spree_api 2.0.5 → 2.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0c5fb9fd878e6c935137a8f09d6b4cffa35f78db
-  data.tar.gz: aef11d5c34c3cfa8f55c78fa0f987e493220618c
+  metadata.gz: 9cb2106c19046c8db51461b87b224d461e21fec1
+  data.tar.gz: e6acefe01a95c4b55e83b2ea0d651d7c205cf30f
 SHA512:
-  metadata.gz: 4ccb7dc808ccfe6a0badbcca88f2fee1c7f40bff832051b851384be324fbe1c9d97c128b9447d18c6d836a1f77b921fa8dab75c19be1ad73a48c68ea6f2e3652
-  data.tar.gz: 560ebb4f8b5019b23c3686e8f92131b5ec4a692923e6173e0c93b6740568527b2466b039787c84503c07908caf008a9aee2971cb7434514cb87df920eaed3e37
+  metadata.gz: f93f7762a47e706f13da9958f4d3993c9a69662cace7a8f68e3b47ee066e3df5a054309265d9a11bd59db7a5bb0c6df1cce8c3e5562617921317cc618b616578
+  data.tar.gz: 5da0e8c9a2b8960985e22049190a677d7415bbedf3e03d29b47a66a68c7707152df13a5336fa2433628d10337078f6a647893ec19c28f260defa7c10387710ef

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## Spree 2.0.6 ##
+
+* Normal users can no longer read stock item, stock location or stock movements API endpoints.
+
+  *Ryan Bigg*
+  
 ## Spree 2.0.x ##
 
 * PUT requests to Checkouts API endpoints now require authorization to alter an order.

data/app/controllers/spree/api/countries_controller.rb

@@ -1,6 +1,8 @@
 module Spree
   module Api
     class CountriesController < Spree::Api::BaseController
+      skip_before_filter :check_for_user_or_api_key
+      skip_before_filter :authenticate_user
 
       def index
         @countries = Country.ransack(params[:q]).result.

data/app/controllers/spree/api/orders_controller.rb

@@ -17,6 +17,7 @@ module Spree
       end
 
       def create
+        nested_params[:line_items_attributes] = sanitize_line_items(nested_params[:line_items_attributes])
         @order = Order.build_from_api(current_api_user, nested_params)
         respond_with(order, :default_template => :show, :status => 201)
       end
@@ -26,7 +27,7 @@ module Spree
         # Parsing line items through as an update_attributes call in the API will result in
         # many line items for the same variant_id being created. We must be smarter about this,
         # hence the use of the update_line_items method, defined within order_decorator.rb.
-        line_items_params = params[:order].delete("line_items")
+        line_items_params = sanitize_line_items(nested_params.delete("line_items_attributes"))
         if order.update_attributes(nested_params)
           order.update_line_items(line_items_params)
           order.line_items.reload
@@ -51,7 +52,20 @@ module Spree
       private
 
       def nested_params
-        map_nested_attributes_keys Order, params[:order] || {}
+        @nested_params ||= map_nested_attributes_keys(Order, params[:order] || {})
+      end
+
+      def sanitize_line_items(line_item_attributes)
+        return {} if line_item_attributes.blank?
+        line_item_attributes = line_item_attributes.map do |id, attributes|
+          # Faux Strong-Parameters code to strip price if user isn't an admin
+          if current_api_user.has_spree_role?("admin")
+            [id, attributes.slice(*Spree::LineItem.attr_accessible[:api])]
+          else
+            [id, attributes.slice(*Spree::LineItem.attr_accessible[:default])]
+          end
+        end
+        line_item_attributes = Hash[line_item_attributes].delete_if { |k,v| v.empty? }
       end
 
       def order

data/app/controllers/spree/api/payments_controller.rb

@@ -4,7 +4,7 @@ module Spree
       respond_to :json
 
       before_filter :find_order
-      before_filter :find_payment, :only => [:show, :authorize, :purchase, :capture, :void, :credit]
+      before_filter :find_payment, only: [:update, :show, :authorize, :purchase, :capture, :void, :credit]
 
       def index
         @payments = @order.payments.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
@@ -25,6 +25,17 @@ module Spree
         end
       end
 
+      def update
+        authorize! params[:action], @payment
+        if !@payment.pending?
+          render 'update_forbidden', status: 403
+        elsif @payment.update_attributes(params[:payment])
+          respond_with(@payment, default_template: :show)
+        else
+          invalid_resource!(@payment)
+        end
+      end
+
       def show
         respond_with(@payment)
       end
@@ -47,7 +58,7 @@ module Spree
 
       def credit
         if params[:amount].to_f > @payment.credit_allowed
-          render "spree/api/payments/credit_over_limit", :status => 422
+          render 'credit_over_limit', status: 422
         else
           perform_payment_action(:credit, params[:amount])
         end

data/app/controllers/spree/api/states_controller.rb

@@ -1,6 +1,8 @@
 module Spree
   module Api
     class StatesController < Spree::Api::BaseController
+      skip_before_filter :check_for_user_or_api_key
+      skip_before_filter :authenticate_user
 
       def index
         @states = scope.ransack(params[:q]).result.

data/app/controllers/spree/api/stock_items_controller.rb

@@ -4,11 +4,13 @@ module Spree
       before_filter :stock_location, except: [:update, :destroy]
 
       def index
+        authorize! :read, StockItem
         @stock_items = scope.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_items)
       end
 
       def show
+        authorize! :read, StockItem
         @stock_item = scope.find(params[:id])
         respond_with(@stock_item)
       end
@@ -66,7 +68,8 @@ module Spree
       end
 
       def scope
-        @stock_location.stock_items.includes(:variant => :product)
+        includes = {:variant => [{ :option_values => :option_type }, :product] }
+        @stock_location.stock_items.includes(includes)
       end
     end
   end

data/app/controllers/spree/api/stock_locations_controller.rb

@@ -2,11 +2,13 @@ module Spree
   module Api
     class StockLocationsController < Spree::Api::BaseController
       def index
-        @stock_locations = StockLocation.order('name ASC').ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+        authorize! :read, StockLocation
+        @stock_locations = StockLocation.accessible_by(current_ability, :read).order('name ASC').ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_locations)
       end
 
       def show
+        authorize! :read, StockLocation
         respond_with(stock_location)
       end
 

data/app/controllers/spree/api/stock_movements_controller.rb

@@ -4,11 +4,13 @@ module Spree
       before_filter :stock_location, except: [:update, :destroy]
 
       def index
+        authorize! :read, StockMovement
         @stock_movements = scope.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_movements)
       end
 
       def show
+        authorize! :read, StockMovement
         @stock_movement = scope.find(params[:id])
         respond_with(@stock_movement)
       end

data/app/helpers/spree/api/api_helpers.rb

@@ -28,7 +28,7 @@ module Spree
       end
 
       def option_value_attributes
-        [:id, :name, :presentation, :option_type_name, :option_type_id]
+        [:id, :name, :presentation, :option_type_name, :option_type_id, :option_type_presentation]
       end
 
       def order_attributes
@@ -44,7 +44,7 @@ module Spree
       end
 
       def payment_attributes
-        [:id, :source_type, :source_id, :amount, :payment_method_id, :response_code, :state, :avs_response, :created_at, :updated_at]
+        [:id, :source_type, :source_id, :amount, :display_amount, :payment_method_id, :response_code, :state, :avs_response, :created_at, :updated_at]
       end
 
       def payment_method_attributes
@@ -113,4 +113,3 @@ module Spree
     end
   end
 end
-

data/app/models/spree/line_item_decorator.rb

@@ -1,3 +1,3 @@
 Spree::LineItem.class_eval do
-  attr_accessible :quantity, :variant_id, :as => :api
+  attr_accessible :quantity, :variant_id, :price, :as => :api
 end

data/app/models/spree/option_value_decorator.rb

@@ -2,4 +2,8 @@ Spree::OptionValue.class_eval do
   def option_type_name
     option_type.name
   end
+
+  def option_type_presentation
+    option_type.presentation
+  end
 end

data/app/models/spree/order_decorator.rb

@@ -1,28 +1,34 @@
 Spree::Order.class_eval do
   def self.build_from_api(user, params)
-    completed_at = params.delete(:completed_at)
-    line_items = params.delete(:line_items_attributes) || {}
-    shipments = params.delete(:shipments_attributes) || []
-    payments = params.delete(:payments_attributes) || []
-    adjustments = params.delete(:adjustments_attributes) || []
+    begin
+      ensure_country_id_from_api params[:ship_address_attributes]
+      ensure_state_id_from_api params[:ship_address_attributes]
+      ensure_country_id_from_api params[:bill_address_attributes]
+      ensure_state_id_from_api params[:bill_address_attributes]
 
-    ensure_country_id_from_api params[:ship_address_attributes]
-    ensure_state_id_from_api params[:ship_address_attributes]
+      order = create!
+      order.associate_user!(user)
 
-    ensure_country_id_from_api params[:bill_address_attributes]
-    ensure_state_id_from_api params[:bill_address_attributes]
+      order.create_shipments_from_api params.delete(:shipments_attributes) || []
+      order.create_line_items_from_api params.delete(:line_items_attributes) || {}
+      order.create_adjustments_from_api params.delete(:adjustments_attributes) || []
+      order.create_payments_from_api params.delete(:payments_attributes) || []
+      order.complete_from_api params.delete(:completed_at)
 
-    order = create!(params)
-    order.associate_user!(user)
+      destroy_automatic_taxes_on_import(order, params)
+      order.update_attributes!(params)
 
-    order.create_shipments_from_api(shipments)
-    order.create_line_items_from_api(line_items)
-    order.create_adjustments_from_api(adjustments)
-    order.create_payments_from_api(payments)
-    order.complete_from_api(completed_at)
+      order.reload
+    rescue Exception => e
+      order.destroy if order && order.persisted?
+      raise e.message
+    end
+  end
 
-    order.save!
-    order.reload
+  def self.destroy_automatic_taxes_on_import(order, params)
+    if params.delete :import
+      order.adjustments.tax.destroy_all
+    end
   end
 
   def complete_from_api(completed_at)
@@ -37,6 +43,7 @@ Spree::Order.class_eval do
       begin
         shipment = shipments.build
         shipment.tracking = s[:tracking]
+        shipment.stock_location = Spree::StockLocation.find_by_name!(s[:stock_location])
 
         inventory_units = s[:inventory_units] || []
         inventory_units.each do |iu|
@@ -80,7 +87,7 @@ Spree::Order.class_eval do
 
         extra_params = line_item.except(:variant_id, :quantity)
         line_item = self.contents.add(Spree::Variant.find(line_item[:variant_id]), line_item[:quantity])
-        line_item.update_attributes(extra_params) unless extra_params.empty?
+        line_item.update_attributes(extra_params, as: :api) unless extra_params.empty?
       rescue Exception => e
         raise "#{e.message} #{line_item}"
       end
@@ -155,7 +162,7 @@ Spree::Order.class_eval do
   def update_line_items(line_item_params)
     return if line_item_params.blank?
     line_item_params.each do |id, attributes|
-      self.line_items.find(id).update_attributes!(attributes)
+      self.line_items.find(id).update_attributes!(attributes, :as => :api)
     end
     self.ensure_updated_shipments
   end

data/app/views/spree/api/payments/credit_over_limit.v1.rabl

@@ -1,2 +1,2 @@
 object false
-node(:error) { I18n.t(:credit_over_limit, :limit => @payment.credit_allowed, :scope => 'spree.api') }
+node(:error) { I18n.t(:credit_over_limit, :limit => @payment.credit_allowed, :scope => 'spree.api.payment') }

data/app/views/spree/api/payments/new.v1.rabl

@@ -3,4 +3,3 @@ node(:attributes) { [*payment_attributes] }
 child @payment_methods => :payment_methods do
   attributes *payment_method_attributes
 end
-

data/app/views/spree/api/payments/update_forbidden.v1.rabl

@@ -0,0 +1,2 @@
+object false
+node(:error) { I18n.t(:update_forbidden, :state => @payment.state, :scope => 'spree.api.payment') }

data/config/locales/en.yml

@@ -7,7 +7,6 @@ en:
       invalid_resource: "Invalid resource. Please fix errors and try again."
       resource_not_found: "The resource you were looking for could not be found."
       gateway_error: "There was a problem with the payment gateway: %{text}"
-      credit_over_limit: "This payment can only be credited up to %{limit}. Please specify an amount less than or equal to this number."
       access: "API Access"
       key: "Key"
       clear_key: "Clear key"
@@ -19,6 +18,9 @@ en:
       order:
         could_not_transition: "The order could not be transitioned. Please fix the errors and try again."
         invalid_shipping_method: "Invalid shipping method specified."
+      payment:
+        credit_over_limit: "This payment can only be credited up to %{limit}. Please specify an amount less than or equal to this number."
+        update_forbidden: "This payment cannot be updated because it is %{state}."
       shipment:
         cannot_ready: "Cannot ready shipment."
       stock_location_required: "A stock_location_id parameter must be provided in order to retrieve stock movements."

data/spec/controllers/spree/api/orders_controller_spec.rb

@@ -76,37 +76,23 @@ module Spree
         json_response["user_id"].should == current_api_user.id
       end
 
-      # Regression test for #3404
-      it "can specify additional parameters for a line item" do
+      it "cannot create an order with an abitrary price for the line item" do
         variant = create(:variant)
-        Order.should_receive(:create!).and_return(order = Spree::Order.new)
-        order.stub(:associate_user!)
-        order.stub_chain(:contents, :add).and_return(line_item = double('LineItem'))
-        line_item.should_receive(:update_attributes).with("special" => true)
-        api_post :create, :order => { 
+        api_post :create, :order => {
           :line_items => {
             "0" => {
-              :variant_id => variant.to_param, :quantity => 5, :special => true
+              :variant_id => variant.to_param,
+              :quantity => 5,
+              :price => 0.44
             }
           }
         }
         response.status.should == 201
-      end
-
-      # Regression test for #3404
-      it "does not update line item needlessly" do
-        variant = create(:variant)
-        Order.should_receive(:create!).and_return(order = Spree::Order.new)
-        order.stub(:associate_user!)
-        order.stub_chain(:contents, :add).and_return(line_item = double('LineItem'))
-        line_item.should_not_receive(:update_attributes)
-        api_post :create, :order => { 
-          :line_items => {
-            "0" => {
-              :variant_id => variant.to_param, :quantity => 5
-            }
-          }
-        }
+        order = Order.last
+        order.line_items.count.should == 1
+        order.line_items.first.variant.should == variant
+        order.line_items.first.quantity.should == 5
+        order.line_items.first.price.should == order.line_items.first.variant.price
       end
     end
 
@@ -155,17 +141,6 @@ module Spree
                                  :country_id => Country.first.id, :state_id => State.first.id} }
       let!(:payment_method) { create(:payment_method) }
 
-      it "can add line items" do
-        api_put :update, :id => order.to_param, :order => {
-          :line_items_attributes => [{:variant_id => create(:variant).id, :quantity => 2}] }
-
-        response.status.should == 200
-        json_response['item_total'].to_f.should_not == order.item_total.to_f
-        json_response['line_items'].count.should == 2
-        json_response['line_items'].first['quantity'].should == 1
-        json_response['line_items'].last['quantity'].should == 2
-      end
-
       it "updates quantities of existing line items" do
         api_put :update, :id => order.to_param, :order => {
           :line_items => {
@@ -178,6 +153,18 @@ module Spree
         json_response['line_items'].first['quantity'].should == 10
       end
 
+      it "cannot set a price for a line item" do
+        variant = create(:variant)
+        api_put :update, :id => order.to_param, :order => {
+          :line_items_attributes => { order.line_items.first.id =>
+            { :variant_id => variant.id, :quantity => 2, :price => 0.44}
+          }
+        }
+        response.status.should == 200
+        json_response['line_items'].count.should == 1
+        expect(json_response['line_items'].first['price']).to eq(variant.price.to_s)
+      end
+
       it "can add billing address" do
         api_put :update, :id => order.to_param, :order => { :bill_address_attributes => billing_address }
 

data/spec/controllers/spree/api/payments_controller_spec.rb

@@ -5,11 +5,12 @@ module Spree
     render_views
     let!(:order) { create(:order) }
     let!(:payment) { create(:payment, :order => order) }
-    let!(:attributes) { [:id, :source_type, :source_id, :amount,
+    let!(:attributes) { [:id, :source_type, :source_id, :amount, :display_amount,
                          :payment_method_id, :response_code, :state, :avs_response,
                          :created_at, :updated_at] }
 
     let(:resource_scoping) { { :order_id => order.to_param } }
+
     before do
       stub_authentication!
     end
@@ -43,6 +44,11 @@ module Spree
           json_response.should have_attributes(attributes)
         end
 
+        it "cannot update a payment" do
+          api_put :update, :id => payment.to_param, :payment => { :amount => 2.01 }
+          assert_unauthorized!
+        end
+
         it "cannot authorize a payment" do
           api_put :authorize, :id => payment.to_param
           assert_unauthorized!
@@ -93,76 +99,120 @@ module Spree
       end
 
       context "for a given payment" do
+        context "updating" do
+          it "can update" do
+            payment.update_column(:state, 'pending')
+            api_put :update, :id => payment.to_param, :payment => { :amount => 2.01 }
+            response.status.should == 200
+            payment.reload.amount.should == 2.01
+          end
 
-        it "can authorize" do
-          api_put :authorize, :id => payment.to_param
-          response.status.should == 200
-          payment.reload
-          payment.state.should == "pending"
+          context "update fails" do
+            it "returns a 422 status when the amount is invalid" do
+              payment.update_column(:state, 'pending')
+              api_put :update, :id => payment.to_param, :payment => { :amount => 'invalid' }
+              response.status.should == 422
+              json_response["error"].should == "Invalid resource. Please fix errors and try again."
+            end
+
+            it "returns a 403 status when the payment is not pending" do
+              payment.update_column(:state, 'complete')
+              api_put :update, :id => payment.to_param, :payment => { :amount => 2.01 }
+              response.status.should == 403
+              json_response["error"].should == "This payment cannot be updated because it is complete."
+            end
+          end
         end
 
-        it "returns a 422 status when authorization fails" do
-          fake_response = double(:success? => false, :to_s => "Could not authorize card")
-          Spree::Gateway::Bogus.any_instance.should_receive(:authorize).and_return(fake_response)
-          api_put :authorize, :id => payment.to_param
-          response.status.should == 422
-          json_response["error"].should == "There was a problem with the payment gateway: Could not authorize card"
-          payment.reload
-          payment.state.should == "failed"
-        end
+        context "authorizing" do
+          it "can authorize" do
+            api_put :authorize, :id => payment.to_param
+            response.status.should == 200
+            payment.reload.state.should == "pending"
+          end
 
-        it "can capture" do
-          api_put :capture, :id => payment.to_param
-          response.status.should == 200
-          payment.reload
-          payment.state.should == "completed"
+          context "authorization fails" do
+            before do
+              fake_response = double(:success? => false, :to_s => "Could not authorize card")
+              Spree::Gateway::Bogus.any_instance.should_receive(:authorize).and_return(fake_response)
+              api_put :authorize, :id => payment.to_param
+            end
+
+            it "returns a 422 status" do
+              response.status.should == 422
+              json_response["error"].should == "There was a problem with the payment gateway: Could not authorize card"
+            end
+
+            it "does not raise a stack level error" do
+              pending "Investigate why a payment.reload after the request raises 'stack level too deep'"
+              payment.reload.state.should == "failed"
+            end
+          end
         end
 
-        it "returns a 422 status when purchasing fails" do
-          fake_response = double(:success? => false, :to_s => "Insufficient funds")
-          Spree::Gateway::Bogus.any_instance.should_receive(:capture).and_return(fake_response)
-          api_put :capture, :id => payment.to_param
-          response.status.should == 422
-          json_response["error"].should == "There was a problem with the payment gateway: Insufficient funds"
-
-          payment.reload
-          payment.state.should == "failed"
-        end
+        context "capturing" do
+          it "can capture" do
+            api_put :capture, :id => payment.to_param
+            response.status.should == 200
+            payment.reload.state.should == "completed"
+          end
 
-        it "can purchase" do
-          api_put :purchase, :id => payment.to_param
-          response.status.should == 200
-          payment.reload
-          payment.state.should == "completed"
+          context "capturing fails" do
+            before do
+              fake_response = double(:success? => false, :to_s => "Insufficient funds")
+              Spree::Gateway::Bogus.any_instance.should_receive(:capture).and_return(fake_response)
+            end
+
+            it "returns a 422 status" do
+              api_put :capture, :id => payment.to_param
+              response.status.should == 422
+              json_response["error"].should == "There was a problem with the payment gateway: Insufficient funds"
+            end
+          end
         end
 
-        it "returns a 422 status when purchasing fails" do
-          fake_response = double(:success? => false, :to_s => "Insufficient funds")
-          Spree::Gateway::Bogus.any_instance.should_receive(:purchase).and_return(fake_response)
-          api_put :purchase, :id => payment.to_param
-          response.status.should == 422
-          json_response["error"].should == "There was a problem with the payment gateway: Insufficient funds"
+        context "purchasing" do
+          it "can purchase" do
+            api_put :purchase, :id => payment.to_param
+            response.status.should == 200
+            payment.reload.state.should == "completed"
+          end
 
-          payment.reload
-          payment.state.should == "failed"
+          context "purchasing fails" do
+            before do
+              fake_response = double(:success? => false, :to_s => "Insufficient funds")
+              Spree::Gateway::Bogus.any_instance.should_receive(:purchase).and_return(fake_response)
+            end
+
+            it "returns a 422 status" do
+              api_put :purchase, :id => payment.to_param
+              response.status.should == 422
+              json_response["error"].should == "There was a problem with the payment gateway: Insufficient funds"
+            end
+          end
         end
 
-        it "can void" do
-          api_put :void, :id => payment.to_param
-          response.status.should == 200
-          payment.reload
-          payment.state.should == "void"
-        end
+        context "voiding" do
+          it "can void" do
+            api_put :void, :id => payment.to_param
+            response.status.should == 200
+            payment.reload.state.should == "void"
+          end
 
-        it "returns a 422 status when voiding fails" do
-          fake_response = double(:success? => false, :to_s => "NO REFUNDS")
-          Spree::Gateway::Bogus.any_instance.should_receive(:void).and_return(fake_response)
-          api_put :void, :id => payment.to_param
-          response.status.should == 422
-          json_response["error"].should == "There was a problem with the payment gateway: NO REFUNDS"
+          context "voiding fails" do
+            before do
+              fake_response = double(:success? => false, :to_s => "NO REFUNDS")
+              Spree::Gateway::Bogus.any_instance.should_receive(:void).and_return(fake_response)
+            end
 
-          payment.reload
-          payment.state.should == "checkout"
+            it "returns a 422 status" do
+              api_put :void, :id => payment.to_param
+              response.status.should == 422
+              json_response["error"].should == "There was a problem with the payment gateway: NO REFUNDS"
+
+              payment.reload.state.should == "checkout"
+            end
+          end
         end
 
         context "crediting" do
@@ -173,31 +223,30 @@ module Spree
           it "can credit" do
             api_put :credit, :id => payment.to_param
             response.status.should == 200
-            payment.reload
-            payment.state.should == "completed"
+            payment.reload.state.should == "completed"
 
-            # Ensur that a credit payment was created, and it has correct credit amount
+            # Ensure that a credit payment was created, and it has correct credit amount
             credit_payment = Payment.where(:source_type => 'Spree::Payment', :source_id => payment.id).last
             credit_payment.amount.to_f.should == -45.75
           end
 
-          it "returns a 422 status when crediting fails" do
-            fake_response = double(:success? => false, :to_s => "NO CREDIT FOR YOU")
-            Spree::Gateway::Bogus.any_instance.should_receive(:credit).and_return(fake_response)
-            api_put :credit, :id => payment.to_param
-            response.status.should == 422
-            json_response["error"].should == "There was a problem with the payment gateway: NO CREDIT FOR YOU"
-          end
-
-          it "cannot credit over credit_allowed limit" do
-            api_put :credit, :id => payment.to_param, :amount => 1000000
-            response.status.should == 422
-            json_response["error"].should == "This payment can only be credited up to 45.75. Please specify an amount less than or equal to this number."
+          context "crediting fails" do
+            it "returns a 422 status" do
+              fake_response = double(:success? => false, :to_s => "NO CREDIT FOR YOU")
+              Spree::Gateway::Bogus.any_instance.should_receive(:credit).and_return(fake_response)
+              api_put :credit, :id => payment.to_param
+              response.status.should == 422
+              json_response["error"].should == "There was a problem with the payment gateway: NO CREDIT FOR YOU"
+            end
+
+            it "cannot credit over credit_allowed limit" do
+              api_put :credit, :id => payment.to_param, :amount => 1000000
+              response.status.should == 422
+              json_response["error"].should == "This payment can only be credited up to 45.75. Please specify an amount less than or equal to this number."
+            end
           end
         end
       end
-
     end
-
   end
 end

data/spec/controllers/spree/api/stock_items_controller_spec.rb

@@ -13,40 +13,76 @@ module Spree
       stub_authentication!
     end
 
-    it 'gets list of stock items' do
-      api_get :index, stock_location_id: stock_location.to_param
-      json_response['stock_items'].first.should have_attributes(attributes)
-      json_response['stock_items'].first['variant']['sku'].should eq 'ABC'
-    end
+    context "as a normal user" do
+      it "cannot list stock items for a stock location" do
+        api_get :index, stock_location_id: stock_location.to_param
+        response.status.should == 401
+      end
 
-    it 'requires a stock_location_id to be passed as a parameter' do
-      api_get :index
-      json_response['error'].should =~ /stock_location_id parameter must be provided/
-      response.status.should == 422
-    end
+      it "cannot see a stock item" do
+        api_get :show, stock_location_id: stock_location.to_param, id: stock_item.to_param
+        response.status.should == 401
+      end
 
-    it 'can control the page size through a parameter' do
-      api_get :index, stock_location_id: stock_location.to_param, per_page: 1
-      json_response['count'].should == 1
-      json_response['current_page'].should == 1
-    end
+      it "cannot create a stock item" do
+        variant = create(:variant)
+        params = {
+          stock_location_id: stock_location.to_param,
+          stock_item: {
+            variant_id: variant.id,
+            count_on_hand: '20'
+          }
+        }
 
-    it 'can query the results through a paramter' do
-      stock_item.update_column(:count_on_hand, 30)
-      api_get :index, stock_location_id: stock_location.to_param, q: { count_on_hand_eq: '30' }
-      json_response['count'].should == 1
-      json_response['stock_items'].first['count_on_hand'].should eq 30
-    end
+        api_post :create, params
+        response.status.should == 401
+      end
+
+      it "cannot update a stock item" do
+        api_put :update, stock_location_id: stock_location.to_param, stock_item_id: stock_item.to_param
+        response.status.should == 401
+      end
 
-    it 'gets a stock item' do
-      api_get :show, stock_location_id: stock_location.to_param, id: stock_item.to_param
-      json_response.should have_attributes(attributes)
-      json_response['count_on_hand'].should eq stock_item.count_on_hand
+      it "cannot destroy a stock item" do
+        api_delete :destroy, stock_location_id: stock_location.to_param, stock_item_id: stock_item.to_param
+        response.status.should == 401
+      end
     end
 
-    context 'as an admin' do
+    context "as an admin" do
       sign_in_as_admin!
 
+      it 'cannot list of stock items' do
+        api_get :index, stock_location_id: stock_location.to_param
+        json_response['stock_items'].first.should have_attributes(attributes)
+        json_response['stock_items'].first['variant']['sku'].should eq 'ABC'
+      end
+
+      it 'requires a stock_location_id to be passed as a parameter' do
+        api_get :index
+        json_response['error'].should =~ /stock_location_id parameter must be provided/
+        response.status.should == 422
+      end
+
+      it 'can control the page size through a parameter' do
+        api_get :index, stock_location_id: stock_location.to_param, per_page: 1
+        json_response['count'].should == 1
+        json_response['current_page'].should == 1
+      end
+
+      it 'can query the results through a paramter' do
+        stock_item.update_column(:count_on_hand, 30)
+        api_get :index, stock_location_id: stock_location.to_param, q: { count_on_hand_eq: '30' }
+        json_response['count'].should == 1
+        json_response['stock_items'].first['count_on_hand'].should eq 30
+      end
+
+      it 'gets a stock item' do
+        api_get :show, stock_location_id: stock_location.to_param, id: stock_item.to_param
+        json_response.should have_attributes(attributes)
+        json_response['count_on_hand'].should eq stock_item.count_on_hand
+      end
+
       it 'can create a new stock item' do
         variant = create(:variant)
         # Creating a variant also creates stock items.

data/spec/controllers/spree/api/stock_locations_controller_spec.rb

@@ -11,45 +11,72 @@ module Spree
       stub_authentication!
     end
 
-    it "gets list of stock locations" do
-      api_get :index
-      json_response['stock_locations'].first.should have_attributes(attributes)
-    end
+    context "as a user" do
+      it "cannot see stock locations" do
+        api_get :index
+        response.status.should == 401
+      end
 
-    it "includes the country" do
-      api_get :index
-      json_response['stock_locations'].first['country'].should_not be_nil
-    end
+      it "cannot see a single stock location" do
+        api_get :show, :id => stock_location.id
+        response.status.should == 401
+      end
 
-    it "includes the state" do
-      api_get :index
-      json_response['stock_locations'].first['state'].should_not be_nil
-    end
+      it "cannot create a new stock location" do
+        params = {
+          stock_location: {
+            name: "North Pole",
+            active: true
+          }
+        }
 
-    it 'can control the page size through a parameter' do
-      create(:stock_location)
-      api_get :index, per_page: 1
-      json_response['count'].should == 1
-      json_response['current_page'].should == 1
-      json_response['pages'].should == 2
-    end
+        api_post :create, params
+        response.status.should == 401
+      end
 
-    it 'can query the results through a paramter' do
-      expected_result = create(:stock_location, name: 'South America')
-      api_get :index, q: { name_cont: 'south' }
-      json_response['count'].should == 1
-      json_response['stock_locations'].first['name'].should eq expected_result.name
-    end
+      it "cannot update a stock location" do
+        api_put :update, :stock_location => { :name => "South Pole" }, :id => stock_location.to_param
+        response.status.should == 401
+      end
 
-    it "gets a stock location" do
-      api_get :show, id: stock_location.to_param
-      json_response.should have_attributes(attributes)
-      json_response['name'].should eq stock_location.name
+      it "cannot delete a stock location" do
+        api_put :destroy, :id => stock_location.to_param
+        response.status.should == 401
+      end
     end
 
+    
     context "as an admin" do
       sign_in_as_admin!
 
+      it "gets list of stock locations" do
+        api_get :index
+        json_response['stock_locations'].first.should have_attributes(attributes)
+        json_response['stock_locations'].first['country'].should_not be_nil
+        json_response['stock_locations'].first['state'].should_not be_nil
+      end
+
+      it 'can control the page size through a parameter' do
+        create(:stock_location)
+        api_get :index, per_page: 1
+        json_response['count'].should == 1
+        json_response['current_page'].should == 1
+        json_response['pages'].should == 2
+      end
+
+      it 'can query the results through a paramter' do
+        expected_result = create(:stock_location, name: 'South America')
+        api_get :index, q: { name_cont: 'south' }
+        json_response['count'].should == 1
+        json_response['stock_locations'].first['name'].should eq expected_result.name
+      end
+
+      it "gets a stock location" do
+        api_get :show, id: stock_location.to_param
+        json_response.should have_attributes(attributes)
+        json_response['name'].should eq stock_location.name
+      end
+
       it "can create a new stock location" do
         params = {
           stock_location: {

data/spec/controllers/spree/api/stock_movements_controller_spec.rb

@@ -13,41 +13,65 @@ module Spree
       stub_authentication!
     end
 
-    it 'gets list of stock movements' do
-      api_get :index, stock_location_id: stock_location.to_param
-      json_response['stock_movements'].first.should have_attributes(attributes)
-      json_response['stock_movements'].first['stock_item']['count_on_hand'].should eq 11
-    end
-
-    it 'requires a stock_location_id to be passed as a parameter' do
-      api_get :index
-      json_response['error'].should =~ /stock_location_id parameter must be provided/
-      response.status.should == 422
-    end
+    context 'as a user' do
+      it 'cannot see a list of stock movements' do
+        api_get :index, stock_location_id: stock_location.to_param
+        response.status.should == 401
+      end
 
-    it 'can control the page size through a parameter' do
-      create(:stock_movement, stock_item: stock_item)
-      api_get :index, stock_location_id: stock_location.to_param, per_page: 1
-      json_response['count'].should == 1
-      json_response['current_page'].should == 1
-      json_response['pages'].should == 2
-    end
+      it 'cannot see a stock movement' do
+        api_get :show, stock_location_id: stock_location.to_param, id: stock_movement.id
+        response.status.should == 401
+      end
 
-    it 'can query the results through a paramter' do
-      expected_result = create(:stock_movement, :received, quantity: 10, stock_item: stock_item)
-      api_get :index, stock_location_id: stock_location.to_param, q: { quantity_eq: '10' }
-      json_response['count'].should == 1
-    end
+      it 'cannot create a stock movement' do
+        params = {
+          stock_location_id: stock_location.to_param,
+          stock_movement: {
+            stock_item_id: stock_item.to_param
+          }
+        }
 
-    it 'gets a stock movement' do
-      api_get :show, stock_location_id: stock_location.to_param, id: stock_movement.to_param
-      json_response.should have_attributes(attributes)
-      json_response['stock_item_id'].should eq stock_movement.stock_item_id
+        api_post :create, params
+        response.status.should == 401
+      end
     end
 
     context 'as an admin' do
       sign_in_as_admin!
 
+      it 'gets list of stock movements' do
+        api_get :index, stock_location_id: stock_location.to_param
+        json_response['stock_movements'].first.should have_attributes(attributes)
+        json_response['stock_movements'].first['stock_item']['count_on_hand'].should eq 11
+      end
+
+      it 'requires a stock_location_id to be passed as a parameter' do
+        api_get :index
+        json_response['error'].should =~ /stock_location_id parameter must be provided/
+        response.status.should == 422
+      end
+
+      it 'can control the page size through a parameter' do
+        create(:stock_movement, stock_item: stock_item)
+        api_get :index, stock_location_id: stock_location.to_param, per_page: 1
+        json_response['count'].should == 1
+        json_response['current_page'].should == 1
+        json_response['pages'].should == 2
+      end
+
+      it 'can query the results through a paramter' do
+        expected_result = create(:stock_movement, :received, quantity: 10, stock_item: stock_item)
+        api_get :index, stock_location_id: stock_location.to_param, q: { quantity_eq: '10' }
+        json_response['count'].should == 1
+      end
+
+      it 'gets a stock movement' do
+        api_get :show, stock_location_id: stock_location.to_param, id: stock_movement.to_param
+        json_response.should have_attributes(attributes)
+        json_response['stock_item_id'].should eq stock_movement.stock_item_id
+      end
+
       it 'can create a new stock movement' do
         params = {
           stock_location_id: stock_location.to_param,

data/spec/models/spree/order_spec.rb

@@ -2,22 +2,25 @@ require 'spec_helper'
 
 module Spree
   describe Order do
-    let!(:country) { FactoryGirl.create(:country) }
-    let!(:state) { country.states.first || FactoryGirl.create(:state, :country => country) }
-    let!(:stock_location) { FactoryGirl.create(:stock_location) }
+    let!(:country) { create(:country) }
+    let!(:state) { country.states.first || create(:state, :country => country) }
+    let!(:stock_location) { create(:stock_location) }
 
     let(:user) { stub_model(LegacyUser, :email => 'fox@mudler.com') }
     let(:shipping_method) { create(:shipping_method) }
     let(:payment_method) { create(:payment_method) }
+
     let(:product) { product = Spree::Product.create(:name => 'Test',
                                            :sku => 'TEST-1',
                                            :price => 33.22)
-                    product.shipping_category = FactoryGirl.create(:shipping_category)
+                    product.shipping_category = create(:shipping_category)
                     product.save
                     product }
+
     let(:variant) { variant = product.master
                     variant.stock_items.each { |si| si.update_attribute(:count_on_hand, 10) }
                     variant }
+
     let(:sku) { variant.sku }
     let(:variant_id) { variant.id }
 
@@ -49,15 +52,23 @@ module Spree
       order.state.should eq 'complete'
     end
 
-    it 'can build an order from API with just line items' do
-      params = { :line_items_attributes => line_items }
+    context "build order with line items" do
+      let(:attributes) do
+        { :variant_id => variant.id, :quantity => 5, :price => 33.77 }
+      end
 
-      Order.should_receive(:ensure_variant_id_from_api)
-      order = Order.build_from_api(user, params)
-      order.user.should == nil
-      line_item = order.line_items.first
-      line_item.quantity.should == 5
-      line_item.variant_id.should == variant_id
+      it 'can build an order from API with just line items' do
+        params = { :line_items_attributes => { "0" => attributes } }
+        Order.should_receive(:ensure_variant_id_from_api)
+        order = Order.build_from_api(user, params)
+
+        order.user.should == nil
+        line_item = order.line_items.first
+
+        expect(line_item.quantity).to eq attributes[:quantity]
+        expect(line_item.variant_id).to eq attributes[:variant_id]
+        expect(line_item.price).to eq attributes[:price]
+      end
     end
 
     it 'handles line_item building exceptions' do
@@ -164,6 +175,13 @@ module Spree
       end
     end
 
+    it "raises with proper message when cant find country" do
+      address = { :country => { "name" => "NoNoCountry" } }
+      expect {
+        Order.ensure_country_id_from_api(address)
+      }.to raise_error /NoNoCountry/
+    end
+
     it 'ensures_state_id for state fields' do
       [:name, :abbr].each do |field|
         address = { :state => { field => state.send(field) }}
@@ -172,12 +190,20 @@ module Spree
       end
     end
 
+    it "raises with proper message when cant find state" do
+      address = { :state => { "name" => "NoNoState" } }
+      expect {
+        Order.ensure_state_id_from_api(address)
+      }.to raise_error /NoNoState/
+    end
+
     context "shippments" do
       let(:params) do
         { :shipments_attributes => [
             { :tracking => '123456789',
               :cost => '4.99',
               :shipping_method => shipping_method.name,
+              :stock_location => stock_location.name,
               :inventory_units => [{ :sku => sku }]
             }
         ] }
@@ -195,6 +221,14 @@ module Spree
         shipment.inventory_units.first.variant_id.should eq product.master.id
         shipment.tracking.should eq '123456789'
         shipment.shipping_rates.first.cost.should eq 4.99
+        shipment.stock_location.should eq stock_location
+      end
+
+      it "raises if cant find stock location" do
+        params[:shipments_attributes][0][:stock_location] = "doesnt exist"
+        expect {
+          order = Order.build_from_api(user, params)
+        }.to raise_error
       end
     end
 
@@ -244,5 +278,40 @@ module Spree
         order = Order.build_from_api(user, params)
       }.to raise_error /XXX/
     end
+
+    context "raises error" do
+      it "clears out order from db" do
+        params = { :payments_attributes => [{ payment_method: "XXX" }] }
+        count = Order.count
+
+        expect { order = Order.build_from_api(user, params) }.to raise_error
+        expect(Order.count).to eq count
+      end
+    end
+
+    context "import param and tax adjustments" do
+      let!(:tax_rate) { create(:tax_rate, amount: 0.05, calculator: Calculator::DefaultTax.create) }
+      let(:other_variant) { create(:variant) }
+
+      let(:line_item_attributes) do
+        line_items.merge({ "1" => { :variant_id => other_variant.id, :quantity => 5 }})
+      end
+
+      before { Zone.stub default_tax: tax_rate.zone }
+
+      it "doesnt create any tax ajustments when importing order" do
+        params = { import: true, line_items_attributes: line_item_attributes }
+        expect {
+          Order.build_from_api(user, params)
+        }.not_to change { Adjustment.count }
+      end
+
+      it "does create tax adjustments if not importing order" do
+        params = { import: false, line_items_attributes: line_item_attributes }
+        expect {
+          Order.build_from_api(user, params)
+        }.to change { Adjustment.count }
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_api
 version: !ruby/object:Gem::Version
-  version: 2.0.5
+  version: 2.0.6
 platform: ruby
 authors:
 - Ryan Bigg
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-16 00:00:00.000000000 Z
+date: 2013-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: spree_core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.0.5
+        version: 2.0.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.0.5
+        version: 2.0.6
 - !ruby/object:Gem::Dependency
   name: rabl
   requirement: !ruby/object:Gem::Requirement
@@ -131,6 +131,7 @@ files:
 - app/views/spree/api/payments/index.v1.rabl
 - app/views/spree/api/payments/new.v1.rabl
 - app/views/spree/api/payments/show.v1.rabl
+- app/views/spree/api/payments/update_forbidden.v1.rabl
 - app/views/spree/api/product_properties/index.v1.rabl
 - app/views/spree/api/product_properties/new.v1.rabl
 - app/views/spree/api/product_properties/show.v1.rabl