spree_api 5.4.3 → 5.5.0.rc2

data/app/controllers/spree/api/v3/admin/orders_controller.rb

@@ -0,0 +1,190 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class OrdersController < ResourceController
+          include Spree::Api::V3::OrderLock
+
+          scoped_resource :orders
+
+          skip_before_action :set_resource, only: [:index, :create]
+          before_action :set_resource, only: [:show, :update, :destroy, :complete, :cancel, :approve, :resume, :resend_confirmation]
+
+          # POST /api/v3/admin/orders
+          def create
+            authorize!(:create, Spree::Order)
+
+            result = Spree.order_create_service.call(
+              store: current_store,
+              user: resolve_user,
+              params: order_create_params
+            )
+
+            if result.success?
+              @resource = result.value
+              render json: serialize_resource(@resource), status: :created
+            else
+              render_service_error(result.error)
+            end
+          end
+
+          # PATCH /api/v3/admin/orders/:id
+          def update
+            with_order_lock do
+              result = Spree.order_update_service.call(
+                order: @resource,
+                params: order_update_params
+              )
+
+              if result.success?
+                render json: serialize_resource(result.value)
+              else
+                render_validation_error(@resource.errors.presence || result.error)
+              end
+            end
+          end
+
+          # PATCH /api/v3/admin/orders/:id/complete
+          def complete
+            with_order_lock do
+              result = Spree.order_complete_service.call(
+                order: @resource,
+                payment_pending: ActiveModel::Type::Boolean.new.cast(params[:payment_pending]),
+                notify_customer: ActiveModel::Type::Boolean.new.cast(params[:notify_customer])
+              )
+
+              if result.success?
+                render json: serialize_resource(@resource.reload)
+              else
+                render_service_error(@resource.errors.presence || result.error, code: ERROR_CODES[:order_cannot_complete])
+              end
+            end
+          end
+
+          # PATCH /api/v3/admin/orders/:id/cancel
+          def cancel
+            with_order_lock do
+              @resource.canceled_by(try_spree_current_user)
+              render json: serialize_resource(@resource.reload)
+            end
+          end
+
+          # PATCH /api/v3/admin/orders/:id/approve
+          def approve
+            with_order_lock do
+              @resource.approved_by(try_spree_current_user)
+              render json: serialize_resource(@resource.reload)
+            end
+          end
+
+          # PATCH /api/v3/admin/orders/:id/resume
+          def resume
+            with_order_lock do
+              @resource.resume!
+              render json: serialize_resource(@resource.reload)
+            end
+          end
+
+          # POST /api/v3/admin/orders/:id/resend_confirmation
+          def resend_confirmation
+            @resource.publish_event('order.completed')
+            render json: serialize_resource(@resource)
+          end
+
+          protected
+
+          def model_class
+            Spree::Order
+          end
+
+          def serializer_class
+            Spree.api.admin_order_serializer
+          end
+
+          # Override scope — Order uses SingleStoreResource (for_store)
+          def scope
+            current_store.orders.accessible_by(current_ability, :show).preload_associations_lazily
+          end
+
+          def set_resource
+            @resource = scope.find_by_prefix_id!(params[:id])
+            @order = @resource # needed for OrderLock
+            authorize_resource!(@resource)
+          end
+
+          # Map state transition actions to :update permission
+          def authorize_resource!(resource = @resource, action = action_name.to_sym)
+            mapped_action = case action
+                            when :complete, :cancel, :approve, :resume, :resend_confirmation
+                              :update
+                            else
+                              action
+                            end
+            authorize!(mapped_action, resource)
+          end
+
+          def collection_includes
+            [:line_items, :user, :channel, :rich_text_internal_note]
+          end
+
+          private
+
+          def resolve_user
+            customer_param = params[:customer_id].presence || params[:user_id].presence
+            return unless customer_param
+
+            Spree.user_class.find_by_param!(customer_param)
+          end
+
+          def order_create_params
+            normalize_params(
+              params.permit(
+                :email, :customer_id, :user_id, :use_customer_default_address,
+                :currency, :market_id, :channel_id, :locale,
+                :customer_note, :internal_note,
+                :shipping_address_id, :billing_address_id,
+                :preferred_stock_location_id,
+                :coupon_code,
+                metadata: {},
+                tags: [],
+                shipping_address: address_permitted_keys,
+                billing_address: address_permitted_keys,
+                items: item_permitted_keys
+              )
+            )
+          end
+
+          def order_update_params
+            normalize_params(
+              params.permit(
+                :email, :customer_id, :user_id,
+                :customer_note, :internal_note,
+                :currency, :locale, :market_id, :channel_id,
+                :preferred_stock_location_id,
+                metadata: {},
+                tags: [],
+                ship_address: address_permitted_keys,
+                bill_address: address_permitted_keys,
+                items: item_permitted_keys
+              )
+            )
+          end
+
+          def address_permitted_keys
+            [
+              :firstname, :lastname, :first_name, :last_name,
+              :address1, :address2, :city,
+              :country_iso, :state_abbr, :country_id, :state_id,
+              :zipcode, :postal_code, :phone, :alternative_phone,
+              :state_name, :company, :label
+            ]
+          end
+
+          def item_permitted_keys
+            [:variant_id, :quantity, { metadata: {} }]
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/payment_methods_controller.rb

@@ -0,0 +1,73 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class PaymentMethodsController < ResourceController
+          include Spree::Api::V3::Admin::SubclassedResource
+
+          scoped_resource :settings
+
+          subclassed_via -> { Spree::PaymentMethod.providers },
+                         unknown_type_error: 'unknown_payment_method_type'
+
+          # Lists available payment provider subclasses for the create form.
+          # Returns: { data: [{ type, label, description, preference_schema }] }.
+          # The preference_schema array describes the provider-specific
+          # configuration fields, so admin UIs can render a generic
+          # preferences form without hard-coding per-provider knowledge.
+          # Filters out subclasses already installed in the current store —
+          # mirrors the legacy admin's "available_payment_methods" helper, so
+          # admins don't see (and accidentally double-install) the same
+          # provider twice.
+          def types
+            authorize! :create, model_class
+
+            # Query via direct join rather than `current_store.payment_methods`
+            # — the has_many-through association can cache stale results when
+            # `current_store` was loaded earlier in the request (e.g. by the
+            # auth layer).
+            installed_class_names = Spree::PaymentMethod
+                                      .joins(:store_payment_methods)
+                                      .where(spree_payment_methods_stores: { store_id: current_store.id })
+                                      .pluck(:type)
+            installed_shorthands = installed_class_names.filter_map do |name|
+              name.safe_constantize&.api_type
+            end
+            available = model_class.subclasses_with_preference_schema.reject do |entry|
+              installed_shorthands.include?(entry[:type])
+            end
+
+            render json: { data: available }
+          end
+
+          protected
+
+          def model_class
+            Spree::PaymentMethod
+          end
+
+          def serializer_class
+            Spree.api.admin_payment_method_serializer
+          end
+
+          # Explicit allowlist per the v3 convention — flat params, no
+          # reach into the global `Spree::PermittedAttributes` registry
+          # (which is the legacy Rails admin's surface). `type` and
+          # `preferences` are added by `SubclassedResource` on top.
+          def permitted_params
+            params.permit(:name, :description, :active, :storefront_visible, :auto_capture, :position, metadata: {}, preferences: {})
+          end
+
+          private
+
+          # New payment methods get scoped to the current store automatically.
+          def build_subclassed_resource(klass, attrs)
+            resource = klass.new(attrs)
+            resource.stores = [current_store] if resource.stores.empty?
+            resource
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/price_lists_controller.rb

@@ -0,0 +1,179 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Admin CRUD for `Spree::PriceList`, plus the lifecycle transitions
+        # (`activate` / `deactivate`) and the spreadsheet's data feed
+        # (`prices`).
+        #
+        # Everything writable on the list — name, schedule, match policy,
+        # product membership (`product_ids: [...]`), nested rules
+        # (`rules: [...]`), and individual price overrides
+        # (`prices: [...]`) — flows through the regular PATCH payload, so
+        # the SPA saves the entire editor in one round-trip. No separate
+        # add_products / remove_products / add_rule / bulk_update_prices
+        # endpoints.
+        #
+        # Scoped under the `products` API-key scope — price lists are a
+        # product/pricing concern; we don't introduce a separate
+        # `read_price_lists` scope.
+        class PriceListsController < ResourceController
+          scoped_resource :products
+
+          # The base ResourceController limits `set_resource` to
+          # `show/update/destroy`. We need it on the custom member
+          # actions below too, so swap in our own filter — Rails keys
+          # before_actions by method name, so this would otherwise
+          # *replace* the parent's narrower filter and break the standard
+          # actions. Wrapping it under a different name keeps both.
+          before_action :load_member_resource, only: [:activate, :deactivate, :prices]
+
+          # GET /api/v3/admin/price_lists/price_rule_types
+          #
+          # Returns `[{ type, label, description, preference_schema }]`
+          # for every registered subclass in `Spree.pricing.rules`. The
+          # SPA uses this to build the "Add rule" picker + render a
+          # generic preferences form per subclass. Rules themselves are
+          # not a separate REST resource — they ride along on the price
+          # list's PATCH body via `rules: [...]`.
+          def price_rule_types
+            authorize! :read, Spree::PriceRule
+            render json: { data: Spree::PriceRule.subclasses_with_preference_schema }
+          end
+
+          # PATCH /api/v3/admin/price_lists/:id/activate
+          #
+          # State transition: draft|inactive → active (or → scheduled when
+          # `starts_at` is in the future). Mirrors the old Rails admin's
+          # "Activate" button which automatically scheduled future lists.
+          def activate
+            authorize! :update, @resource
+            event = @resource.starts_at.present? && @resource.starts_at.future? ? :schedule : :activate
+
+            if @resource.send(event)
+              render json: serialize_resource(@resource)
+            else
+              render_validation_error(@resource.errors)
+            end
+          end
+
+          # PATCH /api/v3/admin/price_lists/:id/deactivate
+          def deactivate
+            authorize! :update, @resource
+
+            if @resource.deactivate
+              render json: serialize_resource(@resource)
+            else
+              render_validation_error(@resource.errors)
+            end
+          end
+
+          # GET /api/v3/admin/price_lists/:id/prices
+          #
+          # The spreadsheet editor's data source. Returns every Price row
+          # in this list (filtered by `?currency=`), eager-loading
+          # `variant.product` + option values so each cell can render
+          # product name, variant options and SKU without N+1.
+          def prices
+            authorize! :read, @resource
+            currency = params[:currency].presence || current_store.default_currency
+            prices = @resource.prices
+                              .includes(variant: [:product, { option_values: :option_type }])
+                              .where(currency: currency)
+                              .joins(variant: :product)
+                              .order(Arel.sql("#{Spree::Product.table_name}.name ASC"))
+                              .order(Arel.sql("#{Spree::Variant.table_name}.position ASC"))
+
+            render json: {
+              data: prices.map { |p| serialize_price(p) },
+              meta: { currency: currency, count: prices.size }
+            }
+          end
+
+          protected
+
+          def model_class
+            Spree::PriceList
+          end
+
+          def serializer_class
+            Spree.api.admin_price_list_serializer
+          end
+
+          def scope
+            super.for_store(current_store)
+          end
+
+          def permitted_params
+            attrs = normalize_params(
+              params.permit(
+                :name, :description, :position,
+                :starts_at, :ends_at, :match_policy,
+                product_ids: [],
+                rules: [:id, :type, { preferences: {} }],
+                prices: [:id, :variant_id, :currency, :amount, :compare_at_amount]
+              )
+            )
+            reject_foreign_membership(attrs)
+          end
+
+          # The PriceList model setters (`product_ids=`, `prices=`) resolve
+          # member ids with no store scoping, so a list in this store could
+          # otherwise be populated with another store's products/variants.
+          # Drop any id that isn't in the current store before assignment.
+          def reject_foreign_membership(attrs)
+            if attrs[:product_ids].present?
+              store_product_ids = current_store.products.where(id: attrs[:product_ids]).pluck(:id).map(&:to_s).to_set
+              attrs[:product_ids] = Array(attrs[:product_ids]).select { |id| store_product_ids.include?(id.to_s) }
+            end
+
+            if attrs[:prices].present?
+              incoming = Array(attrs[:prices])
+              store_variant_ids = current_store.variants.where(id: incoming.map { |r| r[:variant_id] }.compact).
+                                  pluck(:id).map(&:to_s).to_set
+              attrs[:prices] = incoming.select do |row|
+                row[:variant_id].blank? || store_variant_ids.include?(row[:variant_id].to_s)
+              end
+            end
+
+            attrs
+          end
+
+          private
+
+          # Loads the record without the action-derived authorization
+          # `set_resource` runs (which would check `:activate` /
+          # `:deactivate` / `:prices` — actions that abilities don't
+          # grant). The per-action methods below explicitly call
+          # `authorize!` with the standard action that ability rules
+          # actually mention (`:update` / `:read`).
+          def load_member_resource
+            @resource = find_resource
+          end
+
+          # Hand-rolled flat shape for the spreadsheet — keeps the payload
+          # narrow (no nested variant/product/option_value objects) and
+          # avoids paying for the admin Price serializer when we only need
+          # ~6 fields per row. The grouping the UI does (rows → product
+          # header) is driven entirely off `product_id`/`product_name`.
+          def serialize_price(price)
+            variant = price.variant
+            product = variant.product
+            {
+              id: price.prefixed_id,
+              variant_id: variant.prefixed_id,
+              product_id: product.prefixed_id,
+              product_name: product.name,
+              variant_label: variant.options_text.presence,
+              sku: variant.sku,
+              currency: price.currency,
+              amount: price.amount&.to_s,
+              compare_at_amount: price.compare_at_amount&.to_s
+            }
+          end
+
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/prices_controller.rb

@@ -0,0 +1,157 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Admin CRUD for `Spree::Price`. Covers both base prices
+        # (`price_list_id: nil`) and price-list overrides under one
+        # resource, filtered via Ransack predicates on the index.
+        class PricesController < ResourceController
+          include Spree::Api::V3::BulkOperations
+
+          scoped_resource :products
+
+          before_action :require_ids!, only: [:bulk_destroy]
+          before_action :require_prices!, only: [:bulk_upsert]
+
+          # Bulk-upserts prices on the unique-key triple
+          # `(variant_id, currency, price_list_id)`.
+          #
+          # @return [void]
+          def bulk_upsert
+            authorize! :create, Spree::Price
+            authorize! :update, Spree::Price
+
+            rows = Array(params[:prices]).map { |row| decode_price_row(row) }
+            invalid = rows.each_with_index.filter_map do |row, idx|
+              missing = %i[variant_id currency].reject { |k| row[k].present? }
+              { index: idx, missing: missing } if missing.any?
+            end
+            if invalid.any?
+              return render_error(
+                code: 'invalid_prices',
+                message: 'Each row must include variant_id and currency.',
+                status: :unprocessable_content,
+                details: { rows: invalid }
+              )
+            end
+
+            foreign = foreign_rows(rows)
+            if foreign.any?
+              return render_error(
+                code: 'invalid_prices',
+                message: 'Each row must reference a variant and price list in the current store.',
+                status: :unprocessable_content,
+                details: { rows: foreign }
+              )
+            end
+
+            result = Spree::Prices::BulkUpsert.call(rows: rows)
+            render json: result.value
+          end
+
+          # Soft-deletes the listed prices.
+          #
+          # @return [void]
+          def bulk_destroy
+            authorize! :destroy, Spree::Price
+
+            destroy_scope = scope.where(id: decode_ids(params[:ids]))
+            destroyed = destroy_scope.count(&:destroy)
+
+            render json: { price_count: destroyed }
+          end
+
+          protected
+
+          def model_class
+            Spree::Price
+          end
+
+          def serializer_class
+            Spree.api.admin_price_serializer
+          end
+
+          def collection_includes
+            {
+              variant: [
+                :tax_category,
+                :prices,
+                product: :tax_category,
+                option_values: :option_type,
+                stock_items: [:stock_location, :active_stock_reservations]
+              ]
+            }
+          end
+
+          # Disabled: Ransack's default `result(distinct: true)` makes
+          # Postgres reject `sort=variant_product_name` because the order
+          # column isn't in the DISTINCT select list. The store scope
+          # already guarantees one Price row per result.
+          def collection_distinct?
+            false
+          end
+
+          def permitted_params
+            normalize_params(
+              params.permit(:variant_id, :currency, :amount, :compare_at_amount, :price_list_id)
+            )
+          end
+
+          private
+
+          def bulk_record_count_key
+            :price_count
+          end
+
+          def require_prices!
+            return if params.key?(:prices)
+
+            render_error(
+              code: 'missing_prices',
+              message: 'prices is required (send an empty array to no-op).',
+              status: :unprocessable_content
+            )
+          end
+
+          def decode_price_row(row)
+            row = row.respond_to?(:to_unsafe_h) ? row.to_unsafe_h : row.to_h
+            row = row.with_indifferent_access
+
+            {
+              id: decode_id(row[:id]),
+              variant_id: decode_id(row[:variant_id]),
+              price_list_id: row.key?(:price_list_id) ? decode_id(row[:price_list_id]) : nil,
+              currency: row[:currency],
+              amount: row[:amount],
+              compare_at_amount: row[:compare_at_amount]
+            }.compact
+          end
+
+          def decode_id(value)
+            return nil if value.blank?
+
+            Spree::PrefixedId.prefixed_id?(value) ? Spree::PrefixedId.decode_prefixed_id(value) : value
+          end
+
+          # Rejects rows whose variant or price list belongs to another store.
+          # `Spree::Prices::BulkUpsert` writes rows keyed on the raw variant_id
+          # with no ownership check, so the store boundary is enforced here.
+          def foreign_rows(rows)
+            variant_ids = rows.map { |r| r[:variant_id] }.compact.uniq
+            price_list_ids = rows.map { |r| r[:price_list_id] }.compact.uniq
+
+            store_variant_ids = current_store.variants.where(id: variant_ids).pluck(:id).map(&:to_s).to_set
+            store_price_list_ids = Spree::PriceList.for_store(current_store).where(id: price_list_ids).pluck(:id).map(&:to_s).to_set
+
+            rows.each_with_index.filter_map do |row, idx|
+              variant_ok = store_variant_ids.include?(row[:variant_id].to_s)
+              price_list_ok = row[:price_list_id].blank? || store_price_list_ids.include?(row[:price_list_id].to_s)
+
+              { index: idx } unless variant_ok && price_list_ok
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/products/variants_controller.rb

@@ -0,0 +1,48 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        module Products
+          class VariantsController < ResourceController
+            scoped_resource :products
+
+            protected
+
+            def model_class
+              Spree::Variant
+            end
+
+            def serializer_class
+              Spree.api.admin_variant_serializer
+            end
+
+            def set_parent
+              @parent = current_store.products.find_by_prefix_id!(params[:product_id])
+              authorize!(:show, @parent)
+            end
+
+            def parent_association
+              :variants_including_master
+            end
+
+            def scope_includes
+              [:prices, stock_items: :stock_location]
+            end
+
+            def permitted_params
+              params.permit(
+                :sku, :barcode, :price, :compare_at_price,
+                :cost_price, :cost_currency,
+                :weight, :height, :width, :depth, :weight_unit, :dimensions_unit,
+                :track_inventory, :tax_category_id, :position,
+                options: [:name, :value],
+                prices: [:amount, :compare_at_amount, :currency],
+                stock_items: [:stock_location_id, :count_on_hand, :backorderable]
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end