spree_api 2.1.6 → 2.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 02fd5d06ef9c3f4ff35f710a66e4d1b187d08abd
-  data.tar.gz: f3623943eb622ff032d8ee517767233fe97dd5c1
+  metadata.gz: 2bdf54d9702da778a98e961e7ecaa93c91113a4e
+  data.tar.gz: f1527d859f7fddb7ef7cd6537dfc43fe1572b754
 SHA512:
-  metadata.gz: 78ba1c0714fab0a471d20015f35c6cc828306b4b4a9588f8688e0c938cc56be97ee42d887db371f8bf345926c3a05049170fe5b6bcfae14f41c51a975bd70268
-  data.tar.gz: a9b071acd933a1767c3b5686e02e15221fa8578d229c74fb6063ce6c901f16b8102e1552199b5ebd5c575ff732d61eb906e0656d134e0e98ee16da0bd6c52e68
+  metadata.gz: 4584dce0d9b973efebf1f7baa373f92116a1f511de54c2a0a37a9cea0ad73907f863b691e9f254563af42bd168e2ac37074b90cd12d25862ad26145fa3bcf2d5
+  data.tar.gz: d14f69e5834c3e9bc213c583640b7375f4f6a04ec06ee0d3eb241267aadb00847c2479cd8b62e743bdea17cb23293e9424542005459e3fcd2ef08cc56156378d

data/app/controllers/spree/api/orders_controller.rb

@@ -28,6 +28,7 @@ module Spree
 
       def empty
         find_order
+        authorize! :update, @order, order_token
         @order.empty!
         @order.update!
         render text: nil, status: 200
@@ -41,6 +42,7 @@ module Spree
 
       def show
         find_order
+        authorize! :show, @order, order_token
         method = "before_#{@order.state}"
         send(method) if respond_to?(method, true)
         respond_with(@order)
@@ -48,6 +50,7 @@ module Spree
 
       def update
         find_order(true)
+        authorize! :update, @order, order_token
         # Parsing line items through as an update_attributes call in the API will result in
         # many line items for the same variant_id being created. We must be smarter about this,
         # hence the use of the update_line_items method, defined within order_decorator.rb.
@@ -84,6 +87,7 @@ module Spree
       # https://github.com/spree/spree/blob/2-1-stable/frontend/app/controllers/spree/orders_controller.rb#L100
       def apply_coupon_code
         find_order
+        authorize! :update, @order, order_token
         @order.coupon_code = params[:coupon_code]
         @order.save
 
@@ -162,7 +166,6 @@ module Spree
 
         def find_order(lock = false)
           @order = Spree::Order.lock(lock).find_by!(number: params[:id])
-          authorize! :update, @order, order_token
         end
 
         def before_delivery

data/spec/controllers/spree/api/base_controller_spec.rb

@@ -39,6 +39,24 @@ describe Spree::Api::BaseController do
     end
   end
 
+  context "when validating based on an order token" do
+    let!(:order) { create :order }
+
+    context "with a correct order token" do
+      it "succeeds" do
+        api_get :index, order_token: order.token, order_id: order.number
+        response.status.should == 200
+      end
+    end
+
+    context "with an incorrect order token" do
+      it "returns unauthorized" do
+        api_get :index, order_token: "NOT_A_TOKEN", order_id: order.number
+        response.status.should == 401
+      end
+    end
+  end
+
   context "cannot make a request to the API" do
     it "without an API key" do
       api_get :index

data/spec/controllers/spree/api/checkouts_controller_spec.rb

@@ -173,7 +173,8 @@ module Spree
         order.update_column(:state, "payment")
         api_put :update, :id => order.to_param, :order_token => order.token,
           :order => { :payments_attributes => [{ :payment_method_id => @payment_method.id.to_s }],
-                      :payment_source => { @payment_method.id.to_s => { } } }
+                      :payment_source => { @payment_method.id.to_s => { first_name: "Spree" } } }
+
         response.status.should == 422
         cc_errors = json_response['errors']['payments.Credit Card']
         cc_errors.should include("Number can't be blank")

data/spec/controllers/spree/api/orders_controller_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'spree/testing_support/bar_ability'
 
 module Spree
   describe Api::OrdersController do
@@ -116,6 +117,20 @@ module Spree
       response.status.should == 200
     end
 
+    context "with BarAbility registered" do
+      before { Spree::Ability.register_ability(::BarAbility) }
+      after { Spree::Ability.remove_ability(::BarAbility) }
+
+      it "can view an order" do
+        user = mock_model(Spree::LegacyUser)
+        user.stub(:has_spree_role?).with('bar').and_return(true)
+        user.stub(:has_spree_role?).with('admin').and_return(false)
+        controller.stub try_spree_current_user: user
+        api_get :show, :id => order.to_param
+        response.status.should == 200
+      end
+    end
+
     it "cannot cancel an order that doesn't belong to them" do
       order.update_attribute(:completed_at, Time.now)
       order.update_attribute(:shipment_state, "ready")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_api
 version: !ruby/object:Gem::Version
-  version: 2.1.6
+  version: 2.1.7
 platform: ruby
 authors:
 - Ryan Bigg
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-25 00:00:00.000000000 Z
+date: 2014-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: spree_core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.6
+        version: 2.1.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.6
+        version: 2.1.7
 - !ruby/object:Gem::Dependency
   name: rabl
   requirement: !ruby/object:Gem::Requirement
@@ -254,7 +254,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.2.0
 signing_key: 
 specification_version: 4
 summary: Spree's API