RubyGems - spree_api - Versions diffs - 1.1.3 → 1.1.4 - Mend

spree_api 1.1.3 → 1.1.4

Files changed (11) hide show

data/app/controllers/spree/api/v1/addresses_controller.rb CHANGED Viewed

@@ -4,10 +4,12 @@ module Spree
       class AddressesController < Spree::Api::V1::BaseController
         def show
           @address = Address.find(params[:id])
+          authorize! :read, @address
         end
         def update
           @address = Address.find(params[:id])
+          authorize! :read, @address
           @address.update_attributes(params[:address])
           render :show, :status => 200
         end

data/app/controllers/spree/api/v1/base_controller.rb CHANGED Viewed

@@ -6,6 +6,7 @@ module Spree
         attr_accessor :current_api_user
+        before_filter :set_content_type
         before_filter :check_for_api_key
         before_filter :authenticate_user
@@ -25,6 +26,16 @@ module Spree
         private
+        def set_content_type
+          content_type = case params[:format]
+          when "json"
+            "application/json"
+          when "xml"
+            "text/xml"
+          end
+          headers["Content-Type"] = content_type
+        end
         def check_for_api_key
           render "spree/api/v1/errors/must_specify_api_key", :status => 401 and return if api_key.blank?
         end

data/app/controllers/spree/api/v1/images_controller.rb CHANGED Viewed

@@ -7,17 +7,20 @@ module Spree
         end
         def create
+          authorize! :create, Image
           @image = Image.create(params[:image])
           render :show, :status => 201
         end
         def update
+          authorize! :update, Image
           @image = Image.find(params[:id])
           @image.update_attributes(params[:image])
           render :show, :status => 200
         end
         def destroy
+          authorize! :delete, Image
           @image = Image.find(params[:id])
           @image.destroy
           render :text => nil

data/app/controllers/spree/api/v1/shipments_controller.rb CHANGED Viewed

@@ -6,6 +6,7 @@ module Spree
         before_filter :find_and_update_shipment, :only => [:ship, :ready]
         def ready
+          authorize! :read, Shipment
           unless @shipment.ready?
             @shipment.ready!
           end
@@ -13,6 +14,7 @@ module Spree
         end
         def ship
+          authorize! :read, Shipment
           unless @shipment.shipped?
             @shipment.ship!
           end
@@ -23,6 +25,7 @@ module Spree
         def find_order
           @order = Spree::Order.find_by_number!(params[:order_id])
+          authorize! :read, @order
         end
         def find_and_update_shipment

data/app/views/spree/api/v1/orders/show.rabl CHANGED Viewed

@@ -1,6 +1,9 @@
 object @order
 attributes *order_attributes
-extends "spree/api/v1/orders/#{@order.state}"
+if lookup_context.find_all("spree/api/v1/orders/#{@order.state}").present?
+  extends "spree/api/v1/orders/#{@order.state}"
+end
 child :billing_address => :bill_address do
   extends "spree/api/v1/addresses/show"

data/spec/controllers/spree/api/v1/addresses_controller_spec.rb CHANGED Viewed

@@ -9,15 +9,37 @@ module Spree
       @address = create(:address)
     end
-    it "gets an address" do
-      api_get :show, :id => @address.id
-      json_response['address']['address1'].should eq @address.address1
+    context "with their own address" do
+      before do
+        Address.any_instance.stub :user => current_api_user
+      end
+      it "gets an address" do
+        api_get :show, :id => @address.id
+        json_response['address']['address1'].should eq @address.address1
+      end
+      it "updates an address" do
+        api_put :update, :id => @address.id,
+                         :address => { :address1 => "123 Test Lane" }
+        json_response['address']['address1'].should eq '123 Test Lane'
+      end
     end
-    it "updates an address" do
-      api_put :update, :id => @address.id,
-                       :address => { :address1 => "123 Test Lane" }
-      json_response['address']['address1'].should eq '123 Test Lane'
+    context "on somebody else's address" do
+      before do
+        Address.any_instance.stub :user => stub_model(Spree::User)
+      end
+      it "cannot retreive address information" do
+        api_get :show, :id => @address.id
+        assert_unauthorized!
+      end
+      it "cannot update address information" do
+        api_get :update, :id => @address.id
+        assert_unauthorized!
+      end
     end
   end
 end

data/spec/controllers/spree/api/v1/images_controller_spec.rb CHANGED Viewed

@@ -13,43 +13,53 @@ module Spree
       stub_authentication!
     end
-    it "can upload a new image for a product" do
-      lambda do
-        api_post :create,
-                 :image => { :attachment => upload_image("thinking-cat.jpg"),
-                             :viewable_type => 'Spree::Product',
-                             :viewable_id => product.id  }
-        response.status.should == 201
-        json_response.should have_attributes(attributes)
-      end.should change(Image, :count).by(1)
-    end
+    context "as an admin" do
+      sign_in_as_admin!
+      it "can upload a new image for a variant" do
+        lambda do
+          api_post :create,
+                   :image => { :attachment => upload_image('thinking-cat.jpg'),
+                               :viewable_type => 'Spree::Variant',
+                               :viewable_id => product.master.to_param  }
+          response.status.should == 201
+          json_response.should have_attributes(attributes)
+        end.should change(Image, :count).by(1)
+      end
+      context "working with an existing image" do
+        let!(:product_image) { product.master.images.create!(:attachment => image('thinking-cat.jpg')) }
-    it "can upload a new image for a variant" do
-      lambda do
-        api_post :create,
-                 :image => { :attachment => upload_image("thinking-cat.jpg"),
-                             :viewable_type => 'Spree::Variant',
-                             :viewable_id => product.master.to_param  }
-        response.status.should == 201
-        json_response.should have_attributes(attributes)
-      end.should change(Image, :count).by(1)
+        it "can update image data" do
+          product_image.position.should == 1
+          api_post :update, :image => { :position => 2 }, :id => product_image.id
+          response.status.should == 200
+          json_response.should have_attributes(attributes)
+          product_image.reload.position.should == 2
+        end
+        it "can delete an image" do
+          api_delete :destroy, :id => product_image.id
+          response.status.should == 200
+          lambda { product_image.reload }.should raise_error(ActiveRecord::RecordNotFound)
+        end
+      end
     end
-    context "working with an existing image" do
-      let!(:product_image) { product.master.images.create!(:attachment => image("thinking-cat.jpg")) }
+    context "as a non-admin" do
+      it "cannot create an image" do
+        api_post :create
+        assert_unauthorized!
+      end
-      it "can update image data" do
-        product_image.position.should == 1
-        api_post :update, :image => { :position => 2 }, :id => product_image.id
-        response.status.should == 200
-        json_response.should have_attributes(attributes)
-        product_image.reload.position.should == 2
+      it "cannot update an image" do
+        api_put :update, :id => 1
+        assert_unauthorized!
       end
-      it "can delete an image" do
-        api_delete :destroy, :id => product_image.id
-        response.status.should == 200
-        lambda { product_image.reload }.should raise_error(ActiveRecord::RecordNotFound)
+      it "cannot delete an image" do
+        api_delete :destroy, :id => 1
+        assert_unauthorized!
       end
     end
   end

data/spec/controllers/spree/api/v1/orders_controller_spec.rb CHANGED Viewed

@@ -28,6 +28,13 @@ module Spree
       json_response.should have_attributes(attributes)
     end
+    # Regression test for #1992
+    it "can view an order not in a standard state" do
+      Order.any_instance.stub :user => current_api_user
+      order.update_column(:state, 'shipped')
+      api_get :show, :id => order.to_param
+    end
     it "can not view someone else's order" do
       Order.any_instance.stub :user => stub_model(User)
       api_get :show, :id => order.to_param

data/spec/controllers/spree/api/v1/shipments_controller_spec.rb CHANGED Viewed

@@ -9,8 +9,22 @@ describe Spree::Api::V1::ShipmentsController do
     stub_authentication!
   end
-  context "working with a shipment" do
-    let!(:resource_scoping) { { :order_id => shipment.order.to_param, :id => shipment.to_param } }
+  let!(:resource_scoping) { { :order_id => shipment.order.to_param, :id => shipment.to_param } }
+  context "as a non-admin" do
+    it "cannot make a shipment ready" do
+      api_put :ready
+      assert_unauthorized!
+    end
+    it "cannot make a shipment shipped" do
+      api_put :ship
+      assert_unauthorized!
+    end
+  end
+  context "as an admin" do
+    sign_in_as_admin!
     it "can make a shipment ready" do
       api_put :ready

data/spec/controllers/spree/api/v1/taxons_controller_spec.rb CHANGED Viewed

@@ -4,9 +4,9 @@ module Spree
   describe Api::V1::TaxonsController do
     render_views
-    let(:taxonomy) { Factory(:taxonomy) }
-    let(:taxon) { Factory(:taxon, :name => "Ruby", :taxonomy => taxonomy) }
-    let(:taxon2) { Factory(:taxon, :name => "Rails", :taxonomy => taxonomy) }
+    let(:taxonomy) { create(:taxonomy) }
+    let(:taxon) { create(:taxon, :name => "Ruby", :taxonomy => taxonomy) }
+    let(:taxon2) { create(:taxon, :name => "Rails", :taxonomy => taxonomy) }
     let(:attributes) { ["id", "name", "permalink", "position", "parent_id", "taxonomy_id"] }
     before do

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_api
 version: !ruby/object:Gem::Version
-  version: 1.1.3
+  version: 1.1.4
   prerelease:
 platform: ruby
 authors:
@@ -9,33 +9,33 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-07-27 00:00:00.000000000Z
+date: 2012-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: spree_core
-  requirement: &70233810562560 !ruby/object:Gem::Requirement
+  requirement: &70343664878740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - =
       - !ruby/object:Gem::Version
-        version: 1.1.3
+        version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70233810562560
+  version_requirements: *70343664878740
 - !ruby/object:Gem::Dependency
   name: spree_auth
-  requirement: &70233810547020 !ruby/object:Gem::Requirement
+  requirement: &70343664878060 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - =
       - !ruby/object:Gem::Version
-        version: 1.1.3
+        version: 1.1.4
   type: :runtime
   prerelease: false
-  version_requirements: *70233810547020
+  version_requirements: *70343664878060
 - !ruby/object:Gem::Dependency
   name: rabl
-  requirement: &70233810543540 !ruby/object:Gem::Requirement
+  requirement: &70343664877300 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - =
@@ -43,10 +43,10 @@ dependencies:
         version: 0.6.5
   type: :runtime
   prerelease: false
-  version_requirements: *70233810543540
+  version_requirements: *70343664877300
 - !ruby/object:Gem::Dependency
   name: rspec-rails
-  requirement: &70233810540440 !ruby/object:Gem::Requirement
+  requirement: &70343664876420 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - =
@@ -54,10 +54,10 @@ dependencies:
         version: 2.9.0
   type: :development
   prerelease: false
-  version_requirements: *70233810540440
+  version_requirements: *70343664876420
 - !ruby/object:Gem::Dependency
   name: database_cleaner
-  requirement: &70233810539000 !ruby/object:Gem::Requirement
+  requirement: &70343664875940 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,7 +65,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70233810539000
+  version_requirements: *70343664875940
 description: Spree's API
 email:
 - ryan@spreecommerce.com
@@ -192,7 +192,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 1403657834469964020
+      hash: 1679059812271794179
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -201,7 +201,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 1403657834469964020
+      hash: 1679059812271794179
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.10