spree_api_v1 4.5.0

data/app/controllers/spree/api/v1/checkouts_controller.rb

@@ -0,0 +1,106 @@
+module Spree
+  module Api
+    module V1
+      class CheckoutsController < Spree::Api::V1::BaseController
+        before_action :load_order_with_lock, only: [:next, :advance, :update]
+
+        def next
+          authorize! :update, @order, order_token
+          @order.next!
+          respond_with(@order, default_template: 'spree/api/v1/orders/show', status: 200)
+        rescue StateMachines::InvalidTransition
+          respond_with(@order, default_template: 'spree/api/v1/orders/could_not_transition', status: 422)
+        end
+
+        def advance
+          authorize! :update, @order, order_token
+          while @order.next; end
+          respond_with(@order, default_template: 'spree/api/v1/orders/show', status: 200)
+        end
+
+        def update
+          authorize! :update, @order, order_token
+
+          if @order.update_from_params(params, permitted_checkout_attributes, request.headers.env)
+            if current_api_user.has_spree_role?('admin') && user_id.present?
+              @order.associate_user!(Spree.user_class.find(user_id))
+            end
+
+            log_state_changes if params[:state]
+
+            return if after_update_attributes
+
+            if @order.completed? || @order.next
+              state_callback(:after)
+              respond_with(@order, default_template: 'spree/api/v1/orders/show')
+            else
+              respond_with(@order, default_template: 'spree/api/v1/orders/could_not_transition', status: 422)
+            end
+          else
+            invalid_resource!(@order)
+          end
+        end
+
+        private
+
+        def user_id
+          params[:order][:user_id] if params[:order]
+        end
+
+        # Should be overridden if you have areas of your checkout that don't match
+        # up to a step within checkout_steps, such as a registration step
+        def skip_state_validation?
+          false
+        end
+
+        def load_order(lock = false)
+          @order = Spree::Order.lock(lock).find_by!(number: params[:id])
+          raise_insufficient_quantity and return if @order.insufficient_stock_lines.present?
+          @order.state = params[:state] if params[:state]
+          state_callback(:before)
+        end
+
+        def load_order_with_lock
+          load_order(true)
+        end
+
+        def raise_insufficient_quantity
+          respond_with(@order, default_template: 'spree/api/v1/orders/insufficient_quantity', status: 422)
+        end
+
+        def state_callback(before_or_after = :before)
+          method_name = :"#{before_or_after}_#{@order.state}"
+          send(method_name) if respond_to?(method_name, true)
+        end
+
+        def after_update_attributes
+          if params[:order] && params[:order][:coupon_code].present?
+            handler = PromotionHandler::Coupon.new(@order)
+            handler.apply
+
+            if handler.error.present?
+              @coupon_message = handler.error
+              respond_with(@order, default_template: 'spree/api/v1/orders/could_not_apply_coupon', status: 422)
+              return true
+            end
+          end
+          false
+        end
+
+        def log_state_changes
+          if @order.previous_changes[:state]
+            @order.log_state_changes(
+              state_name: 'order',
+              old_state: @order.previous_changes[:state].first,
+              new_state: @order.previous_changes[:state].last
+            )
+          end
+        end
+
+        def order_id
+          super || params[:id]
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/classifications_controller.rb

@@ -0,0 +1,21 @@
+module Spree
+  module Api
+    module V1
+      class ClassificationsController < Spree::Api::V1::BaseController
+        def update
+          authorize! :update, Product
+          authorize! :update, Taxon
+          classification = Spree::Classification.find_by(
+            product_id: params[:product_id],
+            taxon_id: params[:taxon_id]
+          )
+          Spree::Dependencies.classification_reposition_service.constantize.call(
+            classification: classification,
+            position: params[:position]
+          )
+          head :ok
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/countries_controller.rb

@@ -0,0 +1,22 @@
+module Spree
+  module Api
+    module V1
+      class CountriesController < Spree::Api::V1::BaseController
+        skip_before_action :authenticate_user
+
+        def index
+          @countries = Country.accessible_by(current_ability).ransack(params[:q]).result.
+                       order('name ASC').
+                       page(params[:page]).per(params[:per_page])
+          country = Country.order('updated_at ASC').last
+          respond_with(@countries) if stale?(country)
+        end
+
+        def show
+          @country = Country.accessible_by(current_ability, :show).find(params[:id])
+          respond_with(@country)
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/credit_cards_controller.rb

@@ -0,0 +1,26 @@
+module Spree
+  module Api
+    module V1
+      class CreditCardsController < Spree::Api::V1::BaseController
+        before_action :user
+
+        def index
+          @credit_cards = user.
+                          credit_cards.
+                          accessible_by(current_ability).
+                          with_payment_profile.
+                          ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+          respond_with(@credit_cards)
+        end
+
+        private
+
+        def user
+          if params[:user_id].present?
+            @user ||= Spree.user_class.accessible_by(current_ability, :show).find(params[:user_id])
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/customer_returns_controller.rb

@@ -0,0 +1,25 @@
+module Spree
+  module Api
+    module V1
+      class CustomerReturnsController < Spree::Api::V1::BaseController
+        def index
+          collection(Spree::CustomerReturn)
+          respond_with(@collection)
+        end
+
+        private
+
+        def collection(resource)
+          return @collection if @collection.present?
+
+          params[:q] ||= {}
+
+          @collection = resource.all
+          # @search needs to be defined as this is passed to search_form_for
+          @search = @collection.ransack(params[:q])
+          @collection = @search.result.order(created_at: :desc).page(params[:page]).per(params[:per_page])
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/images_controller.rb

@@ -0,0 +1,58 @@
+module Spree
+  module Api
+    module V1
+      class ImagesController < Spree::Api::V1::BaseController
+        def index
+          @images = scope.images.accessible_by(current_ability)
+          respond_with(@images)
+        end
+
+        def show
+          @image = Image.accessible_by(current_ability, :show).find(params[:id])
+          respond_with(@image)
+        end
+
+        def new; end
+
+        def create
+          authorize! :create, Image
+          @image = scope.images.new(image_params)
+          if @image.save
+            respond_with(@image, status: 201, default_template: :show)
+          else
+            invalid_resource!(@image)
+          end
+        end
+
+        def update
+          @image = scope.images.accessible_by(current_ability, :update).find(params[:id])
+          if @image.update(image_params)
+            respond_with(@image, default_template: :show)
+          else
+            invalid_resource!(@image)
+          end
+        end
+
+        def destroy
+          @image = scope.images.accessible_by(current_ability, :destroy).find(params[:id])
+          @image.destroy
+          respond_with(@image, status: 204)
+        end
+
+        private
+
+        def image_params
+          params.require(:image).permit(permitted_image_attributes)
+        end
+
+        def scope
+          if params[:product_id]
+            Spree::Product.friendly.find(params[:product_id])
+          elsif params[:variant_id]
+            Spree::Variant.find(params[:variant_id])
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/inventory_units_controller.rb

@@ -0,0 +1,54 @@
+module Spree
+  module Api
+    module V1
+      class InventoryUnitsController < Spree::Api::V1::BaseController
+        before_action :prepare_event, only: :update
+
+        def show
+          @inventory_unit = inventory_unit
+          respond_with(@inventory_unit)
+        end
+
+        def update
+          authorize! :update, inventory_unit.order
+
+          inventory_unit.transaction do
+            if inventory_unit.update(inventory_unit_params)
+              fire
+              render :show, status: 200
+            else
+              invalid_resource!(inventory_unit)
+            end
+          end
+        end
+
+        private
+
+        def inventory_unit
+          @inventory_unit ||= InventoryUnit.accessible_by(current_ability, :show).find(params[:id])
+        end
+
+        def prepare_event
+          return unless @event = params[:fire]
+
+          can_event = "can_#{@event}?"
+
+          unless inventory_unit.respond_to?(can_event) &&
+              inventory_unit.send(can_event)
+            render plain: { exception: "cannot transition to #{@event}" }.to_json,
+                   status: 200
+            false
+          end
+        end
+
+        def fire
+          inventory_unit.send("#{@event}!") if @event
+        end
+
+        def inventory_unit_params
+          params.require(:inventory_unit).permit(permitted_inventory_unit_attributes)
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/line_items_controller.rb

@@ -0,0 +1,70 @@
+module Spree
+  module Api
+    module V1
+      class LineItemsController < Spree::Api::V1::BaseController
+        class_attribute :line_item_options
+
+        self.line_item_options = []
+
+        def new; end
+
+        def create
+          variant = Spree::Variant.find(params[:line_item][:variant_id])
+
+          @line_item = Spree::Dependencies.cart_add_item_service.constantize.call(order: order,
+                                                                                  variant: variant,
+                                                                                  quantity: params[:line_item][:quantity],
+                                                                                  options: line_item_params[:options]).value
+          if @line_item.errors.empty?
+            respond_with(@line_item, status: 201, default_template: :show)
+          else
+            invalid_resource!(@line_item)
+          end
+        end
+
+        def update
+          @line_item = find_line_item
+
+          if Spree::Dependencies.cart_update_service.constantize.call(order: @order, params: line_items_attributes).success?
+            @line_item.reload
+            respond_with(@line_item, default_template: :show)
+          else
+            invalid_resource!(@line_item)
+          end
+        end
+
+        def destroy
+          @line_item = find_line_item
+          Spree::Dependencies.cart_remove_line_item_service.constantize.call(order: @order, line_item: @line_item)
+
+          respond_with(@line_item, status: 204)
+        end
+
+        private
+
+        def order
+          @order ||= Spree::Order.includes(:line_items).find_by!(number: order_id)
+          authorize! :update, @order, order_token
+        end
+
+        def find_line_item
+          id = params[:id].to_i
+          order.line_items.detect { |line_item| line_item.id == id } or
+            raise ActiveRecord::RecordNotFound
+        end
+
+        def line_items_attributes
+          { line_items_attributes: {
+            id: params[:id],
+            quantity: params[:line_item][:quantity],
+            options: line_item_params[:options] || {}
+          } }
+        end
+
+        def line_item_params
+          params.require(:line_item).permit(:quantity, :variant_id, options: line_item_options)
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/option_types_controller.rb

@@ -0,0 +1,60 @@
+module Spree
+  module Api
+    module V1
+      class OptionTypesController < Spree::Api::V1::BaseController
+        def index
+          @option_types =  if params[:ids]
+                             Spree::OptionType.
+                               includes(:option_values).
+                               accessible_by(current_ability).
+                               where(id: params[:ids].split(','))
+                           else
+                             Spree::OptionType.
+                               includes(:option_values).
+                               accessible_by(current_ability).
+                               load.ransack(params[:q]).result
+                           end
+          respond_with(@option_types)
+        end
+
+        def show
+          @option_type = Spree::OptionType.accessible_by(current_ability, :show).find(params[:id])
+          respond_with(@option_type)
+        end
+
+        def new; end
+
+        def create
+          authorize! :create, Spree::OptionType
+          @option_type = Spree::OptionType.new(option_type_params)
+          if @option_type.save
+            render :show, status: 201
+          else
+            invalid_resource!(@option_type)
+          end
+        end
+
+        def update
+          @option_type = Spree::OptionType.accessible_by(current_ability, :update).find(params[:id])
+          if @option_type.update(option_type_params)
+            render :show
+          else
+            invalid_resource!(@option_type)
+          end
+        end
+
+        def destroy
+          @option_type = Spree::OptionType.accessible_by(current_ability, :destroy).find(params[:id])
+          @option_type.destroy
+          render plain: nil, status: 204
+        end
+
+        private
+
+        def option_type_params
+          params.require(:option_type).permit(permitted_option_type_attributes)
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/option_values_controller.rb

@@ -0,0 +1,62 @@
+module Spree
+  module Api
+    module V1
+      class OptionValuesController < Spree::Api::V1::BaseController
+        def index
+          @option_values = if params[:ids]
+                             scope.where(id: params[:ids])
+                           else
+                             scope.ransack(params[:q]).result.distinct
+                           end
+          respond_with(@option_values)
+        end
+
+        def show
+          @option_value = scope.find(params[:id])
+          respond_with(@option_value)
+        end
+
+        def new; end
+
+        def create
+          authorize! :create, Spree::OptionValue
+          @option_value = scope.new(option_value_params)
+          if @option_value.save
+            render :show, status: 201
+          else
+            invalid_resource!(@option_value)
+          end
+        end
+
+        def update
+          @option_value = scope.accessible_by(current_ability, :update).find(params[:id])
+          if @option_value.update(option_value_params)
+            render :show
+          else
+            invalid_resource!(@option_value)
+          end
+        end
+
+        def destroy
+          @option_value = scope.accessible_by(current_ability, :destroy).find(params[:id])
+          @option_value.destroy
+          render plain: nil, status: 204
+        end
+
+        private
+
+        def scope
+          @scope ||= if params[:option_type_id]
+                       Spree::OptionType.find(params[:option_type_id]).option_values.accessible_by(current_ability, :show)
+                     else
+                       Spree::OptionValue.accessible_by(current_ability, :show).load
+                     end
+        end
+
+        def option_value_params
+          params.require(:option_value).permit(permitted_option_value_attributes)
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/api/v1/orders_controller.rb

@@ -0,0 +1,160 @@
+module Spree
+  module Api
+    module V1
+      class OrdersController < Spree::Api::V1::BaseController
+        skip_before_action :authenticate_user, only: :apply_coupon_code
+
+        before_action :find_order, except: [:create, :mine, :current, :index, :update, :remove_coupon_code]
+
+        # Dynamically defines our stores checkout steps to ensure we check authorization on each step.
+        Order.checkout_steps.keys.each do |step|
+          define_method step do
+            find_order
+            authorize! :update, @order, params[:token]
+          end
+        end
+
+        def cancel
+          authorize! :update, @order, params[:token]
+          @order.canceled_by(current_api_user)
+          respond_with(@order, default_template: :show)
+        end
+
+        def approve
+          authorize! :approve, @order, params[:token]
+          @order.approved_by(current_api_user)
+          respond_with(@order, default_template: :show)
+        end
+
+        def create
+          authorize! :create, Spree::Order
+          if can?(:admin, Spree::Order)
+            order_user = if @current_user_roles.include?('admin') && order_params[:user_id]
+                           Spree.user_class.find(order_params[:user_id])
+                         else
+                           current_api_user
+                         end
+
+            import_params = if @current_user_roles.include?('admin')
+                              params[:order].present? ? params[:order].permit! : {}
+                            else
+                              order_params
+                            end
+
+            @order = Spree::Core::Importer::Order.import(order_user, import_params)
+
+            respond_with(@order, default_template: :show, status: 201)
+          else
+            @order = Spree::Order.create!(user: current_api_user, store: current_store)
+            if Cart::Update.call(order: @order, params: order_params).success?
+              respond_with(@order, default_template: :show, status: 201)
+            else
+              invalid_resource!(@order)
+            end
+          end
+        end
+
+        def empty
+          authorize! :update, @order, order_token
+          cart_empty_service.call(order: @order)
+          render plain: nil, status: 204
+        end
+
+        def index
+          authorize! :index, Order
+          @orders = Order.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+          respond_with(@orders)
+        end
+
+        def show
+          authorize! :show, @order, order_token
+          respond_with(@order)
+        end
+
+        def update
+          find_order(true)
+          authorize! :update, @order, order_token
+
+          if Cart::Update.call(order: @order, params: order_params).success?
+            user_id = params[:order][:user_id]
+            if current_api_user.has_spree_role?('admin') && user_id
+              @order.associate_user!(Spree.user_class.find(user_id))
+            end
+            respond_with(@order, default_template: :show)
+          else
+            invalid_resource!(@order)
+          end
+        end
+
+        def current
+          @order = find_current_order
+          if @order
+            respond_with(@order, default_template: :show, locals: { root_object: @order })
+          else
+            head :no_content
+          end
+        end
+
+        def mine
+          if current_api_user.persisted?
+            @orders = current_api_user.orders.reverse_chronological.ransack(params[:q]).result.page(params[:page]).per(params[:per_page])
+          else
+            render 'spree/api/errors/unauthorized', status: :unauthorized
+          end
+        end
+
+        def apply_coupon_code
+          find_order
+          authorize! :update, @order, order_token
+          @order.coupon_code = params[:coupon_code]
+          @handler = PromotionHandler::Coupon.new(@order).apply
+          status = @handler.successful? ? 200 : 422
+          render 'spree/api/v1/promotions/handler', status: status
+        end
+
+        def remove_coupon_code
+          find_order(true)
+          authorize! :update, @order, order_token
+          @handler = Spree::PromotionHandler::Coupon.new(@order).remove(params[:coupon_code])
+          status = @handler.successful? ? 200 : 404
+          render 'spree/api/v1/promotions/handler', status: status
+        end
+
+        private
+
+        def order_params
+          if params[:order]
+            normalize_params
+            params.require(:order).permit(permitted_order_attributes)
+          else
+            {}
+          end
+        end
+
+        def normalize_params
+          params[:order][:payments_attributes] = params[:order].delete(:payments) if params[:order][:payments]
+          params[:order][:shipments_attributes] = params[:order].delete(:shipments) if params[:order][:shipments]
+          params[:order][:line_items_attributes] = params[:order].delete(:line_items) if params[:order][:line_items]
+          params[:order][:ship_address_attributes] = params[:order].delete(:ship_address) if params[:order][:ship_address]
+          params[:order][:bill_address_attributes] = params[:order].delete(:bill_address) if params[:order][:bill_address]
+        end
+
+        def find_order(lock = false)
+          @order = Spree::Order.lock(lock).find_by!(number: params[:id])
+        end
+
+        def find_current_order
+          current_api_user ? current_api_user.orders.incomplete.order(:created_at).last : nil
+        end
+
+        def order_id
+          super || params[:id]
+        end
+
+        def cart_empty_service
+          Spree::Dependencies.cart_empty_service.constantize
+        end
+      end
+    end
+  end
+end