spree_api 5.4.3 → 5.5.0.rc2

data/app/controllers/spree/api/v3/admin/products_controller.rb

@@ -0,0 +1,237 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class ProductsController < ResourceController
+          include Spree::Api::V3::BulkOperations
+
+          scoped_resource :products
+
+          before_action :require_ids!, only: [
+            :bulk_status_update,
+            :bulk_add_to_categories,
+            :bulk_remove_from_categories,
+            :bulk_add_to_channels,
+            :bulk_remove_from_channels,
+            :bulk_destroy
+          ]
+
+          # POST /api/v3/admin/products/:id/clone
+          def clone
+            @resource = find_resource
+            authorize!(:create, @resource)
+
+            result = @resource.duplicate
+            if result.success?
+              render json: serialize_resource(result.value), status: :created
+            else
+              render_service_error(result.error)
+            end
+          end
+
+          # POST /api/v3/admin/products/bulk_status_update
+          # Body: { ids: [...], status: 'draft' | 'active' | 'archived' }
+          def bulk_status_update
+            authorize! :update, model_class
+
+            unless Spree::Product::STATUSES.include?(params[:status].to_s)
+              return render_error(
+                code: 'invalid_status',
+                message: Spree.t(:invalid_status, scope: 'errors.messages', default: 'Invalid status'),
+                status: :unprocessable_content
+              )
+            end
+
+            count = bulk_collection.update_all(status: params[:status], updated_at: Time.current)
+            # `update_all` skips `after_commit`, so the search index won't refresh on its own.
+            bulk_collection.each(&:enqueue_search_index)
+
+            render json: { product_count: count, status: params[:status] }
+          end
+
+          # POST /api/v3/admin/products/bulk_add_to_categories
+          # Body: { ids: [...], category_ids: [...] }
+          def bulk_add_to_categories
+            apply_categories(Spree::Taxons::AddProducts)
+          end
+
+          # POST /api/v3/admin/products/bulk_remove_from_categories
+          # Body: { ids: [...], category_ids: [...] }
+          def bulk_remove_from_categories
+            apply_categories(Spree::Taxons::RemoveProducts)
+          end
+
+          # POST /api/v3/admin/products/bulk_add_to_channels
+          # Body: { ids: [...], channel_ids: [...] }
+          def bulk_add_to_channels
+            authorize! :update, model_class
+
+            channels = scoped_channels
+            product_ids = bulk_collection.distinct.ids
+            channels.find_each { |channel| channel.add_products(product_ids) }
+
+            render json: { product_count: product_ids.size, channel_count: channels.size }
+          end
+
+          # POST /api/v3/admin/products/bulk_remove_from_channels
+          # Body: { ids: [...], channel_ids: [...] }
+          def bulk_remove_from_channels
+            authorize! :update, model_class
+
+            channels = scoped_channels
+            product_ids = bulk_collection.distinct.ids
+            removed = channels.sum { |channel| channel.remove_products(product_ids) }
+
+            render json: { product_count: product_ids.size, channel_count: channels.size, removed: removed }
+          end
+
+          # DELETE /api/v3/admin/products/bulk_destroy
+          # Body: { ids: [...] }
+          def bulk_destroy
+            authorize! :destroy, model_class
+
+            # Scope by `:destroy` rather than reusing `bulk_collection`
+            # (which is `:update`-scoped). Otherwise an admin with update
+            # rights but no destroy rights could soft-delete records.
+            destroy_scope = model_class.for_store(current_store)
+                                       .accessible_by(current_ability, :destroy)
+                                       .where(id: decode_ids(params[:ids]))
+            destroyed = destroy_scope.count(&:destroy)
+
+            render json: { product_count: destroyed }
+          end
+
+          protected
+
+          def model_class
+            Spree::Product
+          end
+
+          def serializer_class
+            Spree.api.admin_product_serializer
+          end
+
+          def scope_includes
+            [
+              :tax_category,
+              product_publications: :channel,
+              primary_media: [attachment_attachment: :blob],
+              master: [:prices, stock_items: [:stock_location, :active_stock_reservations]],
+              variants: [:prices, stock_items: [:stock_location, :active_stock_reservations]]
+            ]
+          end
+
+          # Use SearchProvider::Database for collection to handle price/best_selling
+          # sorting correctly (counts before sorting, avoiding PG/Mobility issues).
+          def collection
+            return @collection if @collection.present?
+
+            filters = params[:q]&.to_unsafe_h || params[:q] || {}
+            # Decode Stripe-style prefixed IDs in `*_id_in`/`id_eq`/etc. so SPA
+            # filters can pass `prod_…` keys; the search provider expects raw
+            # IDs because it goes straight to Ransack on the underlying scope.
+            filters = decode_prefixed_id_predicates(filters)
+            # `q[search]` is the global text-search predicate; pass it through
+            # the provider's `query` arg so it invokes `Product.search` rather
+            # than being treated as a Ransack predicate (which gets stripped
+            # by the provider's filter sanitizer).
+            query = filters['search'] || filters[:search]
+
+            result = search_provider.search_and_filter(
+              scope: scope.includes(collection_includes).preload_associations_lazily.accessible_by(current_ability, :show),
+              query: query,
+              filters: filters,
+              sort: sort_param,
+              page: page,
+              limit: limit
+            )
+
+            @pagy = result.pagy
+            @collection = result.products
+          end
+
+          def permitted_params
+            # Product is purely a catalog grouping in API v3. All purchasable
+            # attributes (sku, barcode, price, weight, dimensions, stock,
+            # track_inventory) live on variants. See
+            # docs/plans/6.0-remove-master-variant.md.
+            #
+            # Top-level `prices` is a convenience for simple (no-options)
+            # products: the merchant doesn't need to know the master variant
+            # exists, so they ship prices alongside name/status and the
+            # `Spree::Product#prices=` setter forwards them to the master.
+            params.permit(
+              :name, :description, :slug, :status,
+              :meta_title, :meta_description, :meta_keywords,
+              :tax_category_id,
+              :promotionable, :digital,
+              tags: [],
+              category_ids: [],
+              metadata: {},
+              prices: [:amount, :compare_at_amount, :currency],
+              # Inline custom field values keyed by definition id. The model
+              # setter (`Spree::Metafields#custom_fields=`) validates each
+              # entry against its definition. We permit `value` as both a
+              # scalar AND `value: {}` (any-shape Hash/Array) — Strong
+              # Parameters merges them so JSON metafields can ship parsed
+              # objects while text/number/boolean ship scalars.
+              custom_fields: [:id, :custom_field_definition_id, :value, value: {}],
+              # Inline media. Entries with `id` patch an existing asset
+              # (alt, position, variant_ids). Entries with `signed_id` create
+              # + attach a fresh upload. Lets the dashboard ship media changes
+              # alongside the rest of the product form. See
+              # `Spree::Product#media=`.
+              media: [:id, :signed_id, :alt, :position, :type, variant_ids: []],
+              product_publications: [:id, :channel_id, :published_at, :unpublished_at],
+              variants: [
+                :id, :sku, :barcode,
+                :cost_price, :cost_currency,
+                :weight, :height, :width, :depth, :weight_unit, :dimensions_unit,
+                :track_inventory, :tax_category_id, :position,
+                options: [:name, :value],
+                prices: [:amount, :compare_at_amount, :currency],
+                stock_items: [:id, :stock_location_id, :count_on_hand, :backorderable]
+              ]
+            )
+          end
+
+          private
+
+          def search_provider
+            @search_provider ||= Spree::SearchProvider::Database.new(current_store)
+          end
+
+          # Mirrors `Spree::Admin::ProductsController#after_bulk_tags_change`:
+          # tag changes can flip automatic-taxon matches, and `Tags::Bulk*`
+          # touch records via `touch_all` (which skips `after_commit`), so the
+          # search index needs an explicit kick.
+          def after_bulk_tags_change
+            Spree::Product.bulk_auto_match_taxons(current_store, bulk_collection.ids)
+            bulk_collection.each(&:enqueue_search_index)
+          end
+
+          def bulk_record_count_key
+            :product_count
+          end
+
+          def apply_categories(service)
+            authorize! :update, model_class
+
+            category_ids = decode_ids(params[:category_ids])
+            categories = current_store.taxons.accessible_by(current_ability, :update).where(id: category_ids)
+
+            service.call(taxons: categories, products: bulk_collection)
+            Spree::Product.bulk_auto_match_taxons(current_store, bulk_collection.ids)
+
+            render json: { product_count: bulk_collection.size, category_count: categories.size }
+          end
+
+          def scoped_channels
+            channel_ids = decode_ids(params[:channel_ids])
+            current_store.channels.accessible_by(current_ability, :manage).where(id: channel_ids)
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/promotion_actions_controller.rb

@@ -0,0 +1,78 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # CRUD for `Spree::PromotionAction` STI subclasses. Each action is
+        # nested under a promotion; the create body picks the subclass via
+        # `type` and the typed-preferences shape (`preferences: {...}`).
+        class PromotionActionsController < ResourceController
+          include Spree::Api::V3::Admin::SubclassedResource
+
+          scoped_resource :promotions
+
+          subclassed_via -> { Spree.promotions.actions },
+                         unknown_type_error: 'unknown_promotion_action_type'
+
+          def types
+            authorize! :read, model_class
+
+            render json: { data: model_class.subclasses_with_preference_schema }
+          end
+
+          # Returns the calculator subclasses registered for the given action
+          # `type` (e.g. `?type=Spree::Promotion::Actions::CreateAdjustment`).
+          # Each entry includes the calculator's class name, label,
+          # description, and preference schema so the SPA can render the
+          # picker + nested fields without hardcoding the calculator list.
+          def calculators
+            authorize! :read, model_class
+
+            klass = resolve_subclass(params[:type])
+            return render_unknown_type unless klass && klass.respond_to?(:calculators)
+
+            data = klass.calculators.map do |calc|
+              {
+                type: calc.to_s,
+                label: calc.respond_to?(:description) ? calc.description : calc.to_s.demodulize.titleize,
+                preference_schema: calc.respond_to?(:serialized_preference_schema) ? calc.serialized_preference_schema : []
+              }
+            end.sort_by { |entry| entry[:label].to_s }
+
+            render json: { data: data }
+          end
+
+          protected
+
+          def model_class
+            Spree::PromotionAction
+          end
+
+          def serializer_class
+            Spree.api.admin_promotion_action_serializer
+          end
+
+          def permitted_params
+            params.permit(:type, preferences: {})
+          end
+
+          def set_parent
+            return if %w[types calculators].include?(action_name)
+
+            @parent = Spree::Promotion.accessible_by(current_ability, :show)
+                                      .find_by_prefix_id!(params[:promotion_id])
+          end
+
+          def parent_association
+            :promotion_actions
+          end
+
+          private
+
+          def build_subclassed_resource(klass, attrs)
+            klass.new(attrs.merge(promotion: @parent))
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/promotion_rules_controller.rb

@@ -0,0 +1,56 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # CRUD for `Spree::PromotionRule` STI subclasses. Same shape as
+        # PromotionActionsController — only the registry differs
+        # (`Spree.promotions.rules` instead of `Spree.promotions.actions`).
+        class PromotionRulesController < ResourceController
+          include Spree::Api::V3::Admin::SubclassedResource
+
+          scoped_resource :promotions
+
+          subclassed_via -> { Spree.promotions.rules },
+                         unknown_type_error: 'unknown_promotion_rule_type'
+
+          def types
+            authorize! :read, model_class
+
+            render json: { data: model_class.subclasses_with_preference_schema }
+          end
+
+          protected
+
+          def model_class
+            Spree::PromotionRule
+          end
+
+          def serializer_class
+            Spree.api.admin_promotion_rule_serializer
+          end
+
+          def permitted_params
+            params.permit(:type, preferences: {})
+          end
+
+          def set_parent
+            return if action_name == 'types'
+
+            @parent = Spree::Promotion.accessible_by(current_ability, :show)
+                                      .find_by_prefix_id!(params[:promotion_id])
+          end
+
+          def parent_association
+            :promotion_rules
+          end
+
+          private
+
+          def build_subclassed_resource(klass, attrs)
+            klass.new(attrs.merge(promotion: @parent))
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/promotions_controller.rb

@@ -0,0 +1,78 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class PromotionsController < ResourceController
+          scoped_resource :promotions
+
+          protected
+
+          def model_class
+            Spree::Promotion
+          end
+
+          def serializer_class
+            Spree.api.admin_promotion_serializer
+          end
+
+          def collection_includes
+            promotion_includes
+          end
+
+          def scope_includes
+            promotion_includes
+          end
+
+          # A single POST/PATCH /promotions can ship rules and actions
+          # alongside the basics; `Promotion#rules=` / `actions=` reconcile
+          # to the desired set. The nested allowlist below is the union of
+          # every built-in rule/action's expected keys. Plugin-defined
+          # subclasses can add to it — see `additional_permitted_attributes`
+          # below.
+          def permitted_params
+            normalize_params(params.permit(*permitted_attributes))
+          end
+
+          def permitted_attributes
+            [
+              :name, :description, :code, :path,
+              :starts_at, :expires_at, :usage_limit, :match_policy,
+              :kind, :multi_codes, :number_of_codes, :code_prefix,
+              :promotion_category_id,
+              rules: rule_attributes,
+              actions: action_attributes
+            ]
+          end
+
+          def rule_attributes
+            [:id, :type, { preferences: {} }, *subclassed_collection_attributes(Spree.promotions.rules)]
+          end
+
+          def action_attributes
+            [
+              :id, :type,
+              { preferences: {} },
+              { calculator: [:type, { preferences: {} }] },
+              *subclassed_collection_attributes(Spree.promotions.actions)
+            ]
+          end
+
+          # Pulls in plugin-defined permitted attributes from every
+          # registered rule/action subclass. Subclasses declare these via
+          # `additional_permitted_attributes` (e.g. `[product_ids: []]`).
+          def subclassed_collection_attributes(registry)
+            registry.flat_map do |klass|
+              klass.respond_to?(:additional_permitted_attributes) ? klass.additional_permitted_attributes : []
+            end.uniq
+          end
+
+          private
+
+          def promotion_includes
+            [:stores, :promotion_actions, :promotion_rules]
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/resource_controller.rb

@@ -2,24 +2,42 @@ module Spree
   module Api
     module V3
       module Admin
+        # Mirrors Admin::BaseController's concerns. Both classes anchor parallel
+        # inheritance branches (V3::BaseController vs V3::ResourceController);
+        # any concern added here MUST also be added to Admin::BaseController.
         class ResourceController < Spree::Api::V3::ResourceController
-          # Require secret API key for all Admin API requests
-          before_action :authenticate_secret_key!
-
-          # Admin API responses must never be cached
-          after_action :set_no_store_cache
+          include Spree::Api::V3::AdminAuthentication
+          include Spree::Api::V3::ScopedAuthorization
 
           protected
 
-          # Override JWT audience to require admin tokens
-          def expected_audience
-            JWT_AUDIENCE_ADMIN
+          def authenticate_request!
+            authenticate_admin!
           end
 
-          private
+          # Render error from ServiceModule::Result, extracting ActiveModel::Errors
+          # from the ResultError wrapper to get proper validation_error responses.
+          def render_result_error(result)
+            error = result.error
+            errors = error.respond_to?(:value) ? error.value : error
+
+            if errors.is_a?(ActiveModel::Errors)
+              render_validation_error(errors)
+            else
+              render_service_error(error)
+            end
+          end
+
+          def decode_ids(ids, klass)
+            Array(ids).map do |id|
+              Spree::PrefixedId.prefixed_id?(id) ? klass.find_by_param!(id).id : id
+            end
+          end
 
-          def set_no_store_cache
-            response.headers['Cache-Control'] = 'private, no-store'
+          def decode_prefixed_ids(ids)
+            Array(ids).map do |id|
+              Spree::PrefixedId.prefixed_id?(id) ? Spree::PrefixedId.decode_prefixed_id(id) : id
+            end
           end
         end
       end

data/app/controllers/spree/api/v3/admin/roles_controller.rb

@@ -0,0 +1,29 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Read-only list of roles available for staff role pickers (invite +
+        # edit forms). Roles are global, not per-store; CRUD is handled
+        # outside the SPA today and may grow into a richer permissions UI
+        # later. The controller ignores `current_store` for that reason.
+        class RolesController < ResourceController
+          scoped_resource :settings
+
+          protected
+
+          def model_class
+            Spree::Role
+          end
+
+          def serializer_class
+            Spree.api.admin_role_serializer
+          end
+
+          def scope
+            Spree::Role.accessible_by(current_ability, :show)
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/stock_items_controller.rb

@@ -0,0 +1,35 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        # Stock items are auto-created when a variant lands at a stock
+        # location, so there's deliberately no `create` route — use the
+        # variants / stock-locations endpoints for that flow.
+        class StockItemsController < ResourceController
+          scoped_resource :stock
+
+          protected
+
+          def model_class
+            Spree::StockItem
+          end
+
+          def serializer_class
+            Spree.api.admin_stock_item_serializer
+          end
+
+          def collection_includes
+            [:stock_location, :variant]
+          end
+
+          # `StockItem.for_store` already applies its own `distinct`, and
+          # `id`-asc gives a stable order across edits (variant.position
+          # alone isn't unique — see git blame for the row-jumping bug).
+          def apply_collection_sort(collection)
+            collection.order(Spree::StockItem.arel_table[:id].asc)
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/stock_locations_controller.rb

@@ -0,0 +1,36 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class StockLocationsController < ResourceController
+          scoped_resource :stock
+
+          protected
+
+          def model_class
+            Spree::StockLocation
+          end
+
+          def serializer_class
+            Spree.api.admin_stock_location_serializer
+          end
+
+          def scope
+            super.order_default
+          end
+
+          def permitted_params
+            params.permit(
+              :name, :admin_name, :active, :default,
+              :kind, :propagate_all_variants, :backorderable_default,
+              :address1, :address2, :city, :zipcode, :phone, :company,
+              :country_iso, :state_abbr, :state_name,
+              :pickup_enabled, :pickup_stock_policy,
+              :pickup_ready_in_minutes, :pickup_instructions
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v3/admin/stock_reservations_controller.rb

@@ -0,0 +1,29 @@
+module Spree
+  module Api
+    module V3
+      module Admin
+        class StockReservationsController < ResourceController
+          scoped_resource :stock
+
+          protected
+
+          def model_class
+            Spree::StockReservation
+          end
+
+          def serializer_class
+            Spree.api.admin_stock_reservation_serializer
+          end
+
+          def scope
+            Spree::StockReservation.for_store(current_store).accessible_by(current_ability, ability_action_for_request)
+          end
+
+          def collection_includes
+            [{ stock_item: [:variant, :stock_location], line_item: [], order: [] }]
+          end
+        end
+      end
+    end
+  end
+end