spree_api 2.0.3 → 2.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 99004d692b431aa93374f77fcafbbe18215d6f33
-  data.tar.gz: 9fd49a4a1cb42b2389037efb43c67aed741b4806
+  metadata.gz: 9f5519b716277f189e3ca709d60342a6644f63e6
+  data.tar.gz: 5d8d83310106f05dee2dd8ed5a0f01aa66d1f6f1
 SHA512:
-  metadata.gz: 2a920e5e0749c037063856d55ed8b4ba6d6290f5b9cada53f6195e965beda88f3878ae726c6a0531c0b43df31387c3a4b54c0def0d6ac02ceaa2ea4282e7e22b
-  data.tar.gz: 400dba6876823fc0607b71ac643fc759760896d2a3f430570e133c101f5a867e4cf7eebc0b0e4a4af1bac7fadce7902b443e4ed13d21fdb067e3bf521f03891a
+  metadata.gz: 5f850cf66f2e7a8bd57940b7961f1e740be4a0d0aeabe87ffe5e45f0a3641c7a7c81ffa72301517b5ca07ac5761a3071cb09dabbe69652593656ad382a487367
+  data.tar.gz: 03ac9cf7f05c894ebab107a30c6f0d6613835e8c55a2407e4b62f30e2b257fbdcf38cd97842f72a8a10f9032068e252f4c10f8e1b024e852036acdc82621eefa

data/CHANGELOG.md

@@ -1,3 +1,31 @@
-## Spree 2.0.1 (unreleased) ##
+## Spree 2.0.5 (unreleased)
 
-* No changes.
+## Spree 2.0.4
+
+* PUT requests to Checkouts API endpoints now require authorization to alter an order.
+
+    *Ryan Bigg*
+
+* The Products API endpoint now returns an additional key called `shipping_category_id`, and also requires `shipping_category_id` on create.
+
+    *Jeff Dutil*
+
+* Checkouts API's update action will now correctly process line item attributes (either `line_items` or `line_item_attributes`)
+
+    * Ryan Bigg*
+
+* Checkouts API now correctly processes incoming payment data during the payment step.
+
+    *Ryan Bigg*
+
+* Fix issue where `set_current_order` before filter would be called when CheckoutsController actions were run, causing the order object to be deleted. #3306
+
+    *Ryan Bigg*
+
+* An order can no longer transition past the "cart" state without first having a line item. #3312
+
+    *Ryan Bigg*
+
+* Attributes other than "quantity" and "variant_id" will be added to a line item when creating along with an order. #3404
+
+    *Alex Marles & Ryan Bigg* 

data/app/controllers/spree/api/base_controller.rb

@@ -118,8 +118,8 @@ module Spree
       def product_scope
         if current_api_user.has_spree_role?("admin")
           scope = Product
-          unless params[:show_deleted]
-            scope = scope.not_deleted
+          if params[:show_deleted]
+            scope = scope.with_deleted
           end
         else
           scope = Product.active

data/app/controllers/spree/api/checkouts_controller.rb

@@ -6,6 +6,8 @@ module Spree
 
       include Spree::Core::ControllerHelpers::Auth
       include Spree::Core::ControllerHelpers::Order
+      # This before_filter comes from Spree::Core::ControllerHelpers::Order
+      skip_before_filter :set_current_order
 
       respond_to :json
 
@@ -15,8 +17,12 @@ module Spree
       end
 
       def update
-        user_id = object_params.delete(:user_id)
-        if @order.update_attributes(object_params)
+        authorize! :update, @order, params[:order_token]
+        order_params = object_params
+        user_id = order_params.delete(:user_id)
+        line_items = order_params.delete("line_items_attributes")
+        if @order.update_attributes(order_params)
+          @order.update_line_items(line_items)
           # TODO: Replace with better code when we switch to strong_parameters
           # Also remove above user_id stripping
           if current_api_user.has_spree_role?("admin") && user_id.present?
@@ -32,6 +38,7 @@ module Spree
 
       def next
         @order.next!
+        authorize! :update, @order, params[:order_token]
         respond_with(@order, :default_template => 'spree/api/orders/show', :status => 200)
         rescue StateMachine::InvalidTransition
           respond_with(@order, :default_template => 'spree/api/orders/could_not_transition', :status => 422)
@@ -42,15 +49,16 @@ module Spree
         def object_params
           # For payment step, filter order parameters to produce the expected nested attributes for a single payment and its source, discarding attributes for payment methods other than the one selected
           # respond_to check is necessary due to issue described in #2910
+          object_params = nested_params
           if @order.has_checkout_step?("payment") && @order.payment?
-            if params[:payment_source].present? && source_params = params.delete(:payment_source)[params[:order][:payments_attributes].first[:payment_method_id].underscore]
-              params[:order][:payments_attributes].first[:source_attributes] = source_params
+            if object_params[:payment_source].present? && source_params = object_params.delete(:payment_source)[object_params[:payments_attributes].first[:payment_method_id].underscore]
+              object_params[:payments_attributes].first[:source_attributes] = source_params
             end
-            if params[:order].present? && params[:order][:payments_attributes]
-              params[:order][:payments_attributes].first[:amount] = @order.total
+            if object_params.present? && object_params[:payments_attributes]
+              object_params[:payments_attributes].first[:amount] = @order.total
             end
           end
-          params[:order] || {}
+          object_params
         end
 
         def nested_params
@@ -65,6 +73,7 @@ module Spree
 
         def load_order
           @order = Spree::Order.find_by_number!(params[:id])
+          authorize! :read, @order, params[:order_token]
           raise_insufficient_quantity and return if @order.insufficient_stock_lines.present?
           @order.state = params[:state] if params[:state]
           state_callback(:before)
@@ -92,11 +101,6 @@ module Spree
           @order.ship_address ||= Address.default
         end
 
-        def before_delivery
-          return if params[:order].present?
-          @order.create_proposed_shipments
-        end
-
         def before_payment
           @order.payments.destroy_all if request.put?
         end

data/app/controllers/spree/api/products_controller.rb

@@ -27,10 +27,15 @@ module Spree
         authorize! :create, Product
         params[:product][:available_on] ||= Time.now
         @product = Product.new(params[:product])
-        if @product.save
-          respond_with(@product, :status => 201, :default_template => :show)
-        else
-          invalid_resource!(@product)
+        begin
+          if @product.save
+            respond_with(@product, :status => 201, :default_template => :show)
+          else
+            invalid_resource!(@product)
+          end
+        rescue ActiveRecord::RecordNotUnique
+          @product.permalink = nil
+          retry
         end
       end
 

data/app/controllers/spree/api/return_authorizations_controller.rb

@@ -41,6 +41,34 @@ module Spree
         respond_with(@return_authorization, :status => 204)
       end
 
+      def add
+        @return_authorization = order.return_authorizations.accessible_by(current_ability, :update).find(params[:id])
+        @return_authorization.add_variant params[:variant_id].to_i, params[:quantity].to_i
+        if @return_authorization.valid?
+          respond_with @return_authorization, default_template: :show
+        else
+          invalid_resource!(@return_authorization)
+        end
+      end
+
+      def receive
+        @return_authorization = order.return_authorizations.accessible_by(current_ability, :update).find(params[:id])
+        if @return_authorization.receive
+          respond_with @return_authorization, default_template: :show
+        else
+          invalid_resource!(@return_authorization)
+        end
+      end
+
+      def cancel
+        @return_authorization = order.return_authorizations.accessible_by(current_ability, :update).find(params[:id])
+        if @return_authorization.cancel
+          respond_with @return_authorization, default_template: :show
+        else
+          invalid_resource!(@return_authorization)
+        end
+      end
+
       private
 
       def order

data/app/controllers/spree/api/shipments_controller.rb

@@ -21,7 +21,7 @@ module Spree
       def update
         authorize! :read, Shipment
         @shipment = @order.shipments.find_by_number!(params[:id])
-
+        params[:shipment] ||= []
         unlock = params[:shipment].delete(:unlock)
 
         if unlock == 'yes'

data/app/controllers/spree/api/variants_controller.rb

@@ -56,7 +56,7 @@ module Spree
             unless current_api_user.has_spree_role?("admin") || params[:show_deleted]
               variants = @product.variants_including_master
             else
-              variants = @product.variants_including_master_and_deleted
+              variants = @product.variants_including_master.with_deleted
             end
           else
             variants = Variant.scoped

data/app/helpers/spree/api/api_helpers.rb

@@ -12,7 +12,7 @@ module Spree
       end
 
       def product_attributes
-        [:id, :name, :description, :price, :available_on, :permalink, :meta_description, :meta_keywords, :taxon_ids]
+        [:id, :name, :description, :price, :available_on, :permalink, :meta_description, :meta_keywords, :shipping_category_id, :taxon_ids]
       end
 
       def product_property_attributes
@@ -32,7 +32,7 @@ module Spree
       end
 
       def order_attributes
-        [:id, :number, :item_total, :total, :state, :adjustment_total, :user_id, :created_at, :updated_at, :completed_at, :payment_total, :shipment_state, :payment_state, :email, :special_instructions]
+        [:id, :number, :item_total, :total, :state, :adjustment_total, :user_id, :created_at, :updated_at, :completed_at, :payment_total, :shipment_state, :payment_state, :email, :special_instructions, :token]
       end
 
       def line_item_attributes

data/app/models/spree/order_decorator.rb

@@ -1,13 +1,26 @@
 Spree::Order.class_eval do
   def self.build_from_api(user, params)
-    order = create
-    params[:line_items_attributes] ||= []
-    unless params[:line_items_attributes].empty?
-      params[:line_items_attributes].each_key do |k|
-        order.contents.add(Spree::Variant.find(params[:line_items_attributes][k][:variant_id]), params[:line_items_attributes][k][:quantity])
+    line_items = params.delete(:line_items_attributes) || []
+
+    order = create(params)
+    order.associate_user!(user)
+
+    unless line_items.empty?
+      line_items.each_key do |k|
+        line_item = line_items[k]
+        extra_params = line_item.except(:variant_id, :quantity)
+        line_item = order.contents.add(Spree::Variant.find(line_item[:variant_id]), line_item[:quantity])
+        line_item.update_attributes(extra_params) unless extra_params.empty?
       end
     end
 
     order
   end
+
+  def update_line_items(line_item_params)
+    return if line_item_params.blank?
+    line_item_params.each do |id, attributes|
+      self.line_items.find(id).update_attributes!(attributes)
+    end
+  end
 end

data/app/views/spree/admin/users/_api_fields.html.erb

@@ -12,11 +12,11 @@
       <% end %>
 
       <span class="or"><%= Spree.t(:or)%></span>
-    
+
       <%= form_tag spree.generate_api_key_admin_user_path(@user), :method => :put do %>
         <%= button Spree.t('regenerate_key', :scope => 'api'), 'icon-refresh' %>
-      <% end %>      
-    </div>    
+      <% end %>
+    </div>
 
   <% else %>
 
@@ -26,6 +26,6 @@
       <%= form_tag spree.generate_api_key_admin_user_path(@user), :method => :put do %>
         <%= button Spree.t('generate_key', :scope => 'api'), 'icon-key' %>
       <% end %>
-    </div>    
+    </div>
   <% end %>
 </fieldset>

data/app/views/spree/api/variants/variant.v1.rabl

@@ -1 +1,5 @@
 attributes *variant_attributes
+node(:options_text) { |v| v.options_text }
+child :option_values => :option_values do
+  attributes *option_value_attributes
+end

data/config/routes.rb

@@ -21,18 +21,21 @@ Spree::Core::Engine.routes.draw do
       end
     end
 
-    resources :variants, :only => [:index] do
-    end
+    resources :variants, :only => [:index]
 
     resources :option_types do
       resources :option_values
     end
 
     resources :orders do
-      resources :return_authorizations
+      resources :return_authorizations do
+        member do
+          put :add
+          put :cancel
+          put :receive
+        end
+      end
       member do
-        put :address
-        put :delivery
         put :cancel
         put :empty
       end

data/lib/spree/api/testing_support/setup.rb

@@ -5,23 +5,10 @@ module Spree
         def sign_in_as_admin!
           let!(:current_api_user) do
             user = stub_model(Spree::LegacyUser)
-            user.should_receive(:has_spree_role?).any_number_of_times.with("admin").and_return(true)
+            user.stub(:has_spree_role?).with("admin").and_return(true)
             user
           end
         end
-
-        # Default kaminari's pagination to a certain range
-        # Means that you don't need to create 25 objects to test pagination
-        def default_per_page(count)
-          before do
-            @current_default_per_page = Kaminari.config.default_per_page
-            Kaminari.config.default_per_page = 1
-          end
-
-          after do
-            Kaminari.config.default_per_page = @current_default_per_page
-          end
-        end
       end
     end
   end

data/spec/controllers/spree/api/base_controller_spec.rb

@@ -10,7 +10,7 @@ describe Spree::Api::BaseController do
 
   context "signed in as a user using an authentication extension" do
     before do
-      controller.stub :try_spree_current_user => stub(:email => "spree@example.com")
+      controller.stub :try_spree_current_user => double(:email => "spree@example.com")
       Spree::Api::Config[:requires_authentication] = true
     end
 
@@ -49,7 +49,7 @@ describe Spree::Api::BaseController do
   end
 
   it "maps symantec keys to nested_attributes keys" do
-    klass = stub(:nested_attributes_options => { :line_items => {},
+    klass = double(:nested_attributes_options => { :line_items => {},
                                                   :bill_address => {} })
     attributes = { 'line_items' => { :id => 1 },
                    'bill_address' => { :id => 2 },

data/spec/controllers/spree/api/checkouts_controller_spec.rb

@@ -15,7 +15,7 @@ module Spree
       create(:stock_location)
 
       @shipping_method = create(:shipping_method, :zones => [country_zone])
-      @payment_method = create(:payment_method)
+      @payment_method = create(:bogus_payment_method)
     end
 
     after do
@@ -29,20 +29,6 @@ module Spree
         json_response['number'].should be_present
         response.status.should == 201
       end
-
-      it "should not have a user by default" do
-        api_post :create
-
-        json_response['user_id'].should_not be_present
-        response.status.should == 201
-      end
-
-      it "should not have an email by default" do
-        api_post :create
-
-        json_response['email'].should_not be_present
-        response.status.should == 201
-      end
     end
 
     context "PUT 'update'" do
@@ -53,26 +39,49 @@ module Spree
         Order.any_instance.stub(:payment_required? => true)
       end
 
+      it "cannot update without a token" do
+        api_put :update, :id => order.to_param
+        assert_unauthorized!
+      end
+
       it "will return an error if the recently created order cannot transition from cart to address" do
         order.state.should eq "cart"
         order.update_column(:email, nil) # email is necessary to transition from cart to address
 
-        api_put :update, :id => order.to_param
+        api_put :update, :id => order.to_param, :order_token => order.token
 
         # Order has not transitioned
         json_response['state'].should == 'cart'
       end
 
-      it "should transition a recently created order from cart do address" do
+      it "should transition a recently created order from cart to address" do
         order.state.should eq "cart"
         order.email.should_not be_nil
-        api_put :update, :id => order.to_param
+        api_put :update, :id => order.to_param, :order_token => order.token
+        order.reload.state.should eq "address"
+      end
+
+      it "can take line_items_attributes as a parameter" do
+        line_item = order.line_items.first
+        api_put :update, :id => order.to_param, :order_token => order.token,
+                         :order => { :line_items_attributes => { line_item.id => { :quantity => 1 } } }
+        response.status.should == 200
+        order.reload.state.should eq "address"
+      end
+
+      it "can take line_items as a parameter" do
+        line_item = order.line_items.first
+        api_put :update, :id => order.to_param, :order_token => order.token,
+                         :order => { :line_items => { line_item.id => { :quantity => 1 } } }
+        response.status.should == 200
         order.reload.state.should eq "address"
       end
 
       it "will return an error if the order cannot transition" do
+        order.bill_address = nil
+        order.save
         order.update_column(:state, "address")
-        api_put :update, :id => order.to_param
+        api_put :update, :id => order.to_param, :order_token => order.token
         response.status.should == 422
       end
 
@@ -89,7 +98,7 @@ module Spree
           :country_id => @country.id
         }
         api_put :update,
-                :id => order.to_param,
+                :id => order.to_param, :order_token => order.token,
                 :order => { :bill_address_attributes => billing_address, :ship_address_attributes => shipping_address }
         json_response['state'].should == 'delivery'
         json_response['bill_address']['firstname'].should == 'John'
@@ -101,7 +110,7 @@ module Spree
         order.update_column(:state, "delivery")
         shipment = create(:shipment, :order => order)
         shipping_rate = shipment.shipping_rates.first
-        api_put :update, :id => order.to_param, :order => { :shipments_attributes => { "0" => { :selected_shipping_rate_id => shipping_rate.id, :id => shipment.id } } }
+        api_put :update, :id => order.to_param, :order_token => order.token, :order => { :shipments_attributes => { "0" => { :selected_shipping_rate_id => shipping_rate.id, :id => shipment.id } } }
         json_response['shipments'][0]['shipping_method']['name'].should == @shipping_method.name
         json_response['state'].should == 'payment'
         response.status.should == 200
@@ -109,23 +118,53 @@ module Spree
 
       it "can update payment method and transition from payment to confirm" do
         order.update_column(:state, "payment")
-        api_put :update, :id => order.to_param, :order => { :payments_attributes => [{ :payment_method_id => @payment_method.id }] }
+        api_put :update, :id => order.to_param, :order_token => order.token, :order => { :payments_attributes => [{ :payment_method_id => @payment_method.id }] }
         json_response['state'].should == 'confirm'
         json_response['payments'][0]['payment_method']['name'].should == @payment_method.name
         response.status.should == 200
       end
 
+      it "can update payment method with source and transition from payment to confirm" do
+        order.update_column(:state, "payment")
+        source_attributes = {
+          "number" => "4111111111111111",
+          "month" => 1.month.from_now.month,
+          "year" => 1.month.from_now.year,
+          "verification_value" => "123"
+        }
+
+        api_put :update, :id => order.to_param, :order_token => order.token,
+          :order => { :payments_attributes => [{ :payment_method_id => @payment_method.id.to_s }],
+                      :payment_source => { @payment_method.id.to_s => source_attributes } }
+        json_response['payments'][0]['payment_method']['name'].should == @payment_method.name
+        json_response['payments'][0]['amount'].should == order.total.to_s
+        response.status.should == 200
+      end
+
+      it "returns errors when source is missing attributes" do
+        order.update_column(:state, "payment")
+        api_put :update, :id => order.to_param, :order_token => order.token,
+          :order => { :payments_attributes => [{ :payment_method_id => @payment_method.id.to_s }],
+                      :payment_source => { @payment_method.id.to_s => { } } }
+        response.status.should == 422
+        cc_errors = json_response['errors']['payments.Credit Card']
+        cc_errors.should include("Number can't be blank")
+        cc_errors.should include("Month is not a number")
+        cc_errors.should include("Year is not a number")
+        cc_errors.should include("Verification Value can't be blank")
+      end
+
       it "can transition from confirm to complete" do
         order.update_column(:state, "confirm")
         Spree::Order.any_instance.stub(:payment_required? => false)
-        api_put :update, :id => order.to_param
+        api_put :update, :id => order.to_param, :order_token => order.token
         json_response['state'].should == 'complete'
         response.status.should == 200
       end
 
       it "returns the order if the order is already complete" do
         order.update_column(:state, "complete")
-        api_put :update, :id => order.to_param
+        api_put :update, :id => order.to_param, :order_token => order.token
         json_response['number'].should == order.number
         response.status.should == 200
       end
@@ -142,7 +181,7 @@ module Spree
       end
 
       it "can assign an email to the order" do
-        api_put :update, :id => order.to_param, :order => { :email => "guest@spreecommerce.com" }
+        api_put :update, :id => order.to_param, :order => { :email => "guest@spreecommerce.com" }, :order_token => order.token
         json_response['email'].should == "guest@spreecommerce.com"
         response.status.should == 200
       end
@@ -151,16 +190,32 @@ module Spree
         order.update_column(:state, "payment")
         Spree::Promo::CouponApplicator.should_receive(:new).with(order).and_call_original
         Spree::Promo::CouponApplicator.any_instance.should_receive(:apply).and_return({:coupon_applied? => true})
-        api_put :update, :id => order.to_param, :order => { :coupon_code => "foobar" }
+        api_put :update, :id => order.to_param, :order => { :coupon_code => "foobar" }, :order_token => order.token
+      end
+
+      it "can apply a coupon code to an order" do
+        order.update_column(:state, "payment")
+        Spree::Promo::CouponApplicator.should_receive(:new).with(order).and_call_original
+        coupon_result = { :coupon_applied? => true }
+        Spree::Promo::CouponApplicator.any_instance.should_receive(:apply).and_return(coupon_result)
+        api_put :update, :id => order.to_param, :order_token => order.token, :order => { :coupon_code => "foobar" }
       end
     end
 
     context "PUT 'next'" do
-      let!(:order) { create(:order) }
+      let!(:order) { create(:order_with_line_items) }
+      it "cannot transition to address without a line item" do
+        order.line_items.delete_all
+        order.update_column(:email, "spree@example.com")
+        api_put :next, :id => order.to_param, :order_token => order.token
+        response.status.should == 422
+        json_response["errors"]["base"].should include(Spree.t(:there_are_no_items_for_this_order))
+      end
+
       it "can transition an order to the next state" do
         order.update_column(:email, "spree@example.com")
 
-        api_put :next, :id => order.to_param
+        api_put :next, :id => order.to_param, :order_token => order.token
         response.status.should == 200
         json_response['state'].should == 'address'
       end
@@ -168,17 +223,15 @@ module Spree
       it "cannot transition if order email is blank" do
         order.update_column(:email, nil)
 
-        api_put :next, :id => order.to_param
+        api_put :next, :id => order.to_param, :order_token => order.token
         response.status.should == 422
         json_response['error'].should =~ /could not be transitioned/
       end
 
-      it "can apply a coupon code to an order" do
+      it "returns a sensible error when no payment method is specified" do
         order.update_column(:state, "payment")
-        Spree::Promo::CouponApplicator.should_receive(:new).with(order).and_call_original
-        coupon_result = { :coupon_applied? => true }
-        Spree::Promo::CouponApplicator.any_instance.should_receive(:apply).and_return(coupon_result)
-        api_put :update, :id => order.to_param, :order => { :coupon_code => "foobar" }
+        api_put :next, :id => order.to_param, :order_token => order.token, :order => {}
+        json_response["errors"]["base"].should include(Spree.t(:no_pending_payments))
       end
     end
   end

data/spec/controllers/spree/api/line_items_controller_spec.rb

@@ -65,7 +65,7 @@ module Spree
         line_item = order.line_items.first
         api_delete :destroy, :id => line_item.id
         assert_unauthorized!
-        lambda { line_item.reload }.should_not raise_error(ActiveRecord::RecordNotFound)
+        lambda { line_item.reload }.should_not raise_error
       end
     end
 

data/spec/controllers/spree/api/option_types_controller_spec.rb

@@ -69,7 +69,7 @@ module Spree
     it "cannot delete an option type" do
       api_delete :destroy, :id => option_type.id
       assert_unauthorized!
-      lambda { option_type.reload }.should_not raise_error(ActiveRecord::RecordNotFound)
+      lambda { option_type.reload }.should_not raise_error
     end
 
     context "as an admin" do

data/spec/controllers/spree/api/option_values_controller_spec.rb

@@ -80,7 +80,7 @@ module Spree
       it "cannot delete an option value" do
         api_delete :destroy, :id => option_type.id
         assert_unauthorized!
-        lambda { option_type.reload }.should_not raise_error(ActiveRecord::RecordNotFound)
+        lambda { option_type.reload }.should_not raise_error
       end
 
       context "as an admin" do

data/spec/controllers/spree/api/orders_controller_spec.rb

@@ -9,7 +9,7 @@ module Spree
                         :state, :adjustment_total,
                         :user_id, :created_at, :updated_at,
                         :completed_at, :payment_total, :shipment_state,
-                        :payment_state, :email, :special_instructions] }
+                        :payment_state, :email, :special_instructions, :token] }
 
 
     before do
@@ -55,30 +55,88 @@ module Spree
       assert_unauthorized!
     end
 
-    it "can create an order" do
-      variant = create(:variant)
-      api_post :create, :order => { :line_items => { "0" => { :variant_id => variant.to_param, :quantity => 5 } } }
-      response.status.should == 201
-      order = Order.last
-      order.line_items.count.should == 1
-      order.line_items.first.variant.should == variant
-      order.line_items.first.quantity.should == 5
-      json_response["state"].should == "cart"
+    context "create order" do
+      let(:current_api_user) do
+        user = Spree.user_class.new(:email => "spree@example.com")
+        user.generate_spree_api_key!
+        user
+      end
+
+      it "can create an order" do
+        variant = create(:variant)
+        api_post :create, :order => { :line_items => { "0" => { :variant_id => variant.to_param, :quantity => 5 } } }
+        response.status.should == 201
+        order = Order.last
+        order.line_items.count.should == 1
+        order.line_items.first.variant.should == variant
+        order.line_items.first.quantity.should == 5
+        json_response["state"].should == "cart"
+        order.user.should == current_api_user
+        order.email == current_api_user.email
+        json_response["user_id"].should == current_api_user.id
+      end
+
+      # Regression test for #3404
+      it "can specify additional parameters for a line item" do
+        variant = create(:variant)
+        Order.should_receive(:create).and_return(order = Spree::Order.new)
+        order.stub(:associate_user!)
+        order.stub_chain(:contents, :add).and_return(line_item = double('LineItem'))
+        line_item.should_receive(:update_attributes).with("special" => true)
+        api_post :create, :order => { 
+          :line_items => {
+            "0" => {
+              :variant_id => variant.to_param, :quantity => 5, :special => true
+            }
+          }
+        }
+        response.status.should == 201
+      end
+
+      # Regression test for #3404
+      it "does not update line item needlessly" do
+        variant = create(:variant)
+        Order.should_receive(:create).and_return(order = Spree::Order.new)
+        order.stub(:associate_user!)
+        order.stub_chain(:contents, :add).and_return(line_item = double('LineItem'))
+        line_item.should_not_receive(:update_attributes)
+        api_post :create, :order => { 
+          :line_items => {
+            "0" => {
+              :variant_id => variant.to_param, :quantity => 5
+            }
+          }
+        }
+      end
     end
 
     it "can create an order without any parameters" do
-      lambda { api_post :create }.should_not raise_error(NoMethodError)
+      lambda { api_post :create }.should_not raise_error
       response.status.should == 201
       order = Order.last
       json_response["state"].should == "cart"
     end
 
     context "working with an order" do
+
+      let(:variant) { create(:variant) }
+      let!(:line_item) { order.contents.add(variant, 1) }
+      let!(:payment_method) { create(:payment_method) }
+
+      let(:address_params) { { :country_id => Country.first.id, :state_id => State.first.id } }
+      let(:billing_address) { { :firstname => "Tiago", :lastname => "Motta", :address1 => "Av Paulista",
+                                :city => "Sao Paulo", :zipcode => "1234567", :phone => "12345678",
+                                :country_id => Country.first.id, :state_id => State.first.id} }
+      let(:shipping_address) { { :firstname => "Tiago", :lastname => "Motta", :address1 => "Av Paulista",
+                                 :city => "Sao Paulo", :zipcode => "1234567", :phone => "12345678",
+                                 :country_id => Country.first.id, :state_id => State.first.id} }
+
       before do
         Order.any_instance.stub :user => current_api_user
-        create(:payment_method)
         order.next # Switch from cart to address
-        order.ship_address.should be_nil
+        order.bill_address = nil
+        order.ship_address = nil
+        order.save
         order.state.should == "address"
       end
 
@@ -102,18 +160,18 @@ module Spree
 
         response.status.should == 200
         json_response['item_total'].to_f.should_not == order.item_total.to_f
+        json_response['line_items'].count.should == 2
+        json_response['line_items'].first['quantity'].should == 1
+        json_response['line_items'].last['quantity'].should == 2
       end
 
       it "can add billing address" do
-        order.bill_address.should be_nil
-
         api_put :update, :id => order.to_param, :order => { :bill_address_attributes => billing_address }
 
         order.reload.bill_address.should_not be_nil
       end
 
       it "receives error message if trying to add billing address with errors" do
-        order.bill_address.should be_nil
         billing_address[:firstname] = ""
 
         api_put :update, :id => order.to_param, :order => { :bill_address_attributes => billing_address }

data/spec/controllers/spree/api/payments_controller_spec.rb

@@ -102,7 +102,7 @@ module Spree
         end
 
         it "returns a 422 status when authorization fails" do
-          fake_response = stub(:success? => false, :to_s => "Could not authorize card")
+          fake_response = double(:success? => false, :to_s => "Could not authorize card")
           Spree::Gateway::Bogus.any_instance.should_receive(:authorize).and_return(fake_response)
           api_put :authorize, :id => payment.to_param
           response.status.should == 422
@@ -119,7 +119,7 @@ module Spree
         end
 
         it "returns a 422 status when purchasing fails" do
-          fake_response = stub(:success? => false, :to_s => "Insufficient funds")
+          fake_response = double(:success? => false, :to_s => "Insufficient funds")
           Spree::Gateway::Bogus.any_instance.should_receive(:capture).and_return(fake_response)
           api_put :capture, :id => payment.to_param
           response.status.should == 422
@@ -137,7 +137,7 @@ module Spree
         end
 
         it "returns a 422 status when purchasing fails" do
-          fake_response = stub(:success? => false, :to_s => "Insufficient funds")
+          fake_response = double(:success? => false, :to_s => "Insufficient funds")
           Spree::Gateway::Bogus.any_instance.should_receive(:purchase).and_return(fake_response)
           api_put :purchase, :id => payment.to_param
           response.status.should == 422
@@ -155,7 +155,7 @@ module Spree
         end
 
         it "returns a 422 status when voiding fails" do
-          fake_response = stub(:success? => false, :to_s => "NO REFUNDS")
+          fake_response = double(:success? => false, :to_s => "NO REFUNDS")
           Spree::Gateway::Bogus.any_instance.should_receive(:void).and_return(fake_response)
           api_put :void, :id => payment.to_param
           response.status.should == 422
@@ -182,7 +182,7 @@ module Spree
           end
 
           it "returns a 422 status when crediting fails" do
-            fake_response = stub(:success? => false, :to_s => "NO CREDIT FOR YOU")
+            fake_response = double(:success? => false, :to_s => "NO CREDIT FOR YOU")
             Spree::Gateway::Bogus.any_instance.should_receive(:credit).and_return(fake_response)
             api_put :credit, :id => payment.to_param
             response.status.should == 422

data/spec/controllers/spree/api/products_controller_spec.rb

@@ -7,7 +7,7 @@ module Spree
 
     let!(:product) { create(:product) }
     let!(:inactive_product) { create(:product, :available_on => Time.now.tomorrow, :name => "inactive") }
-    let(:attributes) { [:id, :name, :description, :price, :available_on, :permalink, :meta_description, :meta_keywords, :taxon_ids] }
+    let(:attributes) { [:id, :name, :description, :price, :available_on, :permalink, :meta_description, :meta_keywords, :shipping_category_id, :taxon_ids] }
 
     before do
       stub_authentication!
@@ -41,11 +41,9 @@ module Spree
       end
 
       context "pagination" do
-        default_per_page(1)
-
         it "can select the next page of products" do
           second_product = create(:product)
-          api_get :index, :page => 2
+          api_get :index, :page => 2, :per_page => 1
           json_response["products"].first.should have_attributes(attributes)
           json_response["total_count"].should == 2
           json_response["current_page"].should == 2
@@ -136,6 +134,7 @@ module Spree
         required_attributes = json_response["required_attributes"]
         required_attributes.should include("name")
         required_attributes.should include("price")
+        required_attributes.should include("shipping_category_id")
       end
 
       it_behaves_like "modifying product actions are restricted"
@@ -171,7 +170,8 @@ module Spree
 
       it "can create a new product" do
         api_post :create, :product => { :name => "The Other Product",
-                                        :price => 19.99 }
+                                        :price => 19.99,
+                                        :shipping_category_id => create(:shipping_category).id }
         json_response.should have_attributes(attributes)
         response.status.should == 201
       end
@@ -188,7 +188,8 @@ module Spree
 
         it "can still create a product" do
           api_post :create, :product => { :name => "The Other Product",
-                                          :price => 19.99 },
+                                          :price => 19.99,
+                                          :shipping_category_id => create(:shipping_category).id },
                             :token => "fake"
           json_response.should have_attributes(attributes)
           response.status.should == 201
@@ -201,7 +202,7 @@ module Spree
         json_response["error"].should == "Invalid resource. Please fix errors and try again."
         errors = json_response["errors"]
         errors.delete("permalink") # Don't care about this one.
-        errors.keys.should =~ ["name", "price"]
+        errors.keys.should =~ ["name", "price", "shipping_category_id"]
       end
 
       it "can update a product" do

data/spec/controllers/spree/api/return_authorizations_controller_spec.rb

@@ -44,6 +44,21 @@ module Spree
         assert_unauthorized!
       end
 
+      it "cannot add a variant to a return authorization" do
+        api_put :add
+        assert_unauthorized!
+      end
+
+      it "cannot mark a return authorization as received" do
+        api_put :receive
+        assert_unauthorized!
+      end
+
+      it "cannot cancel a return authorization" do
+        api_put :cancel
+        assert_unauthorized!
+      end
+
       it "cannot delete a return authorization" do
         api_delete :destroy
         assert_unauthorized!
@@ -105,6 +120,53 @@ module Spree
         json_response.should have_attributes(attributes)
       end
 
+      it "can add an inventory unit to a return authorization on the order" do
+        FactoryGirl.create(:return_authorization, :order => order)
+        return_authorization = order.return_authorizations.first
+        inventory_unit = return_authorization.returnable_inventory.first
+        inventory_unit.should be
+        return_authorization.inventory_units.should be_empty
+        api_put :add, :id => return_authorization.id, variant_id: inventory_unit.variant.id, quantity: 1
+        response.status.should == 200
+        json_response.should have_attributes(attributes)
+        return_authorization.reload.inventory_units.should_not be_empty
+      end
+
+      it "can mark a return authorization as received on the order with an inventory unit" do
+        FactoryGirl.create(:new_return_authorization, :order => order)
+        return_authorization = order.return_authorizations.first
+        return_authorization.state.should == "authorized"
+
+        # prep (use a rspec context or a factory instead?)
+        inventory_unit = return_authorization.returnable_inventory.first
+        inventory_unit.should be
+        return_authorization.inventory_units.should be_empty
+        api_put :add, :id => return_authorization.id, variant_id: inventory_unit.variant.id, quantity: 1
+        # end prep
+
+        api_delete :receive, :id => return_authorization.id
+        response.status.should == 200
+        return_authorization.reload.state.should == "received"
+      end
+
+      it "cannot mark a return authorization as received on the order with no inventory units" do
+        FactoryGirl.create(:new_return_authorization, :order => order)
+        return_authorization = order.return_authorizations.first
+        return_authorization.state.should == "authorized"
+        api_delete :receive, :id => return_authorization.id
+        response.status.should == 422
+        return_authorization.reload.state.should == "authorized"
+      end
+
+      it "can cancel a return authorization on the order" do
+        FactoryGirl.create(:new_return_authorization, :order => order)
+        return_authorization = order.return_authorizations.first
+        return_authorization.state.should == "authorized"
+        api_delete :cancel, :id => return_authorization.id
+        response.status.should == 200
+        return_authorization.reload.state.should == "canceled"
+      end
+
       it "can delete a return authorization on the order" do
         FactoryGirl.create(:return_authorization, :order => order)
         return_authorization = order.return_authorizations.first
@@ -140,7 +202,7 @@ module Spree
         return_authorization = order.return_authorizations.first
         api_delete :destroy, :id => return_authorization.id
         assert_unauthorized!
-        lambda { return_authorization.reload }.should_not raise_error(ActiveRecord::RecordNotFound)
+        lambda { return_authorization.reload }.should_not raise_error
       end
     end
   end

data/spec/controllers/spree/api/states_controller_spec.rb

@@ -19,7 +19,7 @@ module Spree
 
     context "pagination" do
       before do
-        State.should_receive(:scoped).and_return(@scope = stub)
+        State.should_receive(:scoped).and_return(@scope = double)
         @scope.stub_chain(:ransack, :result, :includes, :order).and_return(@scope)
       end
 

data/spec/controllers/spree/api/variants_controller_spec.rb

@@ -77,11 +77,9 @@ module Spree
     end
 
     context "pagination" do
-      default_per_page(1)
-
       it "can select the next page of variants" do
         second_variant = create(:variant)
-        api_get :index, :page => 2
+        api_get :index, :page => 2, :per_page => 1
         json_response["variants"].first.should have_attributes(attributes)
         json_response["total_count"].should == 3
         json_response["current_page"].should == 2
@@ -167,7 +165,7 @@ module Spree
       it "can delete a variant" do
         api_delete :destroy, :id => variant.to_param
         response.status.should == 204
-        lambda { variant.reload }.should raise_error(ActiveRecord::RecordNotFound)
+        lambda { Spree::Variant.find(variant.id) }.should raise_error(ActiveRecord::RecordNotFound)
       end
     end
 

data/spec/spec_helper.rb

@@ -16,6 +16,8 @@ ENV["RAILS_ENV"] ||= 'test'
 require File.expand_path("../dummy/config/environment", __FILE__)
 require 'rspec/rails'
 require 'rspec/autorun'
+require 'database_cleaner'
+require 'ffaker'
 
 # Requires supporting ruby files with custom matchers and macros, etc,
 # in spec/support/ and its subdirectories.
@@ -28,7 +30,7 @@ require 'spree/api/testing_support/helpers'
 require 'spree/api/testing_support/setup'
 
 RSpec.configure do |config|
-  config.backtrace_clean_patterns = [/gems\/activesupport/, /gems\/actionpack/, /gems\/rspec/]
+  config.backtrace_exclusion_patterns = [/gems\/activesupport/, /gems\/actionpack/, /gems\/rspec/]
   config.color = true
 
   config.include FactoryGirl::Syntax::Methods
@@ -36,9 +38,28 @@ RSpec.configure do |config|
   config.extend Spree::Api::TestingSupport::Setup, :type => :controller
   config.include Spree::TestingSupport::Preferences, :type => :controller
 
+  config.fail_fast = ENV['FAIL_FAST'] || false
+
   config.before do
     Spree::Api::Config[:requires_authentication] = true
   end
 
-  config.fail_fast = ENV['FAIL_FAST'] || false
+  # Using truncation to prevent Ruby 1.9.3 specific error:
+  # SQLite3::SQLException: cannot start a transaction within a transaction: begin transaction
+  # http://stackoverflow.com/questions/12220901/sqlite3sqlexception-when-using-database-cleaner-with-rails-spork-rspec
+  unless RUBY_VERSION >= '2.0.0'
+    # If you're not using ActiveRecord, or you'd prefer not to run each of your
+    # examples within a transaction, comment the following line or assign false
+    # instead of true.
+    config.use_transactional_fixtures = false
+
+    config.before do
+      DatabaseCleaner.strategy = :truncation
+      DatabaseCleaner.start
+    end
+
+    config.after do
+      DatabaseCleaner.clean
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_api
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.0.4
 platform: ruby
 authors:
 - Ryan Bigg
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-06-13 00:00:00.000000000 Z
+date: 2013-08-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: spree_core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.4
 - !ruby/object:Gem::Dependency
   name: rabl
   requirement: !ruby/object:Gem::Requirement