spree_core 5.3.6 → 5.4.0.beta

data/app/models/spree/order.rb

@@ -8,6 +8,8 @@ require_dependency 'spree/order/gift_card'
 
 module Spree
   class Order < Spree.base_class
+    has_prefix_id :or  # Stripe: or_
+
     PAYMENT_STATES = %w(balance_due credit_owed failed paid void)
     SHIPMENT_STATES = %w(backorder canceled partial pending ready shipped)
     LINE_ITEM_REMOVABLE_STATES = %w(cart address delivery payment confirm resumed)
@@ -26,7 +28,6 @@ module Spree
     include Spree::Order::GiftCard
 
     include Spree::NumberIdentifier
-    include Spree::NumberAsParam
     include Spree::SingleStoreResource
 
     publishes_lifecycle_events
@@ -98,7 +99,7 @@ module Spree
     acts_as_taggable_on :tags
     acts_as_taggable_tenant :store_id
 
-    ASSOCIATED_USER_ATTRIBUTES = [:user_id, :email, :created_by_id, :bill_address_id, :ship_address_id]
+    ASSOCIATED_USER_ATTRIBUTES = [:user_id, :email, :bill_address_id, :ship_address_id]
 
     belongs_to :user, class_name: "::#{Spree.user_class}", optional: true, autosave: true
     belongs_to :created_by, class_name: "::#{Spree.admin_user_class}", optional: true
@@ -121,6 +122,7 @@ module Spree
       has_many :state_changes, as: :stateful, class_name: 'Spree::StateChange'
       has_many :line_items, -> { order(:created_at) }, inverse_of: :order, class_name: 'Spree::LineItem'
       has_many :payments, class_name: 'Spree::Payment'
+      has_many :payment_sessions, inverse_of: :order, class_name: 'Spree::PaymentSession'
       has_many :return_authorizations, inverse_of: :order, class_name: 'Spree::ReturnAuthorization'
       has_many :adjustments, -> { order(:created_at) }, as: :adjustable, class_name: 'Spree::Adjustment'
     end
@@ -183,6 +185,7 @@ module Spree
     validates :shipment_total,       MONEY_VALIDATION
     validates :promo_total,          NEGATIVE_MONEY_VALIDATION
     validates :total,                MONEY_VALIDATION
+    validate :currency_must_be_supported_by_store
 
     delegate :update_totals, :persist_totals, to: :updater
     delegate :merge!, to: :merger
@@ -235,6 +238,36 @@ module Spree
       left_joins(:bill_address).where(arel_table[:email].lower.eq(query.downcase)).or(where(conditions.reduce(:or)))
     end
 
+    # Find an order by prefixed ID first, falling back to number, then integer id for backwards compatibility
+    # @param param [String] the prefixed ID, number, or integer id to search for
+    # @return [Spree::Order, nil] the found order or nil
+    def self.find_by_param(param)
+      return nil if param.blank?
+
+      # Try prefixed ID first (new format)
+      if param.to_s.include?('_')
+        decoded = decode_prefixed_id(param)
+        order = find_by(id: decoded) if decoded
+        return order if order
+      end
+
+      # Try number (legacy format)
+      order = find_by(number: param)
+      return order if order
+
+      # Fall back to id (numeric legacy format) - only if param looks like an integer
+      find_by(id: param) if param.to_s.match?(/\A\d+\z/)
+    end
+
+    # Find an order by prefixed ID first, falling back to number, then integer id for backwards compatibility
+    # Raises ActiveRecord::RecordNotFound if not found
+    # @param param [String] the prefixed ID, number, or integer id to search for
+    # @return [Spree::Order] the found order
+    # @raise [ActiveRecord::RecordNotFound] if order not found
+    def self.find_by_param!(param)
+      find_by_param(param) || raise(ActiveRecord::RecordNotFound.new("Couldn't find Order with param=#{param}"))
+    end
+
     # Use this method in other gems that wish to register their own custom logic
     # that should be called after Order#update
     def self.register_update_hook(hook)
@@ -275,9 +308,9 @@ module Spree
     # @return [Boolean]
     def order_refunded?
       return false if item_count.zero?
-      return false if refunds_total.zero?
 
-      payment_state.in?(%w[void failed]) || refunds_total == total_minus_store_credits - additional_tax_total.abs
+      (payment_state.in?(%w[void failed]) && refunds_total.positive?) ||
+        refunds_total == total_minus_store_credits - additional_tax_total.abs
     end
 
     def refunds_total
@@ -389,25 +422,13 @@ module Spree
     end
 
     # Associates the specified user with the order.
+    # Delegates to {Spree::Cart::Associate} service.
+    #
+    # @param user [Spree.user_class] the user to associate with the order
+    # @param override_email [Boolean] whether to override the order email with the user's email
+    # @return [Spree::ServiceModule::Result]
     def associate_user!(user, override_email = true)
-      self.user           = user
-      self.email          = user.email if override_email
-      # we need to check if user is of admin user class to avoid mismatch type error
-      # in a scenario where we have separate classes for admin and regular users
-      self.created_by   ||= user if user.is_a?(Spree.admin_user_class)
-      self.bill_address ||= user.bill_address
-      self.ship_address ||= user.ship_address
-
-      changes = slice(*ASSOCIATED_USER_ATTRIBUTES)
-
-      # immediately persist the changes we just made, but don't use save
-      # since we might have an invalid address associated
-      ActiveRecord::Base.connected_to(role: :writing) do
-        self.class.unscoped.where(id: self).update_all(changes)
-      end
-
-      # Manually publish update event since update_all bypasses callbacks
-      publish_event('order.updated') if changes.present?
+      Spree.cart_associate_service.call(guest_order: self, user: user, override_email: override_email)
     end
 
     def disassociate_user!
@@ -555,6 +576,10 @@ module Spree
       payments.valid.completed.size == payments.valid.size && payments.valid.sum(:amount) >= total
     end
 
+    def payment_methods
+      @payment_methods ||= store.payment_methods.active.available_on_front_end.select { |pm| pm.available_for_order?(self) }
+    end
+
     def available_payment_methods(store = nil)
       Spree::Deprecation.warn('`Order#available_payment_methods` is deprecated and will be removed in Spree 5.5. Use `collect_frontend_payment_methods` instead.')
 
@@ -752,30 +777,23 @@ module Spree
       !payments.risky.empty?
     end
 
+    # Cancels the order and records the canceler.
+    # Delegates to {Spree::Orders::Cancel} service.
+    #
+    # @param user [Spree.user_class, nil] the user who canceled the order
+    # @param canceled_at [Time, nil] the time of cancellation (defaults to current time)
+    # @return [Spree::ServiceModule::Result]
     def canceled_by(user, canceled_at = nil)
-      canceled_at ||= Time.current
-      changes = { canceler_id: user.id, canceled_at: canceled_at }
-
-      transaction do
-        update_columns(changes)
-        cancel!
-      end
-
-      # Manually publish update event since update_columns bypasses callbacks
-      publish_event('order.canceled')
+      Spree.order_cancel_service.call(order: self, canceler: user, canceled_at: canceled_at)
     end
 
-    def approved_by(user)
-      approved_at = Time.current
-      changes = { approver_id: user.id, approved_at: approved_at }
-
-      transaction do
-        approve!
-        update_columns(changes)
-      end
-
-      # Manually publish update event since update_columns bypasses callbacks
-      publish_event('order.approved')
+    # Approves the order and records the approver.
+    # Delegates to {Spree::Orders::Approve} service.
+    #
+    # @param user [Spree.user_class, nil] the user who approved the order
+    # @return [Spree::ServiceModule::Result]
+    def approved_by(user = nil)
+      Spree.order_approve_service.call(order: self, approver: user)
     end
 
     def approved?
@@ -806,11 +824,12 @@ module Spree
       publish_event('order.updated')
     end
 
+    # Approves the order without recording an approver.
+    # Delegates to {Spree::Orders::Approve} service.
+    #
+    # @return [Spree::ServiceModule::Result]
     def approve!
-      update_column(:considered_risky, false)
-
-      # Manually publish update event since update_column bypasses callbacks
-      publish_event('order.approved')
+      Spree.order_approve_service.call(order: self)
     end
 
     def tax_total
@@ -978,6 +997,15 @@ module Spree
       self.currency ||= store&.default_currency
     end
 
+    def currency_must_be_supported_by_store
+      return if currency.blank? || store.blank?
+
+      supported_codes = store.supported_currencies_list.map(&:iso_code)
+      unless supported_codes.include?(currency)
+        errors.add(:currency, Spree.t(:currency_not_supported_by_store))
+      end
+    end
+
     def collect_payment_methods
       Spree::Deprecation.warn('`Order#collect_payment_methods` is deprecated and will be removed in Spree 5.5. Use `collect_frontend_payment_methods` instead.')
 

data/app/models/spree/payment.rb

@@ -2,9 +2,10 @@ require_dependency 'spree/payment/processing'
 
 module Spree
   class Payment < Spree.base_class
+    has_prefix_id :py  # Stripe: py_
+
     include Spree::Core::NumberGenerator.new(prefix: 'P', letters: true, length: 7)
     include Spree::NumberIdentifier
-    include Spree::NumberAsParam
     include Spree::Metafields
     include Spree::Metadata
     if defined?(Spree::Security::Payments)
@@ -35,6 +36,10 @@ module Spree
     has_many :capture_events, class_name: 'Spree::PaymentCaptureEvent'
     has_many :refunds, inverse_of: :payment
 
+    has_one :payment_session, class_name: 'Spree::PaymentSession',
+            foreign_key: :external_id,
+            primary_key: :response_code
+
     validates :payment_method, presence: true
     validates :source, presence: true, if: :source_required?
     validate :payment_method_available_for_order, on: :create

data/app/models/spree/payment_capture_event.rb

@@ -1,5 +1,7 @@
 module Spree
   class PaymentCaptureEvent < Spree.base_class
+    has_prefix_id :pce
+
     belongs_to :payment, class_name: 'Spree::Payment'
 
     def display_amount

data/app/models/spree/payment_method.rb

@@ -1,9 +1,11 @@
 module Spree
   class PaymentMethod < Spree.base_class
+    has_prefix_id :pm  # Stripe: pm_
+
     acts_as_paranoid
     acts_as_list
 
-    include Spree::MultiStoreResource
+    include Spree::StoreScopedResource
     include Spree::Metafields
     include Spree::Metadata
     include Spree::DisplayOn
@@ -26,6 +28,8 @@ module Spree
     has_many :payments, class_name: 'Spree::Payment', inverse_of: :payment_method, dependent: :nullify
     has_many :credit_cards, class_name: 'Spree::CreditCard', dependent: :destroy # CCs are soft deleted
 
+    has_many :payment_sessions, class_name: 'Spree::PaymentSession', dependent: :destroy
+    has_many :payment_setup_sessions, class_name: 'Spree::PaymentSetupSession', dependent: :destroy
     has_many :gateway_customers, class_name: 'Spree::GatewayCustomer', dependent: :destroy
 
     def self.providers
@@ -45,6 +49,56 @@ module Spree
       raise ::NotImplementedError, 'You must implement payment_source_class method for this gateway.'
     end
 
+    # The class used for payment sessions with this payment method.
+    # Override in gateway subclasses to provide a provider-specific session class
+    # that inherits from Spree::PaymentSession (STI).
+    # nil means the payment method doesn't support payment sessions.
+    def payment_session_class
+      nil
+    end
+
+    # Creates a payment session via the provider.
+    # Override in gateway subclasses to implement provider-specific session creation.
+    def create_payment_session(order:, amount: nil, external_data: {})
+      raise ::NotImplementedError, 'You must implement create_payment_session method for this gateway.'
+    end
+
+    # Updates an existing payment session via the provider.
+    # Override in gateway subclasses to implement provider-specific session updates.
+    def update_payment_session(payment_session:, amount: nil, external_data: {})
+      raise ::NotImplementedError, 'You must implement update_payment_session method for this gateway.'
+    end
+
+    # Completes a payment session via the provider.
+    # Override in gateway subclasses to implement provider-specific session completion.
+    def complete_payment_session(payment_session:, params: {})
+      raise ::NotImplementedError, 'You must implement complete_payment_session method for this gateway.'
+    end
+
+    # Whether this payment method supports setup sessions (saving payment methods for future use).
+    # Override in gateway subclasses that support tokenization without a payment.
+    def setup_session_supported?
+      false
+    end
+
+    # The class used for payment setup sessions with this payment method.
+    # Override in gateway subclasses to provide a provider-specific session class.
+    def payment_setup_session_class
+      nil
+    end
+
+    # Creates a payment setup session via the provider for saving a payment method.
+    # Override in gateway subclasses to implement provider-specific setup session creation.
+    def create_payment_setup_session(customer:, external_data: {})
+      raise ::NotImplementedError, "#{self.class.name} does not implement #create_payment_setup_session"
+    end
+
+    # Completes a payment setup session via the provider.
+    # Override in gateway subclasses to implement provider-specific setup session completion.
+    def complete_payment_setup_session(setup_session:, params: {})
+      raise ::NotImplementedError, "#{self.class.name} does not implement #complete_payment_setup_session"
+    end
+
     def method_type
       type.demodulize.downcase
     end
@@ -73,6 +127,10 @@ module Spree
       true
     end
 
+    def session_required?
+      false
+    end
+
     def show_in_admin?
       true
     end

data/app/models/spree/payment_session.rb

@@ -0,0 +1,109 @@
+module Spree
+  class PaymentSession < Spree.base_class
+    has_prefix_id :ps
+
+    acts_as_paranoid
+
+    include Spree::Metafields
+
+    self.event_prefix = 'payment_session'
+
+    publishes_lifecycle_events
+
+    belongs_to :order, class_name: 'Spree::Order'
+    belongs_to :payment_method, class_name: 'Spree::PaymentMethod'
+    belongs_to :customer, class_name: Spree.user_class.to_s, optional: true
+
+    has_one :payment, class_name: 'Spree::Payment',
+            foreign_key: :response_code,
+            primary_key: :external_id
+
+    validates :order, :payment_method, :external_id, :status, :currency, presence: true
+    validates :external_id, uniqueness: { scope: [:order_id, :payment_method_id] }
+    validates :amount, presence: true, numericality: { greater_than: 0 }
+
+    state_machine :status, initial: :pending do
+      state :pending
+      state :processing
+      state :completed
+      state :failed
+      state :canceled
+      state :expired
+
+      event :process do
+        transition pending: :processing
+      end
+
+      event :complete do
+        transition [:pending, :processing] => :completed
+      end
+
+      event :fail do
+        transition [:pending, :processing] => :failed
+      end
+
+      event :cancel do
+        transition [:pending, :processing] => :canceled
+      end
+
+      event :expire do
+        transition [:pending, :processing] => :expired
+      end
+
+      after_transition to: :processing, do: :publish_processing_event
+      after_transition to: :completed, do: :publish_completed_event
+      after_transition to: :failed, do: :publish_failed_event
+      after_transition to: :canceled, do: :publish_canceled_event
+      after_transition to: :expired, do: :publish_expired_event
+    end
+
+    scope :not_expired, -> { where('expires_at IS NULL OR expires_at > ?', Time.current) }
+    scope :active, -> { not_expired.where(status: %w[pending processing]) }
+
+    before_validation :set_defaults_from_order, on: :create
+
+    delegate :store, to: :order
+
+    def amount_in_cents
+      money.cents
+    end
+
+    def money
+      @money ||= Spree::Money.new(amount, currency: currency)
+    end
+
+    def expired?
+      expires_at.present? && expires_at <= Time.current
+    end
+
+    private
+
+    def publish_processing_event
+      publish_event('payment_session.processing')
+    end
+
+    def publish_completed_event
+      publish_event('payment_session.completed')
+    end
+
+    def publish_failed_event
+      publish_event('payment_session.failed')
+    end
+
+    def publish_canceled_event
+      publish_event('payment_session.canceled')
+    end
+
+    def publish_expired_event
+      publish_event('payment_session.expired')
+    end
+
+    def set_defaults_from_order
+      return unless order
+
+      self.amount ||= order.total_minus_store_credits if amount.blank? || amount.zero?
+      self.currency ||= order.currency
+      self.customer ||= order.user
+    end
+  end
+end

data/app/models/spree/payment_sessions/bogus.rb

@@ -0,0 +1,4 @@
+module Spree
+  class PaymentSessions::Bogus < PaymentSession
+  end
+end

data/app/models/spree/payment_setup_session.rb

@@ -0,0 +1,79 @@
+module Spree
+  class PaymentSetupSession < Spree.base_class
+    has_prefix_id :pss
+
+    acts_as_paranoid
+
+    include Spree::Metafields
+
+    self.event_prefix = 'payment_setup_session'
+
+    publishes_lifecycle_events
+
+    belongs_to :customer, class_name: Spree.user_class.to_s, optional: true
+    belongs_to :payment_method, class_name: 'Spree::PaymentMethod'
+    belongs_to :payment_source, polymorphic: true, optional: true
+
+    validates :payment_method, :status, presence: true
+    validates :external_id, uniqueness: { scope: :payment_method_id }, allow_nil: true
+
+    state_machine :status, initial: :pending do
+      state :pending
+      state :processing
+      state :completed
+      state :failed
+      state :canceled
+      state :expired
+
+      event :process do
+        transition pending: :processing
+      end
+
+      event :complete do
+        transition [:pending, :processing] => :completed
+      end
+
+      event :fail do
+        transition [:pending, :processing] => :failed
+      end
+
+      event :cancel do
+        transition [:pending, :processing] => :canceled
+      end
+
+      event :expire do
+        transition [:pending, :processing] => :expired
+      end
+
+      after_transition to: :processing, do: :publish_processing_event
+      after_transition to: :completed, do: :publish_completed_event
+      after_transition to: :failed, do: :publish_failed_event
+      after_transition to: :canceled, do: :publish_canceled_event
+      after_transition to: :expired, do: :publish_expired_event
+    end
+
+    scope :active, -> { where(status: %w[pending processing]) }
+
+    private
+
+    def publish_processing_event
+      publish_event('payment_setup_session.processing')
+    end
+
+    def publish_completed_event
+      publish_event('payment_setup_session.completed')
+    end
+
+    def publish_failed_event
+      publish_event('payment_setup_session.failed')
+    end
+
+    def publish_canceled_event
+      publish_event('payment_setup_session.canceled')
+    end
+
+    def publish_expired_event
+      publish_event('payment_setup_session.expired')
+    end
+  end
+end

data/app/models/spree/payment_source.rb

@@ -1,6 +1,8 @@
 # This model is used to store payment sources for non-credit card payments, eg wallet, account, etc.
 module Spree
   class PaymentSource < Spree.base_class
+    has_prefix_id :ps
+
     include Spree::Metafields
     include Spree::Metadata
     include Spree::PaymentSourceConcern

data/app/models/spree/permission_sets/default_customer.rb

@@ -39,6 +39,17 @@ module Spree
           !order.completed? && (order.user == user || order.token && token == order.token)
         end
 
+        # Line item management
+        can :create, Spree::LineItem do |line_item, token|
+          line_item.order.user == user || line_item.order.token && token == line_item.order.token
+        end
+        can :update, Spree::LineItem do |line_item, token|
+          !line_item.order.completed? && (line_item.order.user == user || line_item.order.token && token == line_item.order.token)
+        end
+        can :destroy, Spree::LineItem do |line_item, token|
+          !line_item.order.completed? && (line_item.order.user == user || line_item.order.token && token == line_item.order.token)
+        end
+
         # User account management - available to all users (including guests for their own record)
         can :create, Spree.user_class
         can [:show, :update, :destroy], Spree.user_class, id: user.id
@@ -49,6 +60,9 @@ module Spree
         # Credit card management
         can [:read, :destroy], Spree::CreditCard, user_id: user.id
 
+        # Gift card management - users can view their own gift cards
+        can :read, Spree::GiftCard, user_id: user.id
+
         # Wishlist management
         can :manage, Spree::Wishlist, user_id: user.id
         can :show, Spree::Wishlist do |wishlist|
@@ -60,6 +74,11 @@ module Spree
 
         # Invitation acceptance
         can :accept, Spree::Invitation, invitee_id: [user.id, nil], invitee_type: user.class.name, status: 'pending'
+
+        # Digital downloads - token-based access
+        can :show, Spree::DigitalLink do |digital_link, token|
+          digital_link.token == token
+        end
       end
     end
   end

data/app/models/spree/policy.rb

@@ -1,5 +1,7 @@
 module Spree
   class Policy < Spree.base_class
+    has_prefix_id :pol
+
     extend FriendlyId
     include Spree::TranslatableResource
 

data/app/models/spree/post.rb

@@ -1,5 +1,7 @@
 module Spree
   class Post < Spree.base_class
+    has_prefix_id :post
+
     include Spree::SingleStoreResource
     include Spree::Metafields
     extend FriendlyId

data/app/models/spree/post_category.rb

@@ -1,5 +1,7 @@
 module Spree
   class PostCategory < Spree.base_class
+    has_prefix_id :pcat
+
     include Spree::SingleStoreResource
     include Spree::Metafields
     extend FriendlyId

data/app/models/spree/price.rb

@@ -1,5 +1,7 @@
 module Spree
   class Price < Spree.base_class
+    has_prefix_id :price
+
     include Spree::VatPriceCalculation
 
     publishes_lifecycle_events
@@ -38,13 +40,13 @@ module Spree
     scope :discounted, -> { where('compare_at_amount > amount') }
     scope :base_prices, -> { where(price_list_id: nil) }
     scope :for_price_list, ->(price_list) { where(price_list_id: price_list) }
-    scope :for_products, ->(products, currency = nil) do
+    scope :for_products, lambda { |products, currency = nil|
       currency ||= Spree::Store.default.default_currency
 
       with_currency(currency).joins(:variant).where(
         Spree::Variant.table_name => { product_id: products }
       )
-    end
+    }
 
     extend DisplayMoney
     money_methods :amount, :price, :compare_at_amount
@@ -64,6 +66,12 @@ module Spree
       self[:amount] = amount.blank? ? nil : Spree::LocalizedNumber.parse(amount)
     end
 
+    # Returns the amount in cents
+    # @return [Integer]
+    def amount_in_cents
+      display_amount&.amount_in_cents
+    end
+
     def compare_at_money
       Spree::Money.new(compare_at_amount || 0, currency: currency)
     end
@@ -74,6 +82,22 @@ module Spree
       self[:compare_at_amount] = calculated_value
     end
 
+    # Returns the compare at amount for display
+    # @return [Spree::Money, nil]
+    def display_compare_at_amount
+      return nil if compare_at_amount.nil?
+
+      Spree::Money.new(compare_at_amount, currency: currency)
+    end
+
+    # Returns the compare at amount in cents
+    # @return [Integer, nil]
+    def compare_at_amount_in_cents
+      return nil if compare_at_amount.nil?
+
+      display_compare_at_amount.amount_in_cents
+    end
+
     alias_attribute :price, :amount
     alias_method :price=, :amount=
     alias_attribute :compare_at_price, :compare_at_amount

data/app/models/spree/price_list.rb

@@ -1,5 +1,7 @@
 module Spree
   class PriceList < Spree.base_class
+    has_prefix_id :pl
+
     acts_as_paranoid
     acts_as_list scope: :store_id
 

data/app/models/spree/price_rule.rb

@@ -1,5 +1,7 @@
 module Spree
   class PriceRule < Spree.base_class
+    has_prefix_id :prule
+
     belongs_to :price_list, class_name: 'Spree::PriceList', touch: true
 
     validates :type, :price_list,presence: true