spree_api 2.0.13 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 11ec9a4be38940cdcb37e0da4e53310737055e65
-  data.tar.gz: fc44b0f7133cae83461d2592675ff23ce342a8e2
+  metadata.gz: dfb4c3dcac67a8017157cb9f0bab935ffd2ed231
+  data.tar.gz: 5ea1ffe4ce5e5e26634854678c681e3393fb6452
 SHA512:
-  metadata.gz: bdd6f52a13b1e509580a31f4b2fbc19516b444663f14ea7f3de3928982fe43f72469d4ed439aa05c6ebb09867f881cf684b543085fa26f0917d6d4f6d609028c
-  data.tar.gz: c573fc40381016d1e8c35a5903fafd1655d0c7b7f1162c2e1e17e16c8a1ebf957b93b4f7f043aebf3844a53a2aacbd7f21d73935c2cca715f1733d1a54081098
+  metadata.gz: 9fdf42407d740136db1e10849a1ce905875610b11edfc1d09b87b485512ce8a45614f6cf9d56a2d92ba3683ca89b825532143f1d63b78930a60b43f20d932939
+  data.tar.gz: c3c79a95eb9d04abe381054af8b9d415ee3956ede11355b972cf0d1cfccfd1976be11da23a7dae687f71102f19efe8c087fe7c58f354d56e5ab93a97dc6863ab

data/CHANGELOG.md

@@ -1 +1,99 @@
-## Spree 2.0.10 (unreleased) ##
+## Spree 2.1.0 ##
+
+* The Products API endpoint now returns an additional key called `shipping_category_id`, and also requires `shipping_category_id` on create.
+
+    *Jeff Dutil*
+
+* The Products API endpoint now returns an additional key called `display_price`, which is the proper rendering of the price of a product.
+
+    *Ryan Bigg*
+
+* The Images API's `attachment_url` key has been removed in favour of keys that reflect the current image styles available in the application, such as `mini_url` and `product_url`. Use these now to references images.
+
+    *Ryan Bigg*
+
+* Fix issue where calling OrdersController#update with line item parameters would *always* create new line items, rather than updating existing ones.
+
+    *Ryan Bigg*
+
+* The Orders API endpoint now returns an additional key called `display_item_total`, which is the proper rendering of the total line item price of an order.
+
+    *Ryan Bigg*
+
+* Include a `per_page` key in Products API end response so that libraries like jQuery.simplePagination can use this to display a pagination element on the page.
+
+    *Ryan Bigg*
+
+* Line item responses now contain `single_display_amount` and `display_amount` for "pretty" versions of the single and total amount for a line item, as well as a `total` node which is an "ugly" version of the total amount of a line item.
+
+    *Ryan Bigg*
+
+* /api/orders endpoints now accept a `?order_token` parameter which should be the order's token. This can be used to authorize actions on an order without having to pass in an API key.
+
+    *Ryan Bigg*
+
+* Requests to POST /api/line_items will now update existing line items. For example if you have a line item with a variant ID=2 and quantity=10 and you attempt to create a new line item for the same variant with a quantity of 5, the existing line item's quantity will be updated to 15. Previously, a new line item would erroneously be created.
+
+    *Ryan Bigg*
+
+* /api/countries now will a 304 response if no country has been changed since the last request.
+
+    *Ryan Bigg*
+
+* The Shipments API no longer returns inventory units. Instead, it will return manifest objects. This is necessary due to the split shipments changes brought in by Spree 2.
+
+    *Ryan Bigg*
+
+* Checkouts API's update action will now correctly process line item attributes (either `line_items` or `line_item_attributes`)
+
+    *Ryan Bigg*
+
+* The structure of shipments data in the API has changed. Shipments can now have many shipping methods, shipping rates (which in turn have many zones and shipping categories), as well as a new key called "manifest" which returns the list of items contained within just this shipment for the order.
+
+    *Ryan Bigg*
+
+* Address responses now contain a `full_name` attribute.
+
+    *Ryan Bigg*
+
+* Shipments responses now contain a `selected_shipping_rate` key, so that you don't have to sort through the list of `shipping_rates` to get the selected one.
+
+    *Ryan Bigg*
+
+* Checkouts API now correctly processes incoming payment data during the payment step.
+
+    *Ryan Bigg*
+
+* Fix issue where `set_current_order` before filter would be called when CheckoutsController actions were run, causing the order object to be deleted. #3306
+
+    *Ryan Bigg*
+
+* An order can no longer transition past the "cart" state without first having a line item. #3312
+
+    *Ryan Bigg*
+
+* Attributes other than "quantity" and "variant_id" will be added to a line item when creating along with an order. #3404
+
+    *Alex Marles & Ryan Bigg*
+
+* Requests to POST /api/line_items will now update existing line items. For example if you have a line item with a variant ID=2 and quantity=10 and you attempt to create a new line item for the same variant with a quantity of 5, the existing line item's quantity will be updated to 15. Previously, a new line item would erroneously be created.
+
+    * Ryan Bigg
+
+* Checkouts API's update action will now correctly process line item attributes (either `line_items` or `line_item_attributes`)
+
+    * Ryan Bigg
+
+* Taxon attributes from `/api/taxons` are now returned within `taxons` subkey. Before:
+
+```json
+[{ name: 'Ruby' ... }]
+```
+
+Now:
+
+```json
+{ taxons: [{ name: 'Ruby' }]}
+```
+
+    * Ryan Bigg

data/app/controllers/spree/api/addresses_controller.rb

@@ -13,7 +13,7 @@ module Spree
         authorize! :update, @order, params[:order_token]
         find_address
 
-        if @address.update_attributes(params[:address])
+        if @address.update_attributes(address_params)
           respond_with(@address, :default_template => :show)
         else
           invalid_resource!(@address)
@@ -21,9 +21,12 @@ module Spree
       end
 
       private
+        def address_params
+          params.require(:address).permit(permitted_address_attributes)
+        end
 
         def find_order
-          @order = Spree::Order.find_by_number!(params[:order_id])
+          @order = Spree::Order.find_by!(number: params[:order_id])
         end
 
         def find_address

data/app/controllers/spree/api/base_controller.rb

@@ -3,11 +3,12 @@ require_dependency 'spree/api/controller_setup'
 module Spree
   module Api
     class BaseController < ActionController::Metal
+      include ActionController::StrongParameters
       include Spree::Api::ControllerSetup
       include Spree::Core::ControllerHelpers::SSL
+      include Spree::Core::ControllerHelpers::StrongParameters
       include ::ActionController::Head
-      include ::ActionController::Redirecting
-      include Spree::Core::Engine.routes.url_helpers
+      include ::ActionController::ConditionalGet
 
       self.responder = Spree::Api::Responders::AppResponder
 
@@ -17,7 +18,6 @@ module Spree
 
       before_filter :set_content_type
       before_filter :check_for_user_or_api_key, :if => :requires_authentication?
-      before_filter :authorize_for_order, :if => Proc.new { order_token.present? }
       before_filter :authenticate_user
       after_filter  :set_jsonp_format
 
@@ -31,7 +31,7 @@ module Spree
 
       def set_jsonp_format
         if params[:callback] && request.get?
-          self.response_body = "#{params[:callback]}(#{response.body})"
+          self.response_body = "#{params[:callback]}(#{self.response_body})"
           headers["Content-Type"] = 'application/javascript'
         end
       end
@@ -61,14 +61,14 @@ module Spree
         # User is already authenticated with Spree, make request this way instead.
         return true if @current_api_user = try_spree_current_user || !Spree::Api::Config[:requires_authentication]
 
-        if api_key.blank? && order_token.blank?
+        if api_key.blank?
           render "spree/api/errors/must_specify_api_key", :status => 401 and return
         end
       end
 
       def authenticate_user
         unless @current_api_user
-          if order_token.blank? && (requires_authentication? || api_key.present?)
+          if requires_authentication? || api_key.present?
             unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key.to_s)
               render "spree/api/errors/invalid_api_key", :status => 401 and return
             end
@@ -84,6 +84,9 @@ module Spree
       end
 
       def error_during_processing(exception)
+        Rails.logger.error exception.message
+        Rails.logger.error exception.backtrace.join("\n")
+
         render :text => { :exception => exception.message }.to_json,
           :status => 422 and return
       end
@@ -106,14 +109,10 @@ module Spree
       end
 
       def api_key
-        request.headers["X-Spree-Token"] || params[:token]
+        request.headers.env["X-Spree-Token"] || params[:token]
       end
       helper_method :api_key
 
-      def order_token
-        request.headers["X-Spree-Order-Token"] || params[:order_token]
-      end
-
       def find_product(id)
         begin
           product_scope.find_by_permalink!(id.to_s)
@@ -124,23 +123,17 @@ module Spree
 
       def product_scope
         if current_api_user.has_spree_role?("admin")
-          scope = Product
-          if params[:show_deleted]
-            scope = scope.with_deleted
+          scope = Product.with_deleted.accessible_by(current_ability, :read)
+          unless params[:show_deleted]
+            scope = scope.not_deleted
           end
         else
-          scope = Product.active
+          scope = Product.accessible_by(current_ability, :read).active
         end
 
         scope.includes(:master)
       end
 
-      def authorize_for_order
-        @order = Spree::Order.find_by_number(params[:order_id] || params[:id])
-        unless @order.token == order_token
-          unauthorized
-        end
-      end
     end
   end
 end

data/app/controllers/spree/api/checkouts_controller.rb

@@ -1,6 +1,7 @@
 module Spree
   module Api
     class CheckoutsController < Spree::Api::BaseController
+      before_filter :load_order,     only: [:show, :update, :next, :advance]
       before_filter :associate_user, only: :update
 
       include Spree::Core::ControllerHelpers::Auth
@@ -8,15 +9,13 @@ module Spree
       # This before_filter comes from Spree::Core::ControllerHelpers::Order
       skip_before_filter :set_current_order
 
-      respond_to :json
-
       def create
+        authorize! :create, Order
         @order = Order.build_from_api(current_api_user, nested_params)
         respond_with(@order, default_template: 'spree/api/orders/show', status: 201)
       end
 
       def next
-        load_order(true)
         authorize! :update, @order, params[:order_token]
         @order.next!
         respond_with(@order, default_template: 'spree/api/orders/show', status: 200)
@@ -25,30 +24,27 @@ module Spree
       end
 
       def advance
-        load_order(true)
         authorize! :update, @order, params[:order_token]
         while @order.next; end
         respond_with(@order, default_template: 'spree/api/orders/show', status: 200)
       end
 
       def show
-        redirect_to(api_order_path(params[:id]), status: 301)
+        respond_with(@order, default_template: 'spree/api/orders/show', status: 200)
       end
 
       def update
-        load_order(true)
         authorize! :update, @order, params[:order_token]
         order_params = object_params
-        user_id = order_params.delete(:user_id)
-        line_items = order_params.delete("line_items_attributes")
-        if @order.update_attributes(order_params)
+        line_items = order_params.delete('line_items_attributes')
+        if @order.update_attributes(object_params)
           @order.update_line_items(line_items)
-          if current_api_user.has_spree_role?("admin") && user_id.present?
+          if current_api_user.has_spree_role?('admin') && user_id.present?
             @order.associate_user!(Spree.user_class.find(user_id))
           end
           return if after_update_attributes
           state_callback(:after) if @order.next
-          respond_with(@order, :default_template => 'spree/api/orders/show')
+          respond_with(@order, default_template: 'spree/api/orders/show')
         else
           invalid_resource!(@order)
         end
@@ -60,15 +56,27 @@ module Spree
           # For payment step, filter order parameters to produce the expected nested attributes for a single payment and its source, discarding attributes for payment methods other than the one selected
           # respond_to check is necessary due to issue described in #2910
           object_params = nested_params
-          if @order.has_checkout_step?("payment") && @order.payment?
-            if object_params[:payment_source].present? && source_params = object_params.delete(:payment_source)[object_params[:payments_attributes].first[:payment_method_id].underscore]
+          if @order.has_checkout_step?('payment') && @order.payment?
+            if object_params[:payments_attributes].is_a?(Hash)
+              object_params[:payments_attributes] = [object_params[:payments_attributes]]
+            end
+            if object_params[:payment_source].present? && source_params = object_params.delete(:payment_source)[object_params[:payments_attributes].first[:payment_method_id]]
               object_params[:payments_attributes].first[:source_attributes] = source_params
             end
-            if object_params.present? && object_params[:payments_attributes]
-              object_params[:payments_attributes].first[:amount] = @order.total
+            if object_params[:payments_attributes]
+              object_params[:payments_attributes].first[:amount] = @order.total.to_s
             end
           end
-          object_params
+
+          if params[:order]
+            params.require(:order).permit(permitted_checkout_attributes)
+          else
+            {}
+          end
+        end
+
+        def user_id
+          params[:order][:user_id] if params[:order]
         end
 
         def nested_params
@@ -81,8 +89,8 @@ module Spree
           false
         end
 
-        def load_order(lock = false)
-          @order = Spree::Order.lock(lock).find_by_number!(params[:id])
+        def load_order
+          @order = Spree::Order.find_by!(number: params[:id])
           raise_insufficient_quantity and return if @order.insufficient_stock_lines.present?
           @order.state = params[:state] if params[:state]
           state_callback(:before)
@@ -97,7 +105,7 @@ module Spree
         end
 
         def raise_insufficient_quantity
-          respond_with(@order, :default_template => 'spree/api/orders/insufficient_quantity')
+          respond_with(@order, default_template: 'spree/api/orders/insufficient_quantity')
         end
 
         def state_callback(before_or_after = :before)
@@ -105,20 +113,15 @@ module Spree
           send(method_name) if respond_to?(method_name, true)
         end
 
-        def before_address
-          @order.bill_address ||= Address.default
-          @order.ship_address ||= Address.default
-        end
-
         def before_payment
           @order.payments.destroy_all if request.put?
         end
 
         def next!(options={})
           if @order.valid? && @order.next
-            render 'spree/api/orders/show', :status => options[:status] || 200
+            render 'spree/api/orders/show', status: options[:status] || 200
           else
-            render 'spree/api/orders/could_not_transition', :status => 422
+            render 'spree/api/orders/could_not_transition', status: 422
           end
         end
 
@@ -127,7 +130,7 @@ module Spree
             coupon_result = Spree::Promo::CouponApplicator.new(@order).apply
             if !coupon_result[:coupon_applied?]
               @coupon_message = coupon_result[:error]
-              respond_with(@order, :default_template => 'spree/api/orders/could_not_apply_coupon')
+              respond_with(@order, default_template: 'spree/api/orders/could_not_apply_coupon')
               return true
             end
           end

data/app/controllers/spree/api/config_controller.rb

@@ -0,0 +1,6 @@
+module Spree
+  module Api
+    class ConfigController < Spree::Api::BaseController
+    end
+  end
+end

data/app/controllers/spree/api/countries_controller.rb

@@ -1,19 +1,19 @@
 module Spree
   module Api
     class CountriesController < Spree::Api::BaseController
-      skip_before_filter :check_for_user_or_api_key
-      skip_before_filter :authenticate_user
 
       def index
-        @countries = Country.ransack(params[:q]).result.
-                     includes(:states).order("#{Spree::Country.quoted_table_name}.name ASC").
+        @countries = Country.accessible_by(current_ability, :read).ransack(params[:q]).result.
+                     includes(:states).order('name ASC').
                      page(params[:page]).per(params[:per_page])
-
-        respond_with(@countries)
+        country = Country.order("updated_at ASC").last
+        if stale?(country)
+          respond_with(@countries)
+        end
       end
 
       def show
-        @country = Country.find(params[:id])
+        @country = Country.accessible_by(current_ability, :read).find(params[:id])
         respond_with(@country)
       end
     end

data/app/controllers/spree/api/images_controller.rb

@@ -1,32 +1,34 @@
 module Spree
   module Api
     class ImagesController < Spree::Api::BaseController
-      respond_to :json
 
       def show
-        @image = Image.find(params[:id])
+        @image = Image.accessible_by(current_ability, :read).find(params[:id])
         respond_with(@image)
       end
 
       def create
         authorize! :create, Image
-        @image = Image.create(params[:image])
+        @image = Image.create(image_params)
         respond_with(@image, :status => 201, :default_template => :show)
       end
 
       def update
-        authorize! :update, Image
-        @image = Image.find(params[:id])
-        @image.update_attributes(params[:image])
+        @image = Image.accessible_by(current_ability, :update).find(params[:id])
+        @image.update_attributes(image_params)
         respond_with(@image, :default_template => :show)
       end
 
       def destroy
-        authorize! :delete, Image
-        @image = Image.find(params[:id])
+        @image = Image.accessible_by(current_ability, :destroy).find(params[:id])
         @image.destroy
         respond_with(@image, :status => 204)
       end
+
+      private
+        def image_params
+          params.require(:image).permit(permitted_image_attributes)
+        end
     end
   end
 end

data/app/controllers/spree/api/inventory_units_controller.rb

@@ -8,10 +8,10 @@ module Spree
       end
 
       def update
-        authorize! :update, Order
+        authorize! :update, inventory_unit.order
 
         inventory_unit.transaction do
-          if inventory_unit.update_attributes(params[:inventory_unit])
+          if inventory_unit.update_attributes(inventory_unit_params)
             fire
             render :show, :status => 200
           else
@@ -23,7 +23,7 @@ module Spree
       private
 
       def inventory_unit
-        @inventory_unit ||= InventoryUnit.find(params[:id])
+        @inventory_unit ||= InventoryUnit.accessible_by(current_ability, :read).find(params[:id])
       end
 
       def prepare_event
@@ -42,7 +42,10 @@ module Spree
       def fire
         inventory_unit.send("#{@event}!") if @event
       end
-
+      
+      def inventory_unit_params
+        params.require(:inventory_unit).permit(permitted_inventory_unit_attributes)
+      end
     end
   end
 end

data/app/controllers/spree/api/line_items_controller.rb

@@ -1,42 +1,42 @@
 module Spree
   module Api
     class LineItemsController < Spree::Api::BaseController
-      respond_to :json
 
       def create
-        authorize! :update, order, order_token
-        @line_item = order.line_items.build(params[:line_item], :as => :api)
+        variant = Spree::Variant.find(params[:line_item][:variant_id])
+        @line_item = order.contents.add(variant, params[:line_item][:quantity])
         if @line_item.save
-          @order.ensure_updated_shipments
-          respond_with(@line_item, :status => 201, :default_template => :show)
+          respond_with(@line_item, status: 201, default_template: :show)
         else
           invalid_resource!(@line_item)
         end
       end
 
       def update
-        authorize! :update, order, order_token
         @line_item = order.line_items.find(params[:id])
-        if @line_item.update_attributes(params[:line_item], :as => :api)
-          @order.ensure_updated_shipments
-          respond_with(@line_item, :default_template => :show)
+        if @line_item.update_attributes(line_item_params)
+          respond_with(@line_item, default_template: :show)
         else
           invalid_resource!(@line_item)
         end
       end
 
       def destroy
-        authorize! :update, order, order_token
         @line_item = order.line_items.find(params[:id])
         @line_item.destroy
-        respond_with(@line_item, :status => 204)
+        respond_with(@line_item, status: 204)
       end
 
       private
 
-      def order
-        @order ||= Order.find_by_number!(params[:order_id])
-      end
+        def order
+          @order ||= Spree::Order.find_by!(number: params[:order_id])
+          authorize! :update, @order, params[:order_token]
+        end
+
+        def line_item_params
+          params.require(:line_item).permit(:quantity, :variant_id)
+        end
     end
   end
 end

data/app/controllers/spree/api/option_types_controller.rb

@@ -3,21 +3,21 @@ module Spree
     class OptionTypesController < Spree::Api::BaseController
       def index
         if params[:ids]
-          @option_types = Spree::OptionType.where(:id => params[:ids].split(','))
+          @option_types = Spree::OptionType.accessible_by(current_ability, :read).where(:id => params[:ids].split(','))
         else
-          @option_types = Spree::OptionType.scoped.ransack(params[:q]).result
+          @option_types = Spree::OptionType.accessible_by(current_ability, :read).load.ransack(params[:q]).result
         end
         respond_with(@option_types)
       end
 
       def show
-      	@option_type = Spree::OptionType.find(params[:id])
-      	respond_with(@option_type)
+        @option_type = Spree::OptionType.accessible_by(current_ability, :read).find(params[:id])
+        respond_with(@option_type)
       end
 
       def create
-      	authorize! :create, Spree::OptionType
-      	@option_type = Spree::OptionType.new(params[:option_type])
+        authorize! :create, Spree::OptionType
+        @option_type = Spree::OptionType.new(option_type_params)
         if @option_type.save
           render :show, :status => 201
         else
@@ -26,9 +26,8 @@ module Spree
       end
 
       def update
-        authorize! :update, Spree::OptionType
-        @option_type = Spree::OptionType.find(params[:id])
-        if @option_type.update_attributes(params[:option_type])
+        @option_type = Spree::OptionType.accessible_by(current_ability, :update).find(params[:id])
+        if @option_type.update_attributes(option_type_params)
           render :show
         else
           invalid_resource!(@option_type)
@@ -36,11 +35,15 @@ module Spree
       end
 
       def destroy
-        authorize! :destroy, Spree::OptionType
-        @option_type = Spree::OptionType.find(params[:id])
+        @option_type = Spree::OptionType.accessible_by(current_ability, :destroy).find(params[:id])
         @option_type.destroy
         render :text => nil, :status => 204
       end
+
+      private
+        def option_type_params
+          params.require(:option_type).permit(permitted_option_type_attributes)
+        end
     end
   end
 end

data/app/controllers/spree/api/option_values_controller.rb

@@ -11,13 +11,13 @@ module Spree
       end
 
       def show
-      	@option_value = scope.find(params[:id])
-      	respond_with(@option_value)
+        @option_value = scope.find(params[:id])
+        respond_with(@option_value)
       end
 
       def create
-      	authorize! :create, Spree::OptionValue
-      	@option_value = scope.new(params[:option_value])
+        authorize! :create, Spree::OptionValue
+        @option_value = scope.new(option_value_params)
         if @option_value.save
           render :show, :status => 201
         else
@@ -26,9 +26,8 @@ module Spree
       end
 
       def update
-        authorize! :update, Spree::OptionValue
-        @option_value = scope.find(params[:id])
-        if @option_value.update_attributes(params[:option_value])
+        @option_value = scope.accessible_by(current_ability, :update).find(params[:id])
+        if @option_value.update_attributes(option_value_params)
           render :show
         else
           invalid_resource!(@option_value)
@@ -36,8 +35,7 @@ module Spree
       end
 
       def destroy
-        authorize! :destroy, Spree::OptionValue
-        @option_value = scope.find(params[:id])
+        @option_value = scope.accessible_by(current_ability, :destroy).find(params[:id])
         @option_value.destroy
         render :text => nil, :status => 204
       end
@@ -46,11 +44,15 @@ module Spree
 
         def scope
           if params[:option_type_id]
-            @scope ||= Spree::OptionType.find(params[:option_type_id]).option_values
+            @scope ||= Spree::OptionType.find(params[:option_type_id]).option_values.accessible_by(current_ability, :read)
           else
-            @scope ||= Spree::OptionValue.scoped
+            @scope ||= Spree::OptionValue.accessible_by(current_ability, :read).load
           end
         end
+
+        def option_value_params
+          params.require(:option_value).permit(permitted_option_type_attributes)
+        end
     end
   end
 end