spree_api 2.1.1 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1fd56fb7c9cb4be0a012aac73a49541df13c15a8
-  data.tar.gz: 812a59cc1cb657b17da7ed45433a61e3dbeb355e
+  metadata.gz: 2b88f0bb66f6241fa750c60df09e559515380ff9
+  data.tar.gz: c8c8111f3b16f720c3219105faf7d5a912dc5c45
 SHA512:
-  metadata.gz: 0816177016ba6c6e6f911287b2dee7c3508938c8053ddf29d2f2fce86f79b6816fbebcd8cae725d66f55d775b0c241fa8e3965bf7e7ad4d9bee805411ea7e17f
-  data.tar.gz: c5ec8647be4cf1fa347456b8ae8ff58727c59c986aa15babb28d7d87ee22e08144d50c3b6841e3b7473854e3107e9880b338fe9fdc0bb23a0d899797f51e605d
+  metadata.gz: 1c330a76aaf9c02fdfc52aa1c5da7cec9e1d20bd4eb607ae622dd7b9c3898a389b9f6955c8b0d0f52fda7ae02c3e052e100863fcd5535a80d98897b2cd9753e9
+  data.tar.gz: 9676ad30355100421c95579e8089ef471f0bd267327887ab9582f081ea5731ca0c7034cb68d37139528e5325bb03419b02f3eb8fbf1b14153de34935a4cd72ff

data/CHANGELOG.md

@@ -1,3 +1,21 @@
+## Spree 2.1.2 ##
+
+* States and countries endpoints now do not require authentication, even if it is forced with the `requires_authentication` setting. This is so the frontend's checkout address page can still work.
+
+    *Ryan Bigg*
+
+* You can now assign a location to a shipment when creating it through the orders API. f3ef2e1d46bc972442acbbcaae928e6ef2dc0eb5
+
+    *Washington Luiz*
+
+* Stock Items, Stock Movements and Stock Locations are now invisible to non-admin users.
+
+    *Ryan Bigg*
+
+* Fixed issue where X-Spree-Token header was being ignored. #3798
+
+    *Washington Luiz*
+
 ## Spree 2.1.0 ##
 
 * The Products API endpoint now returns an additional key called `shipping_category_id`, and also requires `shipping_category_id` on create.

data/app/controllers/spree/api/base_controller.rb

@@ -45,6 +45,15 @@ module Spree
         end.with_indifferent_access
       end
 
+      # users should be able to set price when importing orders via api
+      def permitted_line_item_attributes
+        if current_api_user.has_spree_role?("admin")
+          super << [:price]
+        else
+          super
+        end
+      end
+
       private
 
       def set_content_type
@@ -109,7 +118,7 @@ module Spree
       end
 
       def api_key
-        request.headers.env["X-Spree-Token"] || params[:token]
+        request.headers["X-Spree-Token"] || params[:token]
       end
       helper_method :api_key
 

data/app/controllers/spree/api/countries_controller.rb

@@ -1,6 +1,8 @@
 module Spree
   module Api
     class CountriesController < Spree::Api::BaseController
+      skip_before_filter :check_for_user_or_api_key
+      skip_before_filter :authenticate_user
 
       def index
         @countries = Country.accessible_by(current_ability, :read).ransack(params[:q]).result.

data/app/controllers/spree/api/orders_controller.rb

@@ -50,7 +50,11 @@ module Spree
         # hence the use of the update_line_items method, defined within order_decorator.rb.
         order_params.delete("line_items_attributes")
         if @order.update_attributes(order_params)
-          @order.update_line_items(params[:order][:line_items])
+          line_item_attributes = params[:order][:line_items].map do |id, attributes|
+            [id, attributes.slice(*permitted_line_item_attributes)]
+          end
+          line_item_attributes = Hash[line_item_attributes].delete_if { |k,v| v.empty? }
+          @order.update_line_items(line_item_attributes)
           @order.line_items.reload
           @order.update!
           respond_with(@order, default_template: :show)
@@ -72,6 +76,10 @@ module Spree
           end
         end
 
+        def permitted_order_attributes
+          super << [:import]
+        end
+
         def next!(options={})
           if @order.valid? && @order.next
             render :show, status: options[:status] || 200
@@ -88,7 +96,6 @@ module Spree
         def before_delivery
           @order.create_proposed_shipments
         end
-
     end
   end
 end

data/app/controllers/spree/api/payments_controller.rb

@@ -3,7 +3,7 @@ module Spree
     class PaymentsController < Spree::Api::BaseController
 
       before_filter :find_order
-      before_filter :find_payment, only: [:show, :authorize, :purchase, :capture, :void, :credit]
+      before_filter :find_payment, only: [:update, :show, :authorize, :purchase, :capture, :void, :credit]
 
       def index
         @payments = @order.payments.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
@@ -24,6 +24,17 @@ module Spree
         end
       end
 
+      def update
+        authorize! params[:action], @payment
+        if ! @payment.pending?
+          render 'update_forbidden', status: 403
+        elsif @payment.update_attributes(payment_params)
+          respond_with(@payment, default_template: :show)
+        else
+          invalid_resource!(@payment)
+        end
+      end
+
       def show
         respond_with(@payment)
       end
@@ -46,7 +57,7 @@ module Spree
 
       def credit
         if params[:amount].to_f > @payment.credit_allowed
-          render 'spree/api/payments/credit_over_limit', status: 422
+          render 'credit_over_limit', status: 422
         else
           perform_payment_action(:credit, params[:amount])
         end

data/app/controllers/spree/api/states_controller.rb

@@ -2,6 +2,8 @@ module Spree
   module Api
     class StatesController < Spree::Api::BaseController
       skip_before_filter :set_expiry
+      skip_before_filter :check_for_user_or_api_key
+      skip_before_filter :authenticate_user
 
       def index
         @states = scope.ransack(params[:q]).result.

data/app/controllers/spree/api/stock_items_controller.rb

@@ -63,7 +63,8 @@ module Spree
       end
 
       def scope
-        @stock_location.stock_items.accessible_by(current_ability, :read).includes(:variant => :product)
+        includes = {:variant => [{ :option_values => :option_type }, :product] }
+        @stock_location.stock_items.accessible_by(current_ability, :read).includes(includes)
       end
 
       def stock_item_params

data/app/controllers/spree/api/stock_locations_controller.rb

@@ -2,6 +2,7 @@ module Spree
   module Api
     class StockLocationsController < Spree::Api::BaseController
       def index
+        authorize! :read, StockLocation
         @stock_locations = StockLocation.accessible_by(current_ability, :read).order('name ASC').ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_locations)
       end

data/app/controllers/spree/api/stock_movements_controller.rb

@@ -4,6 +4,7 @@ module Spree
       before_filter :stock_location, except: [:update, :destroy]
 
       def index
+        authorize! :read, StockMovement
         @stock_movements = scope.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
         respond_with(@stock_movements)
       end

data/app/helpers/spree/api/api_helpers.rb

@@ -28,7 +28,7 @@ module Spree
       end
 
       def option_value_attributes
-        [:id, :name, :presentation, :option_type_name, :option_type_id]
+        [:id, :name, :presentation, :option_type_name, :option_type_id, :option_type_presentation]
       end
 
       def order_attributes
@@ -44,7 +44,7 @@ module Spree
       end
 
       def payment_attributes
-        [:id, :source_type, :source_id, :amount, :payment_method_id, :response_code, :state, :avs_response, :created_at, :updated_at]
+        [:id, :source_type, :source_id, :amount, :display_amount, :payment_method_id, :response_code, :state, :avs_response, :created_at, :updated_at]
       end
 
       def payment_method_attributes
@@ -113,4 +113,3 @@ module Spree
     end
   end
 end
-

data/app/models/spree/option_value_decorator.rb

@@ -2,4 +2,8 @@ Spree::OptionValue.class_eval do
   def option_type_name
     option_type.name
   end
+
+  def option_type_presentation
+    option_type.presentation
+  end
 end

data/app/models/spree/order_decorator.rb

@@ -1,28 +1,34 @@
 Spree::Order.class_eval do
   def self.build_from_api(user, params)
-    completed_at = params.delete(:completed_at)
-    line_items = params.delete(:line_items_attributes) || {}
-    shipments = params.delete(:shipments_attributes) || []
-    payments = params.delete(:payments_attributes) || []
-    adjustments = params.delete(:adjustments_attributes) || []
+    begin
+      ensure_country_id_from_api params[:ship_address_attributes]
+      ensure_state_id_from_api params[:ship_address_attributes]
+      ensure_country_id_from_api params[:bill_address_attributes]
+      ensure_state_id_from_api params[:bill_address_attributes]
 
-    ensure_country_id_from_api params[:ship_address_attributes]
-    ensure_state_id_from_api params[:ship_address_attributes]
+      order = create!
+      order.associate_user!(user)
 
-    ensure_country_id_from_api params[:bill_address_attributes]
-    ensure_state_id_from_api params[:bill_address_attributes]
+      order.create_shipments_from_api params.delete(:shipments_attributes) || []
+      order.create_line_items_from_api params.delete(:line_items_attributes) || {}
+      order.create_adjustments_from_api params.delete(:adjustments_attributes) || []
+      order.create_payments_from_api params.delete(:payments_attributes) || []
+      order.complete_from_api params.delete(:completed_at)
 
-    order = create!(params)
-    order.associate_user!(user)
+      destroy_automatic_taxes_on_import(order, params)
+      order.update_attributes!(params)
 
-    order.create_shipments_from_api(shipments)
-    order.create_line_items_from_api(line_items)
-    order.create_adjustments_from_api(adjustments)
-    order.create_payments_from_api(payments)
-    order.complete_from_api(completed_at)
+      order.reload
+    rescue Exception => e
+      order.destroy if order && order.persisted?
+      raise e.message
+    end
+  end
 
-    order.save!
-    order.reload
+  def self.destroy_automatic_taxes_on_import(order, params)
+    if params.delete :import
+      order.adjustments.tax.destroy_all
+    end
   end
 
   def complete_from_api(completed_at)
@@ -37,6 +43,7 @@ Spree::Order.class_eval do
       begin
         shipment = shipments.build
         shipment.tracking = s[:tracking]
+        shipment.stock_location = Spree::StockLocation.find_by_name!(s[:stock_location])
 
         inventory_units = s[:inventory_units] || []
         inventory_units.each do |iu|

data/app/views/spree/api/payments/credit_over_limit.v1.rabl

@@ -1,2 +1,2 @@
 object false
-node(:error) { I18n.t(:credit_over_limit, :limit => @payment.credit_allowed, :scope => 'spree.api') }
+node(:error) { I18n.t(:credit_over_limit, :limit => @payment.credit_allowed, :scope => 'spree.api.payment') }

data/app/views/spree/api/payments/new.v1.rabl

@@ -3,4 +3,3 @@ node(:attributes) { [*payment_attributes] }
 child @payment_methods => :payment_methods do
   attributes *payment_method_attributes
 end
-

data/app/views/spree/api/payments/update_forbidden.v1.rabl

@@ -0,0 +1,2 @@
+object false
+node(:error) { I18n.t(:update_forbidden, :state => @payment.state, :scope => 'spree.api.payment') }

data/config/locales/en.yml

@@ -7,7 +7,6 @@ en:
       invalid_resource: "Invalid resource. Please fix errors and try again."
       resource_not_found: "The resource you were looking for could not be found."
       gateway_error: "There was a problem with the payment gateway: %{text}"
-      credit_over_limit: "This payment can only be credited up to %{limit}. Please specify an amount less than or equal to this number."
       access: "API Access"
       key: "Key"
       clear_key: "Clear key"
@@ -19,6 +18,9 @@ en:
       order:
         could_not_transition: "The order could not be transitioned. Please fix the errors and try again."
         invalid_shipping_method: "Invalid shipping method specified."
+      payment:
+        credit_over_limit: "This payment can only be credited up to %{limit}. Please specify an amount less than or equal to this number."
+        update_forbidden: "This payment cannot be updated because it is %{state}."
       shipment:
         cannot_ready: "Cannot ready shipment."
       stock_location_required: "A stock_location_id parameter must be provided in order to retrieve stock movements."

data/config/routes.rb

@@ -1,4 +1,4 @@
-Spree::Core::Engine.routes.draw do
+Spree::Core::Engine.add_routes do
   namespace :admin do
     resources :users do
       member do

data/lib/spree/api/responders/rabl_template.rb

@@ -14,7 +14,7 @@ module Spree
         end
 
         def template
-          request.headers.env['X-Spree-Template'] || controller.params[:template] || options[:default_template]
+          request.headers['X-Spree-Template'] || controller.params[:template] || options[:default_template]
         end
       end
     end

data/spec/controllers/spree/api/base_controller_spec.rb

@@ -29,7 +29,7 @@ describe Spree::Api::BaseController do
     end
 
     it "with an invalid API key" do
-      request.env["X-Spree-Token"] = "fake_key"
+      request.headers["X-Spree-Token"] = "fake_key"
       get :index, {}
       json_response.should == { "error" => "Invalid API key (fake_key) specified." }
       response.status.should == 401

data/spec/controllers/spree/api/checkouts_controller_spec.rb

@@ -29,6 +29,12 @@ module Spree
         json_response['number'].should be_present
         response.status.should == 201
       end
+
+      it "assigns email when creating a new order" do
+        api_post :create, :order => { :email => "guest@spreecommerce.com" }
+        expect(json_response['email']).not_to eq controller.current_api_user
+        expect(json_response['email']).to eq "guest@spreecommerce.com"
+      end
     end
 
     context "PUT 'update'" do
@@ -176,6 +182,14 @@ module Spree
         response.status.should == 200
       end
 
+      # Regression test for #3784
+      it "can update the special instructions for an order" do
+        instructions = "Don't drop it. (Please)"
+        api_put :update, :id => order.to_param, :order_token => order.token,
+          :order => { :special_instructions => instructions }
+        expect(json_response['special_instructions']).to eql(instructions)
+      end
+
       context "as an admin" do
         sign_in_as_admin!
         it "can assign a user to the order" do

data/spec/controllers/spree/api/orders_controller_spec.rb

@@ -5,6 +5,8 @@ module Spree
     render_views
 
     let!(:order) { create(:order) }
+    let(:variant) { create(:variant) }
+
     let(:attributes) { [:number, :item_total, :display_total, :total,
                         :state, :adjustment_total,
                         :user_id, :created_at, :updated_at,
@@ -12,6 +14,23 @@ module Spree
                         :payment_state, :email, :special_instructions,
                         :total_quantity, :display_item_total] }
 
+    let(:address_params) { { :country_id => Country.first.id, :state_id => State.first.id } }
+
+    let(:billing_address) { { :firstname => "Tiago", :lastname => "Motta", :address1 => "Av Paulista",
+                              :city => "Sao Paulo", :zipcode => "1234567", :phone => "12345678",
+                              :country_id => Country.first.id, :state_id => State.first.id} }
+
+    let(:shipping_address) { { :firstname => "Tiago", :lastname => "Motta", :address1 => "Av Paulista",
+                               :city => "Sao Paulo", :zipcode => "1234567", :phone => "12345678",
+                               :country_id => Country.first.id, :state_id => State.first.id} }
+
+    let!(:payment_method) { create(:payment_method) }
+
+    let(:current_api_user) do
+      user = Spree.user_class.new(:email => "spree@example.com")
+      user.generate_spree_api_key!
+      user
+    end
 
     before do
       stub_authentication!
@@ -68,22 +87,7 @@ module Spree
       assert_unauthorized!
     end
 
-    let(:address_params) { { :country_id => Country.first.id, :state_id => State.first.id } }
-    let(:billing_address) { { :firstname => "Tiago", :lastname => "Motta", :address1 => "Av Paulista",
-                              :city => "Sao Paulo", :zipcode => "1234567", :phone => "12345678",
-                              :country_id => Country.first.id, :state_id => State.first.id} }
-    let(:shipping_address) { { :firstname => "Tiago", :lastname => "Motta", :address1 => "Av Paulista",
-                               :city => "Sao Paulo", :zipcode => "1234567", :phone => "12345678",
-                               :country_id => Country.first.id, :state_id => State.first.id} }
-    let!(:payment_method) { create(:payment_method) }
-    let(:current_api_user) do
-      user = Spree.user_class.new(:email => "spree@example.com")
-      user.generate_spree_api_key!
-      user
-    end
-
     it "can create an order" do
-      variant = create(:variant)
       api_post :create, :order => { :line_items => { "0" => { :variant_id => variant.to_param, :quantity => 5 } } }
       response.status.should == 201
       order = Order.last
@@ -99,7 +103,6 @@ module Spree
 
     # Regression test for #3404
     it "can specify additional parameters for a line item" do
-      variant = create(:variant)
       Order.should_receive(:create!).and_return(order = Spree::Order.new)
       order.stub(:associate_user!)
       order.stub_chain(:contents, :add).and_return(line_item = double('LineItem'))
@@ -116,9 +119,45 @@ module Spree
       response.status.should == 201
     end
 
+    it "cannot arbitrarily set the line items price" do
+      api_post :create, :order => {
+        :line_items => {
+          "0" => {
+            :price => 33.0, :variant_id => variant.to_param, :quantity => 5
+          }
+        }
+      }
+
+      expect(response.status).to eq 201
+      expect(Order.last.line_items.first.price.to_f).to eq(variant.price)
+    end
+
+    context "import" do
+      let(:tax_rate) { create(:tax_rate, amount: 0.05, calculator: Calculator::DefaultTax.create) }
+      let(:other_variant) { create(:variant) }
+
+      let(:order_params) do
+        {
+          :line_items => {
+            "0" => { :variant_id => variant.to_param, :quantity => 5 },
+            "1" => { :variant_id => other_variant.to_param, :quantity => 5 }
+          }
+        }
+      end
+
+      before { Zone.stub default_tax: tax_rate.zone }
+
+      it "doesnt persist any automatic tax adjustment" do
+        expect {
+          api_post :create, :order => order_params.merge(:import => true)
+        }.not_to change { Adjustment.count }
+
+        expect(response.status).to eq 201
+      end
+    end
+
     # Regression test for #3404
     it "does not update line item needlessly" do
-      variant = create(:variant)
       Order.should_receive(:create!).and_return(order = Spree::Order.new)
       order.stub(:associate_user!)
       order.stub_chain(:contents, :add).and_return(line_item = double('LineItem'))
@@ -180,6 +219,19 @@ module Spree
         json_response['line_items'].first['quantity'].should == 10
       end
 
+      it "cannot change the price of an existing line item" do
+        api_put :update, :id => order.to_param, :order => {
+          :line_items => {
+            line_item.id => { :price => 0 }
+          }
+        }
+
+        response.status.should == 200
+        json_response['line_items'].count.should == 1
+        expect(json_response['line_items'].first['price'].to_f).to_not eq(0)
+        expect(json_response['line_items'].first['price'].to_f).to eq(line_item.variant.price)
+      end
+
       it "can add billing address" do
         api_put :update, :id => order.to_param, :order => { :bill_address_attributes => billing_address }
 
@@ -357,6 +409,21 @@ module Spree
         end
       end
 
+      context "creation" do
+        it "can arbitrarily set the line items price" do
+          api_post :create, :order => {
+            :line_items => {
+              "0" => {
+                :price => 33.0, :variant_id => variant.to_param, :quantity => 5
+              }
+            }
+          }
+
+          expect(response.status).to eq 201
+          expect(Order.last.line_items.first.price.to_f).to eq(33.0)
+        end
+      end
+
       context "can cancel an order" do
         before do
           Spree::Config[:mails_from] = "spree@example.com"