RubyGems - spree_api - Versions diffs - 5.5.0.rc2 → 5.5.0.rc3 - Mend

spree_api 5.5.0.rc2 → 5.5.0.rc3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a94767b03984d4ebb7c65b91c9512aac96e909f9d2308f06ed1e96e53f2a3580
-  data.tar.gz: 8c0f0201d44ca50071cd273c932b497fcafd2f954f7d9e213772f4fe16595ab1
+  metadata.gz: 782979132fc5d443901d5df5881143bec024d695856ae2a321574004ae83ac1a
+  data.tar.gz: c8b368f528c51d9bb5772bdde7d743043c7bc5b85046e560219549254c42f6ca
 SHA512:
-  metadata.gz: b1ae1474848c3bd7fc3bea51374c1a523b4bf08e94d75f3ea82c60fa1ce43b812dccf2c37aae01c2225e9d3281c7d16868dd7b28431f30ad177913fbb085b7aa
-  data.tar.gz: 1830848629f174cf25342d0c3bc584aba47ea4365b890b623bf6df8a44bfed3bc6566e95cd264517e79379d8569ce66baf18ffd2be4186143a265a5ef81d1ef1
+  metadata.gz: a846e352c895c3df11ed61ee931b31ecea07f5d8183021bdd5aa5711907a7a199de928402601cebdab7ac3bb2ed241b1d4a8a2c692d759ffcac15b749df7ed3b
+  data.tar.gz: 626baa65dd040b25cd6cb8cf7308e601668012933a3a7e7f0d4e5e8cb0888e7424db6924e003f80f39278dfb762ae79435e5f078f8823a506db53c3692878a19

data/app/controllers/concerns/spree/api/v3/admin/role_grant_guard.rb CHANGED Viewed

@@ -2,49 +2,107 @@ module Spree
   module Api
     module V3
       module Admin
-        # Shared guard preventing role-assignment privilege escalation. Staff
-        # role grants (via admin_users#update and invitations#create) must not
-        # let a caller hand out the `admin` super-role unless they already hold
-        # it on the current store. API-key principals have no human identity to
-        # bound the grant, so they can never grant the admin role.
+        # Shared guard for staff role grants (admin_users#update and
+        # invitations#create). A grant is rejected when, in order:
         #
-        # Without this, any principal able to write staff (`write_settings`
-        # scope, or a `UserManagement`/`RoleManagement` JWT role) could promote
-        # an account to store super-admin. See the 2026-06 admin API security
-        # review (Vulns 2-4).
+        #   1. (opt-in) the caller can't `:create` a Spree::RoleUser — i.e. lacks
+        #      the RoleManagement permission set;
+        #   2. it includes the literal `admin` role and the caller does not hold
+        #      it on the current store;
+        #   3. it includes any role whose permission sets exceed the caller's own
+        #      (catches SuperUser-equivalent custom roles the name check misses).
+        #
+        # API-key principals hold no roles, so they can grant only roles that
+        # activate no permission sets.
         module RoleGrantGuard
           extend ActiveSupport::Concern
           private
           # @param role_ids [Array<Integer,String>] resolved (decoded) role ids
+          # @param require_role_management [Boolean] also require CanCanCan
+          #   authority to create a RoleUser. Set by `admin_users#update`, whose
+          #   own authorization is only `:update` on the user; the invitations
+          #   flow leaves it off (its gate is `manage Invitation`).
           # @return [Boolean] true if the request was rejected (caller should return)
-          def reject_unauthorized_role_grant!(role_ids)
+          def reject_unauthorized_role_grant!(role_ids, require_role_management: false)
             return false if role_ids.blank?
-            admin_role_id = Spree::Role.admin.pick(:id)
-            return false if admin_role_id.blank?
-            return false unless role_ids.map(&:to_s).include?(admin_role_id.to_s)
+            # The management gate runs whenever a role mutation is attempted —
+            # before resolving ids — so passing unknown ids can't slip the
+            # reconciliation (which would still remove the user's current roles)
+            # past a caller without role-management authority.
+            return true if require_role_management && reject_without_role_management!
+            roles = Spree::Role.where(id: role_ids.map(&:to_s)).to_a
+            return false if roles.empty?
+            return true if reject_admin_role_grant!(roles)
+            return true if reject_privilege_escalating_grant!(roles)
+            false
+          end
+          # For API-key principals CanCanCan is permissive (ScopedAuthorization is
+          # their gate), so this only constrains JWT admins.
+          def reject_without_role_management!
+            return false if scope_limited_principal?
+            return false if can?(:create, Spree::RoleUser)
+            deny_role_grant!('You are not authorized to assign roles.')
+          end
+          def reject_admin_role_grant!(roles)
+            return false unless roles.any? { |role| role.name == Spree::Role::ADMIN_ROLE }
             return false if caller_holds_admin_role?
+            deny_role_grant!('You cannot grant the admin role.')
+          end
+          # A caller holding the admin role bounds nothing; the literal admin role
+          # is already gated by reject_admin_role_grant!.
+          def reject_privilege_escalating_grant!(roles)
+            return false if caller_holds_admin_role?
+            caller_sets = Spree.permissions.permission_sets_for_roles(caller_role_names)
+            escalating = roles.reject { |role| grantable_within?(role, caller_sets) }
+            return false if escalating.empty?
+            deny_role_grant!("You cannot grant roles beyond your own privileges: #{escalating.map(&:name).join(', ')}")
+          end
+          # A role is grantable when every permission set it activates is one the
+          # caller already holds.
+          def grantable_within?(role, caller_sets)
+            (Spree.permissions.permission_sets_for(role.name) - caller_sets).empty?
+          end
+          # The caller's store-scoped role names, fetched once per request.
+          def caller_role_names
+            return @caller_role_names if defined?(@caller_role_names)
+            user = try_spree_current_user
+            @caller_role_names =
+              if user.respond_to?(:role_users)
+                user.role_users.where(resource: current_store).joins(:role).
+                  pluck("#{Spree::Role.table_name}.name")
+              else
+                []
+              end
+          end
+          def caller_holds_admin_role?
+            caller_role_names.include?(Spree::Role::ADMIN_ROLE)
+          end
+          def deny_role_grant!(message)
             render_error(
               code: Spree::Api::V3::ErrorHandler::ERROR_CODES[:access_denied],
-              message: 'You cannot grant the admin role.',
+              message: message,
               status: :forbidden
             )
             true
           end
-          # Mirrors how Spree::Ability activates the super-user permission set:
-          # admin-ness is decided by `spree_roles` membership (resource-agnostic),
-          # not by a per-store RoleUser. API-key principals have no user and so
-          # never count as holding the admin role.
-          def caller_holds_admin_role?
-            user = try_spree_current_user
-            return false unless user.respond_to?(:spree_roles)
-            user.spree_roles.exists?(name: Spree::Role::ADMIN_ROLE)
-          end
         end
       end
     end

data/app/controllers/concerns/spree/api/v3/admin_authentication.rb CHANGED Viewed

@@ -39,12 +39,34 @@ module Spree
             return true
           end
-          # Fall back to JWT authentication
-          require_authentication!
+          # Fall back to JWT authentication, then bind the admin to the store
+          # they hold a role on (the token itself is store-agnostic).
+          return false unless require_authentication!
+          require_store_membership!
         end
         private
+        # Rejects an authenticated JWT admin who has no role on +current_store+.
+        # API-key principals are already store-bound and skip this check.
+        def require_store_membership!
+          return true if current_user_member_of_store?
+          render_error(
+            code: ErrorHandler::ERROR_CODES[:access_denied],
+            message: 'You do not have access to this store.',
+            status: :forbidden
+          )
+          false
+        end
+        def current_user_member_of_store?
+          return false unless current_user.respond_to?(:role_users)
+          current_user.role_users.exists?(resource: current_store)
+        end
         def set_no_store_cache
           response.headers['Cache-Control'] = 'private, no-store'
         end

data/app/controllers/spree/api/v3/admin/admin_users_controller.rb CHANGED Viewed

@@ -35,8 +35,11 @@ module Spree
             # `nil` when the key is absent (leave roles untouched); an array
             # (possibly empty, to clear) when the client sends `role_ids`.
+            # `require_role_management:` — this action only authorizes `:update`
+            # on the user, so role assignment must be separately gated by the
+            # RoleManagement permission set, not by profile-edit rights.
             role_ids = role_ids_param if params.key?(:role_ids)
-            return if role_ids && reject_unauthorized_role_grant!(role_ids)
+            return if role_ids && reject_unauthorized_role_grant!(role_ids, require_role_management: true)
             if @resource.update(identity_params)
               apply_role_ids(role_ids) if role_ids

data/app/controllers/spree/api/v3/admin/api_keys_controller.rb CHANGED Viewed

@@ -8,6 +8,10 @@ module Spree
           # revoke or destroy higher-privileged keys.
           scoped_resource :api_keys
+          # Introspecting the credential you authenticated with never requires
+          # `read_api_keys` — any key can describe itself.
+          skip_scope_check! only: :current
           # POST /api/v3/admin/api_keys
           # Prevents scope amplification: a key minted via a secret API key can
           # only carry scopes that key already holds. A JWT admin is governed by
@@ -40,6 +44,27 @@ module Spree
             render json: serialize_resource(@resource)
           end
+          # GET /api/v3/admin/api_keys/current
+          # Describes the key that authenticated this request, including its
+          # live scopes — so a client (e.g. the `spree api` CLI) can show the
+          # real, current authority instead of a stale local snapshot. Only
+          # secret-key principals have a single key; a JWT admin does not.
+          #
+          # This is the secret-key half of "describe the current credential";
+          # the JWT-admin half is GET /api/v3/admin/me (see MeController), which
+          # returns the user + their CanCanCan permissions.
+          def current
+            unless current_api_key
+              return render_error(
+                code: ERROR_CODES[:record_not_found],
+                message: Spree.t(:api_key_no_current_key),
+                status: :not_found
+              )
+            end
+            render json: serialize_resource(current_api_key)
+          end
           protected
           def model_class
@@ -62,14 +87,14 @@ module Spree
             end
           end
-          # `key_type` is set on create only — flipping a publishable key to a
-          # secret one (or vice versa) would invalidate every consumer of the
-          # plaintext token. We strip it on update so that's impossible to do
-          # by accident through the API.
+          # `key_type` and `scopes` are create-only (scope immutability lives on
+          # Spree::ApiKey); update is limited to the human-facing `name`. Stripping
+          # them here keeps them out of mass assignment so a rename returns 200
+          # rather than 422.
           def permitted_params
-            attrs = params.permit(:name, :key_type, scopes: [])
-            attrs.delete(:key_type) if action_name == 'update'
-            attrs
+            return params.permit(:name) if action_name == 'update'
+            params.permit(:name, :key_type, scopes: [])
           end
           private

data/app/controllers/spree/api/v3/admin/channels_controller.rb CHANGED Viewed

@@ -49,14 +49,12 @@ module Spree
           private
-          # Deliberately not scoped through `for_store` — this endpoint is the
-          # path by which a product *enters* the store, so requiring an
-          # existing publication would block first-time onboarding. The
-          # cross-store guard runs one level up: `find_resource` already
-          # restricted the channel to `current_store`.
+          # Scoped to the current store: a product can only be published to a
+          # channel of the store that owns it (products are single-owner via
+          # `belongs_to :store`). Foreign product IDs are silently dropped.
           def scoped_product_ids
             ids = decode_prefixed_ids(params[:product_ids])
-            Spree::Product.accessible_by(current_ability, :update).where(id: ids).ids
+            current_store.products.accessible_by(current_ability, :update).where(id: ids).ids
           end
         end
       end

data/app/controllers/spree/api/v3/admin/coupon_codes_controller.rb CHANGED Viewed

@@ -19,8 +19,8 @@ module Spree
           end
           def set_parent
-            @parent = Spree::Promotion.accessible_by(current_ability, :show)
-                                      .find_by_prefix_id!(params[:promotion_id])
+            @parent = current_store.promotions.accessible_by(current_ability, :show)
+                                   .find_by_prefix_id!(params[:promotion_id])
           end
           def parent_association

data/app/controllers/spree/api/v3/admin/custom_fields_controller.rb CHANGED Viewed

@@ -54,7 +54,7 @@ module Spree
             raise ActiveRecord::RecordNotFound, 'Parent resource not found' unless parent_lookup
             @parent = parent_relation.find_by_prefix_id!(parent_lookup.value)
-            authorize!(:show, @parent)
+            authorize!(:update, @parent)
           end
           # Resolves the parent within the current store so a token for one

data/app/controllers/spree/api/v3/admin/customers/credit_cards_controller.rb CHANGED Viewed

@@ -10,6 +10,13 @@ module Spree
               :credit_cards
             end
+            # Customers are global; a saved card belongs to the store-scoped
+            # payment method it was created against, so the nested collection is
+            # bound to the current store's payment methods.
+            def scope
+              @parent.credit_cards.where(payment_method_id: current_store.payment_methods.select(:id))
+            end
             def model_class
               Spree::CreditCard
             end

data/app/controllers/spree/api/v3/admin/customers/store_credits_controller.rb CHANGED Viewed

@@ -67,6 +67,12 @@ module Spree
               :store_credits
             end
+            # Customers are global; store credits belong to a store, so the
+            # nested collection is bound to the current store.
+            def scope
+              @parent.store_credits.for_store(current_store)
+            end
             def model_class
               Spree::StoreCredit
             end

data/app/controllers/spree/api/v3/admin/me_controller.rb CHANGED Viewed

@@ -11,7 +11,24 @@ module Spree
           # the permissions list to decide which UI elements to show or hide.
           # The actual authorization check is still enforced server-side by
           # CanCanCan — the SPA list is purely for UX.
+          #
+          # This is the JWT-admin half of "describe the current credential"; the
+          # secret-key half is GET /api/v3/admin/api_keys/current (see
+          # ApiKeysController#current), which returns the key + its scopes.
+          #
+          # A request authenticated by a secret API key has no Spree user to
+          # describe, so it gets a 404 pointing at the key endpoint rather than
+          # a 500 from serializing a nil user — mirroring how #current 404s for
+          # a JWT principal that has no single key.
           def show
+            unless current_user
+              return render_error(
+                code: ERROR_CODES[:record_not_found],
+                message: Spree.t(:me_no_current_user),
+                status: :not_found
+              )
+            end
             render json: {
               user: admin_user_serializer.new(current_user, params: serializer_params).to_h,
               permissions: serialize_permissions(current_ability)

data/app/controllers/spree/api/v3/admin/media_controller.rb CHANGED Viewed

@@ -34,7 +34,7 @@ module Spree
           def set_parent
             @product = current_store.products.find_by_prefix_id!(params[:product_id])
-            authorize!(:show, @product)
+            authorize!(:update, @product)
             @parent = if params[:variant_id].present?
                         @product.variants_including_master.find_by_prefix_id!(params[:variant_id])

data/app/controllers/spree/api/v3/admin/orders/adjustments_controller.rb CHANGED Viewed

@@ -4,8 +4,6 @@ module Spree
       module Admin
         module Orders
           class AdjustmentsController < BaseController
-            scoped_resource :orders
             protected
             def model_class

data/app/controllers/spree/api/v3/admin/orders/base_controller.rb CHANGED Viewed

@@ -8,6 +8,8 @@ module Spree
             before_action :authorize_order_access!
+            scoped_resource :orders
             protected
             def set_parent

data/app/controllers/spree/api/v3/admin/orders/fulfillments_controller.rb CHANGED Viewed

@@ -57,11 +57,11 @@ module Spree
             # PATCH /api/v3/admin/orders/:order_id/fulfillments/:id/split
             def split
               with_order_lock do
-                variant = Spree::Variant.find_by_prefix_id!(params[:variant_id])
+                variant = current_store.variants.find_by_prefix_id!(params[:variant_id])
                 quantity = params[:quantity].to_i
                 stock_location = if params[:stock_location_id].present?
-                                   Spree::StockLocation.find_by_prefix_id!(params[:stock_location_id])
+                                   Spree::StockLocation.accessible_by(current_ability, :show).find_by_prefix_id!(params[:stock_location_id])
                                  else
                                    @resource.stock_location
                                  end
@@ -93,8 +93,10 @@ module Spree
               :shipments
             end
+            # State changes go through the dedicated `fulfill`/`cancel`/`resume`
+            # member actions, not mass assignment.
             def permitted_params
-              params.permit(:tracking, :selected_shipping_rate_id, :stock_location_id, :state)
+              params.permit(:tracking, :selected_shipping_rate_id, :stock_location_id)
             end
           end
         end

data/app/controllers/spree/api/v3/admin/orders/gift_cards_controller.rb CHANGED Viewed

@@ -4,8 +4,6 @@ module Spree
       module Admin
         module Orders
           class GiftCardsController < BaseController
-            scoped_resource :gift_cards
             skip_before_action :set_resource, raise: false
             # POST /api/v3/admin/orders/:order_id/gift_cards

data/app/controllers/spree/api/v3/admin/orders/items_controller.rb CHANGED Viewed

@@ -4,8 +4,6 @@ module Spree
       module Admin
         module Orders
           class ItemsController < BaseController
-            scoped_resource :orders
             # POST /api/v3/admin/orders/:order_id/items
             def create
               with_order_lock do

data/app/controllers/spree/api/v3/admin/orders/payments_controller.rb CHANGED Viewed

@@ -15,7 +15,7 @@ module Spree
             # The source must belong to the customer assigned to the order.
             def create
               with_order_lock do
-                payment_method = Spree::PaymentMethod.find_by_prefix_id!(params[:payment_method_id])
+                payment_method = current_store.payment_methods.accessible_by(current_ability, :show).find_by_prefix_id!(params[:payment_method_id])
                 @resource = @parent.payments.build(
                   amount: params[:amount] || @parent.order_total_after_store_credit,
                   payment_method: payment_method

data/app/controllers/spree/api/v3/admin/orders/refunds_controller.rb CHANGED Viewed

@@ -9,9 +9,9 @@ module Spree
             # POST /api/v3/admin/orders/:order_id/refunds
             def create
               with_order_lock do
-                payment = @parent.payments.find_by_prefix_id!(params[:payment_id])
-                reason = Spree::RefundReason.find_by_prefix_id!(params[:refund_reason_id]) if params[:refund_reason_id].present?
-                reason ||= Spree::RefundReason.first
+                payment = @parent.payments.accessible_by(current_ability, :update).find_by_prefix_id!(params[:payment_id])
+                reason = Spree::RefundReason.accessible_by(current_ability, :show).find_by_prefix_id!(params[:refund_reason_id]) if params[:refund_reason_id].present?
+                reason ||= Spree::RefundReason.accessible_by(current_ability, :show).first
                 @resource = payment.refunds.build(
                   amount: params[:amount],

data/app/controllers/spree/api/v3/admin/orders/store_credits_controller.rb CHANGED Viewed

@@ -4,8 +4,6 @@ module Spree
       module Admin
         module Orders
           class StoreCreditsController < BaseController
-            scoped_resource :store_credits
             skip_before_action :set_resource, raise: false
             # POST /api/v3/admin/orders/:order_id/store_credits

data/app/controllers/spree/api/v3/admin/payment_methods_controller.rb CHANGED Viewed

@@ -60,11 +60,9 @@ module Spree
           private
-          # New payment methods get scoped to the current store automatically.
+          # New payment methods are created through the current store.
           def build_subclassed_resource(klass, attrs)
-            resource = klass.new(attrs)
-            resource.stores = [current_store] if resource.stores.empty?
-            resource
+            current_store.payment_methods.build(attrs.merge(type: klass.sti_name))
           end
         end
       end

data/app/controllers/spree/api/v3/admin/prices_controller.rb CHANGED Viewed

@@ -35,7 +35,13 @@ module Spree
               )
             end
-            foreign = foreign_rows(rows)
+            store_variant_ids = store_variants.where(id: rows.map { |r| r[:variant_id] }).ids.map(&:to_s).to_set
+            store_price_list_ids = store_price_lists.where(id: rows.filter_map { |r| r[:price_list_id] }).ids.map(&:to_s).to_set
+            foreign = rows.each_with_index.filter_map do |row, idx|
+              variant_ok = store_variant_ids.include?(row[:variant_id].to_s)
+              price_list_ok = row[:price_list_id].blank? || store_price_list_ids.include?(row[:price_list_id].to_s)
+              { index: idx } unless variant_ok && price_list_ok
+            end
             if foreign.any?
               return render_error(
                 code: 'invalid_prices',
@@ -91,14 +97,26 @@ module Spree
             false
           end
+          # Resolves variant_id / price_list_id through the current store's
+          # scopes so a foreign or unknown id 404s instead of binding the
+          # price to another store's record.
           def permitted_params
-            normalize_params(
-              params.permit(:variant_id, :currency, :amount, :compare_at_amount, :price_list_id)
-            )
+            permitted = params.permit(:variant_id, :currency, :amount, :compare_at_amount, :price_list_id)
+            permitted[:variant_id] = store_variants.find_by_prefix_id!(permitted[:variant_id]).id if permitted[:variant_id].present?
+            permitted[:price_list_id] = store_price_lists.find_by_prefix_id!(permitted[:price_list_id]).id if permitted[:price_list_id].present?
+            permitted
           end
           private
+          def store_variants
+            current_store.variants.accessible_by(current_ability, :update)
+          end
+          def store_price_lists
+            current_store.price_lists.accessible_by(current_ability, :update)
+          end
           def bulk_record_count_key
             :price_count
           end
@@ -132,24 +150,6 @@ module Spree
             Spree::PrefixedId.prefixed_id?(value) ? Spree::PrefixedId.decode_prefixed_id(value) : value
           end
-          # Rejects rows whose variant or price list belongs to another store.
-          # `Spree::Prices::BulkUpsert` writes rows keyed on the raw variant_id
-          # with no ownership check, so the store boundary is enforced here.
-          def foreign_rows(rows)
-            variant_ids = rows.map { |r| r[:variant_id] }.compact.uniq
-            price_list_ids = rows.map { |r| r[:price_list_id] }.compact.uniq
-            store_variant_ids = current_store.variants.where(id: variant_ids).pluck(:id).map(&:to_s).to_set
-            store_price_list_ids = Spree::PriceList.for_store(current_store).where(id: price_list_ids).pluck(:id).map(&:to_s).to_set
-            rows.each_with_index.filter_map do |row, idx|
-              variant_ok = store_variant_ids.include?(row[:variant_id].to_s)
-              price_list_ok = row[:price_list_id].blank? || store_price_list_ids.include?(row[:price_list_id].to_s)
-              { index: idx } unless variant_ok && price_list_ok
-            end
-          end
         end
       end
     end

data/app/controllers/spree/api/v3/admin/products/variants_controller.rb CHANGED Viewed

@@ -31,7 +31,7 @@ module Spree
             def permitted_params
               params.permit(
-                :sku, :barcode, :price, :compare_at_price,
+                :sku, :barcode,
                 :cost_price, :cost_currency,
                 :weight, :height, :width, :depth, :weight_unit, :dimensions_unit,
                 :track_inventory, :tax_category_id, :position,

data/app/controllers/spree/api/v3/admin/promotion_actions_controller.rb CHANGED Viewed

@@ -58,8 +58,8 @@ module Spree
           def set_parent
             return if %w[types calculators].include?(action_name)
-            @parent = Spree::Promotion.accessible_by(current_ability, :show)
-                                      .find_by_prefix_id!(params[:promotion_id])
+            @parent = current_store.promotions.accessible_by(current_ability, :update)
+                                   .find_by_prefix_id!(params[:promotion_id])
           end
           def parent_association

data/app/controllers/spree/api/v3/admin/promotion_rules_controller.rb CHANGED Viewed

@@ -36,8 +36,8 @@ module Spree
           def set_parent
             return if action_name == 'types'
-            @parent = Spree::Promotion.accessible_by(current_ability, :show)
-                                      .find_by_prefix_id!(params[:promotion_id])
+            @parent = current_store.promotions.accessible_by(current_ability, :update)
+                                   .find_by_prefix_id!(params[:promotion_id])
           end
           def parent_association

data/app/controllers/spree/api/v3/admin/stock_items_controller.rb CHANGED Viewed

@@ -28,6 +28,13 @@ module Spree
           def apply_collection_sort(collection)
             collection.order(Spree::StockItem.arel_table[:id].asc)
           end
+          # Stock items are auto-created against a (variant, stock_location)
+          # pair and never re-pointed, so update only touches the count and
+          # backorder flag — not the variant or location FKs.
+          def permitted_params
+            params.permit(:count_on_hand, :backorderable, metadata: {})
+          end
         end
       end
     end

data/app/controllers/spree/api/v3/admin/stock_locations_controller.rb CHANGED Viewed

@@ -15,6 +15,12 @@ module Spree
             Spree.api.admin_stock_location_serializer
           end
+          # Stock locations are shared across stores, so writes are store-wide
+          # administration: reads need `read_stock`, writes need `write_settings`.
+          def scoped_resource_name
+            read_actions.include?(action_name) ? :stock : :settings
+          end
           def scope
             super.order_default
           end

data/app/controllers/spree/api/v3/admin/stock_transfers_controller.rb CHANGED Viewed

@@ -11,9 +11,10 @@ module Spree
           def create
             authorize!(:create, model_class)
-            destination = Spree::StockLocation.find_by_prefix_id!(params[:destination_location_id])
+            stock_locations = Spree::StockLocation.accessible_by(current_ability, :show)
+            destination = stock_locations.find_by_prefix_id!(params[:destination_location_id])
             source = params[:source_location_id].present? ?
-              Spree::StockLocation.find_by_prefix_id!(params[:source_location_id]) : nil
+              stock_locations.find_by_prefix_id!(params[:source_location_id]) : nil
             variants_map = build_variants_map
             if variants_map.empty?
@@ -63,7 +64,7 @@ module Spree
               hash[decoded.to_i] = entry[:quantity].to_i if decoded
             end
-            Spree::Variant.where(id: quantities_by_id.keys).each_with_object({}) do |variant, acc|
+            current_store.variants.accessible_by(current_ability, :update).where(id: quantities_by_id.keys).each_with_object({}) do |variant, acc|
               quantity = quantities_by_id[variant.id]
               acc[variant] = quantity if quantity&.positive?
             end

data/app/controllers/spree/api/v3/admin/tags_controller.rb CHANGED Viewed

@@ -3,24 +3,32 @@ module Spree
     module V3
       module Admin
         class TagsController < BaseController
+          # The required scope depends on the requested `taggable_type`, so it's
+          # resolved per request rather than via a static `scoped_resource`.
+          # `authorize_taggable_scope!` enforces it for API-key principals.
           skip_scope_check!
+          before_action :authorize_taggable_scope!, only: :index
           MAX_RESULTS = 50
+          # Maps a taggable type to the read scope an API key must hold to
+          # enumerate its tag vocabulary. Types absent from this map require
+          # `read_all`.
+          def self.scope_for_taggable_type
+            {
+              'Spree::Product' => 'read_products',
+              'Spree::Order' => 'read_orders',
+              Spree.user_class.to_s => 'read_customers'
+            }
+          end
           def index
-            taggable_type = params[:taggable_type].to_s
-            unless allowed_taggable_types.include?(taggable_type)
-              render_error(
-                code: 'invalid_taggable_type',
-                message: "taggable_type must be one of #{allowed_taggable_types.join(', ')}",
-                status: :unprocessable_content
-              )
-              return
-            end
+            return unless valid_taggable_type?
             scope = ActsAsTaggableOn::Tag.
                     joins(:taggings).
-                    where(ActsAsTaggableOn.taggings_table => { taggable_type: taggable_type, context: 'tags' }).
+                    where(ActsAsTaggableOn.taggings_table => taggings_conditions).
                     distinct.
                     order(:name).
                     limit(MAX_RESULTS)
@@ -37,6 +45,48 @@ module Spree
           private
+          def taggable_type
+            params[:taggable_type].to_s
+          end
+          def valid_taggable_type?
+            return true if allowed_taggable_types.include?(taggable_type)
+            render_error(
+              code: 'invalid_taggable_type',
+              message: "taggable_type must be one of #{allowed_taggable_types.join(', ')}",
+              status: :unprocessable_content
+            )
+            false
+          end
+          # Tagging filter. `Spree::Order` carries a `tenant` (store_id) column
+          # via `acts_as_taggable_tenant`, so its tag vocabulary is bounded to
+          # the current store; other taggables fall back to the type filter.
+          def taggings_conditions
+            conditions = { taggable_type: taggable_type, context: 'tags' }
+            conditions[:tenant] = current_store.id.to_s if taggable_type == 'Spree::Order'
+            conditions
+          end
+          # Per-type scope check for API-key principals: a key listing product
+          # tags needs `read_products`, order tags `read_orders`, etc. JWT
+          # admins are gated by store membership + CanCanCan, not scopes.
+          def authorize_taggable_scope!
+            return unless current_api_key
+            return unless allowed_taggable_types.include?(taggable_type)
+            required = self.class.scope_for_taggable_type.fetch(taggable_type, 'read_all')
+            return if current_api_key.has_scope?(required)
+            render_error(
+              code: Spree::Api::V3::ErrorHandler::ERROR_CODES[:access_denied],
+              message: "API key lacks scope: #{required}",
+              status: :forbidden,
+              details: { required_scope: required }
+            )
+          end
           # Sourced from `Spree.taggable_types` (registered in
           # `Spree::Core::Engine`'s after_initialize block). Apps extend the
           # list in an initializer without overriding this controller:

data/config/routes.rb CHANGED Viewed

@@ -135,7 +135,10 @@ Spree::Core::Engine.add_routes do
             patch :resend
           end
         end
-        resources :api_keys, only: [:index, :show, :create, :destroy] do
+        resources :api_keys, only: [:index, :show, :create, :update, :destroy] do
+          collection do
+            get :current
+          end
           member do
             patch :revoke
           end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_api
 version: !ruby/object:Gem::Version
-  version: 5.5.0.rc2
+  version: 5.5.0.rc3
 platform: ruby
 authors:
 - Vendo Connect Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-06-15 00:00:00.000000000 Z
+date: 2026-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rswag-specs
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.5.0.rc2
+        version: 5.5.0.rc3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.5.0.rc2
+        version: 5.5.0.rc3
 description: Spree's API
 email:
 - hello@spreecommerce.org
@@ -353,9 +353,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.5.0.rc2
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.5.0.rc3
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.5.0.rc2
+  source_code_uri: https://github.com/spree/spree/tree/v5.5.0.rc3
 post_install_message:
 rdoc_options: []
 require_paths: