parent
+            return if action_name == 'types'
+            @parent = Spree::Promotion.accessible_by(current_ability, :show)
+                                      .find_by_prefix_id!(params[:promotion_id])
+          end
+          def parent_association
+            :promotion_rules
+          end
+          private
+          def build_subclassed_resource(klass, attrs)
+            klass.new(attrs.merge(promotion: @parent))
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/promotions_controller.rb ADDED Viewed

@@ -0,0 +1,78 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class PromotionsController < ResourceController
+          scoped_resource :promotions
+          protected
+          def model_class
+            Spree::Promotion
+          end
+          def serializer_class
+            Spree.api.admin_promotion_serializer
+          end
+          def collection_includes
+            promotion_includes
+          end
+          def scope_includes
+            promotion_includes
+          end
+          # A single POST/PATCH /promotions can ship rules and actions
+          # alongside the basics; `Promotion#rules=` / `actions=` reconcile
+          # to the desired set. The nested allowlist below is the union of
+          # every built-in rule/action's expected keys. Plugin-defined
+          # subclasses can add to it — see `additional_permitted_attributes`
+          # below.
+          def permitted_params
+            normalize_params(params.permit(*permitted_attributes))
+          end
+          def permitted_attributes
+            [
+              :name, :description, :code, :path,
+              :starts_at, :expires_at, :usage_limit, :match_policy,
+              :kind, :multi_codes, :number_of_codes, :code_prefix,
+              :promotion_category_id,
+              rules: rule_attributes,
+              actions: action_attributes
+            ]
+          end
+          def rule_attributes
+            [:id, :type, { preferences: {} }, *subclassed_collection_attributes(Spree.promotions.rules)]
+          end
+          def action_attributes
+            [
+              :id, :type,
+              { preferences: {} },
+              { calculator: [:type, { preferences: {} }] },
+              *subclassed_collection_attributes(Spree.promotions.actions)
+            ]
+          end
+          # Pulls in plugin-defined permitted attributes from every
+          # registered rule/action subclass. Subclasses declare these via
+          # `additional_permitted_attributes` (e.g. `[product_ids: []]`).
+          def subclassed_collection_attributes(registry)
+            registry.flat_map do |klass|
+              klass.respond_to?(:additional_permitted_attributes) ? klass.additional_permitted_attributes : []
+            end.uniq
+          end
+          private
+          def promotion_includes
+            [:stores, :promotion_actions, :promotion_rules]
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/resource_controller.rb CHANGED Viewed

@@ -2,24 +2,42 @@ module Spree
   module Api
     module V3
       module Admin
+        # Mirrors Admin::BaseController's concerns. Both classes anchor parallel
+        # inheritance branches (V3::BaseController vs V3::ResourceController);
+        # any concern added here MUST also be added to Admin::BaseController.
         class ResourceController < Spree::Api::V3::ResourceController
-          # Require secret API key for all Admin API requests
-          before_action :authenticate_secret_key!
-          # Admin API responses must never be cached
-          after_action :set_no_store_cache
+          include Spree::Api::V3::AdminAuthentication
+          include Spree::Api::V3::ScopedAuthorization
           protected
-          # Override JWT audience to require admin tokens
-          def expected_audience
-            JWT_AUDIENCE_ADMIN
+          def authenticate_request!
+            authenticate_admin!
           end
-          private
+          # Render error from ServiceModule::Result, extracting ActiveModel::Errors
+          # from the ResultError wrapper to get proper validation_error responses.
+          def render_result_error(result)
+            error = result.error
+            errors = error.respond_to?(:value) ? error.value : error
+            if errors.is_a?(ActiveModel::Errors)
+              render_validation_error(errors)
+            else
+              render_service_error(error)
+            end
+          end
+          def decode_ids(ids, klass)
+            Array(ids).map do |id|
+              Spree::PrefixedId.prefixed_id?(id) ? klass.find_by_param!(id).id : id
+            end
+          end
-          def set_no_store_cache
-            response.headers['Cache-Control'] = 'private, no-store'
+          def decode_prefixed_ids(ids)
+            Array(ids).map do |id|
+              Spree::PrefixedId.prefixed_id?(id) ? Spree::PrefixedId.decode_prefixed_id(id) : id
+            end
           end
         end
       end

data/app/controllers/spree/api/v3/admin/roles_controller.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Read-only list of roles available for staff role pickers (invite +
+        # edit forms). Roles are global, not per-store; CRUD is handled
+        # outside the SPA today and may grow into a richer permissions UI
+        # later. The controller ignores `current_store` for that reason.
+        class RolesController < ResourceController
+          scoped_resource :settings
+          protected
+          def model_class
+            Spree::Role
+          end
+          def serializer_class
+            Spree.api.admin_role_serializer
+          end
+          def scope
+            Spree::Role.accessible_by(current_ability, :show)
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/stock_items_controller.rb ADDED Viewed

@@ -0,0 +1,35 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Stock items are auto-created when a variant lands at a stock
+        # location, so there's deliberately no `create` route — use the
+        # variants / stock-locations endpoints for that flow.
+        class StockItemsController < ResourceController
+          scoped_resource :settings
+          protected
+          def model_class
+            Spree::StockItem
+          end
+          def serializer_class
+            Spree.api.admin_stock_item_serializer
+          end
+          def collection_includes
+            [:stock_location, :variant]
+          end
+          # `StockItem.for_store` already applies its own `distinct`, and
+          # `id`-asc gives a stable order across edits (variant.position
+          # alone isn't unique — see git blame for the row-jumping bug).
+          def apply_collection_sort(collection)
+            collection.order(Spree::StockItem.arel_table[:id].asc)
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/stock_locations_controller.rb ADDED Viewed

@@ -0,0 +1,36 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class StockLocationsController < ResourceController
+          scoped_resource :settings
+          protected
+          def model_class
+            Spree::StockLocation
+          end
+          def serializer_class
+            Spree.api.admin_stock_location_serializer
+          end
+          def scope
+            super.order_default
+          end
+          def permitted_params
+            params.permit(
+              :name, :admin_name, :active, :default,
+              :kind, :propagate_all_variants, :backorderable_default,
+              :address1, :address2, :city, :zipcode, :phone, :company,
+              :country_iso, :state_abbr, :state_name,
+              :pickup_enabled, :pickup_stock_policy,
+              :pickup_ready_in_minutes, :pickup_instructions
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/stock_reservations_controller.rb ADDED Viewed

@@ -0,0 +1,29 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class StockReservationsController < ResourceController
+          scoped_resource :stock
+          protected
+          def model_class
+            Spree::StockReservation
+          end
+          def serializer_class
+            Spree.api.admin_stock_reservation_serializer
+          end
+          def scope
+            Spree::StockReservation.for_store(current_store)
+          end
+          def collection_includes
+            [{ stock_item: [:variant, :stock_location], line_item: [], order: [] }]
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/stock_transfers_controller.rb ADDED Viewed

@@ -0,0 +1,75 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Inventory movement between stock locations, or vendor → location
+        # for receives. Pass `source_location_id` for transfers; omit it to
+        # record an external receive.
+        class StockTransfersController < ResourceController
+          scoped_resource :settings
+          def create
+            authorize!(:create, model_class)
+            destination = Spree::StockLocation.find_by_prefix_id!(params[:destination_location_id])
+            source = params[:source_location_id].present? ?
+              Spree::StockLocation.find_by_prefix_id!(params[:source_location_id]) : nil
+            variants_map = build_variants_map
+            if variants_map.empty?
+              return render_error(
+                code: 'invalid_variants',
+                message: Spree.t('stock_transfer.errors.must_have_variant'),
+                status: :unprocessable_content
+              )
+            end
+            @resource = source ?
+              Spree::StockTransfer.new(reference: params[:reference]).tap { |t| t.transfer(source, destination, variants_map) } :
+              Spree::StockTransfer.new(reference: params[:reference]).tap { |t| t.receive(destination, variants_map) }
+            if @resource.persisted?
+              render json: serialize_resource(@resource), status: :created
+            else
+              render_validation_error(@resource.errors)
+            end
+          end
+          protected
+          def model_class
+            Spree::StockTransfer
+          end
+          def serializer_class
+            Spree.api.admin_stock_transfer_serializer
+          end
+          def collection_includes
+            [:source_location, :destination_location]
+          end
+          private
+          # Variants the merchant doesn't have access to are dropped silently;
+          # if the resulting map is empty the action surfaces a 422
+          # `invalid_variants` so callers can distinguish "nothing supplied"
+          # from "all variants were rejected." A single SELECT covers any
+          # number of variants instead of N round-trips.
+          def build_variants_map
+            entries = params.permit(variants: [:variant_id, :quantity]).fetch(:variants, [])
+            quantities_by_id = entries.each_with_object({}) do |entry, hash|
+              decoded = Spree::PrefixedId.decode_prefixed_id(entry[:variant_id])
+              hash[decoded.to_i] = entry[:quantity].to_i if decoded
+            end
+            Spree::Variant.where(id: quantities_by_id.keys).each_with_object({}) do |variant, acc|
+              quantity = quantities_by_id[variant.id]
+              acc[variant] = quantity if quantity&.positive?
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/store_controller.rb ADDED Viewed

@@ -0,0 +1,53 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class StoreController < Admin::BaseController
+          scoped_resource :settings
+          # GET /api/v3/admin/store
+          def show
+            authorize! :show, current_store
+            render json: serialize_store
+          end
+          # PATCH /api/v3/admin/store
+          def update
+            authorize! :update, current_store
+            if current_store.update(permitted_params)
+              render json: serialize_store
+            else
+              render_validation_error(current_store.errors)
+            end
+          end
+          private
+          def serialize_store
+            serializer_class.new(current_store, params: serializer_params).to_h
+          end
+          def serializer_class
+            Spree.api.admin_store_serializer
+          end
+          def permitted_params
+            params.permit(
+              :name,
+              :preferred_admin_locale,
+              :preferred_timezone,
+              :preferred_weight_unit,
+              :preferred_unit_system,
+              :mail_from_address,
+              :customer_support_email,
+              :new_order_notifications_email,
+              :preferred_send_consumer_transactional_emails,
+              :mailer_logo
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/store_credit_categories_controller.rb ADDED Viewed

@@ -0,0 +1,21 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class StoreCreditCategoriesController < ResourceController
+          scoped_resource :settings
+          protected
+          def model_class
+            Spree::StoreCreditCategory
+          end
+          def serializer_class
+            Spree.api.admin_store_credit_category_serializer
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/tags_controller.rb ADDED Viewed

@@ -0,0 +1,51 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class TagsController < BaseController
+          skip_scope_check!
+          MAX_RESULTS = 50
+          def index
+            taggable_type = params[:taggable_type].to_s
+            unless allowed_taggable_types.include?(taggable_type)
+              render_error(
+                code: 'invalid_taggable_type',
+                message: "taggable_type must be one of #{allowed_taggable_types.join(', ')}",
+                status: :unprocessable_content
+              )
+              return
+            end
+            scope = ActsAsTaggableOn::Tag.
+                    joins(:taggings).
+                    where(ActsAsTaggableOn.taggings_table => { taggable_type: taggable_type, context: 'tags' }).
+                    distinct.
+                    order(:name).
+                    limit(MAX_RESULTS)
+            if params[:q].present?
+              # Escape LIKE wildcards in user input so a query like "foo_" matches
+              # only the literal underscore, not any single character.
+              escaped = params[:q].to_s.downcase.gsub(/[\\%_]/) { |c| "\\#{c}" }
+              scope = scope.where('LOWER(name) LIKE ? ESCAPE ?', "%#{escaped}%", '\\')
+            end
+            render json: { data: scope.pluck(:name).map { |name| { name: name } } }
+          end
+          private
+          # Sourced from `Spree.taggable_types` (registered in
+          # `Spree::Core::Engine`'s after_initialize block). Apps extend the
+          # list in an initializer without overriding this controller:
+          #   Spree.taggable_types << 'MyApp::Vendor'
+          def allowed_taggable_types
+            Spree.taggable_types
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/tax_categories_controller.rb ADDED Viewed

@@ -0,0 +1,21 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class TaxCategoriesController < ResourceController
+          scoped_resource :settings
+          protected
+          def model_class
+            Spree::TaxCategory
+          end
+          def serializer_class
+            Spree.api.admin_tax_category_serializer
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/variants_controller.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class VariantsController < ResourceController
+          scoped_resource :products
+          protected
+          def model_class
+            Spree::Variant
+          end
+          def serializer_class
+            Spree.api.admin_variant_serializer
+          end
+          def scope
+            current_store.variants.eligible
+          end
+          def scope_includes
+            [
+              :prices, stock_items: :stock_location,
+              option_values: :option_type,
+              primary_media: [attachment_attachment: :blob]
+            ]
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/webhook_deliveries_controller.rb ADDED Viewed

@@ -0,0 +1,49 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Nested under WebhookEndpoint — deliveries are always read in the
+        # context of their endpoint (the delivery log on the endpoint detail
+        # page) and never accessed by ID at the top level.
+        class WebhookDeliveriesController < ResourceController
+          scoped_resource :settings
+          # POST /api/v3/admin/webhook_endpoints/:webhook_endpoint_id/deliveries/:id/redeliver
+          #
+          # Creates a new delivery row with the same payload + event_name and
+          # queues it. The original row is preserved for audit history.
+          #
+          # @return [Hash] the serialized newly-queued {Spree::WebhookDelivery},
+          #   HTTP 201.
+          def redeliver
+            @resource = find_resource
+            authorize!(:update, webhook_endpoint)
+            new_delivery = @resource.redeliver!
+            render json: serialize_resource(new_delivery), status: :created
+          end
+          protected
+          def model_class
+            Spree::WebhookDelivery
+          end
+          def serializer_class
+            Spree.api.admin_webhook_delivery_serializer
+          end
+          def scope
+            webhook_endpoint.webhook_deliveries.recent
+          end
+          def webhook_endpoint
+            @webhook_endpoint ||= current_store.webhook_endpoints.find_by_prefix_id!(
+              params[:webhook_endpoint_id]
+            )
+          end
+        end
+      end
+    end
+  end
+end