diff --git a/api/app/controllers/spree/api/credit_cards_controller.rb b/api/app/controllers/spree/api/credit_cards_controller.rb
index 7b689855c16..d6664cfe1f1 100644
--- a/api/app/controllers/spree/api/credit_cards_controller.rb
+++ b/api/app/controllers/spree/api/credit_cards_controller.rb
@@ -1,7 +1,8 @@
 module Spree
 module Api
 class CreditCardsController < Spree::Api::BaseController
- before_action :user
+ before_action :user, only: [:index]
+ before_action :find_credit_card, only: [:update]
 
 def index
 @credit_cards = user
@@ -12,6 +13,14 @@ def index
 respond_with(@credit_cards)
 end
 
+ def update
+ if @credit_card.update_attributes(credit_card_update_params)
+ respond_with(@credit_card, default_template: :show)
+ else
+ invalid_resource!(@credit_card)
+ end
+ end
+
 private
 
 def user
@@ -20,6 +29,14 @@ def user
 end
 end
 
+ def find_credit_card
+ @credit_card = Spree::CreditCard.find(params[:id])
+ authorize! :update, @credit_card
+ end
+
+ def credit_card_update_params
+ params.require(:credit_card).permit(permitted_credit_card_update_attributes)
+ end
 end
 end
 end
diff --git a/api/config/routes.rb b/api/config/routes.rb
index 00ea73c2f99..8f4c7c6f843 100644
--- a/api/config/routes.rb
+++ b/api/config/routes.rb
@@ -108,6 +108,8 @@
 resources :credit_cards, only: [:index]
 end
 
+ resources :credit_cards, only: [:update]
+
 resources :properties
 resources :stock_locations do
 resources :stock_movements
diff --git a/api/spec/controllers/spree/api/credit_cards_controller_spec.rb b/api/spec/controllers/spree/api/credit_cards_controller_spec.rb
index 7b52621ac57..27d4836a74e 100644
--- a/api/spec/controllers/spree/api/credit_cards_controller_spec.rb
+++ b/api/spec/controllers/spree/api/credit_cards_controller_spec.rb
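Review bot: `find_credit_card` loads the record with an unscoped `Spree::CreditCard.find(params[:id])` and only then calls `authorize!`, so a caller who does not own the card receives 401 (the new spec asserts exactly this) while an id that does not exist receives 404 — the status code becomes an oracle for which credit-card ids exist. The sibling `index` action answers 404 when the requested user is not accessible (the spec's "can not view user" case), so the two actions disagree on how to treat records the caller may not see. Scoping the lookup through the ability folds both cases into 404, e.g. `@credit_card = Spree::CreditCard.accessible_by(current_ability, :update).find(params[:id])`, keeping `authorize! :update, @credit_card` as the defence-in-depth check; `current_ability` is assumed to be available here as it is elsewhere in the API controllers, which this hunk does not show. If the 401 contract is intentional, a one-line comment on the method saying so would stop the next reader from "fixing" it. The enclosing class starts outside this hunk; only its trailing `end`s are visible here.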
@@ -2,78 +2,110 @@ module Spree describe Api::CreditCardsController, :type => :controller do - render_views + describe '#index' do + render_views - let!(:admin_user) do - user = Spree.user_class.new(:email => "spree@example.com", :id => 1) - user.generate_spree_api_key! - allow(user).to receive(:has_spree_role?).with('admin').and_return(true) - user - end - - let!(:normal_user) do - user = Spree.user_class.new(:email => "spree2@example.com", :id => 2) - user.generate_spree_api_key! - user - end + let!(:admin_user) do + user = Spree.user_class.new(:email => "spree@example.com", :id => 1) + user.generate_spree_api_key! + allow(user).to receive(:has_spree_role?).with('admin').and_return(true) + user + end - let!(:card) { create(:credit_card, :user_id => admin_user.id, gateway_customer_profile_id: "random") } + let!(:normal_user) do + user = Spree.user_class.new(:email => "spree2@example.com", :id => 2) + user.generate_spree_api_key! + user + end - before do - stub_authentication! - end + let!(:card) { create(:credit_card, :user_id => admin_user.id, gateway_customer_profile_id: "random") } - it "the user id doesn't exist" do - api_get :index, user_id: 1000 - expect(response.status).to eq(404) - end + before do + stub_authentication! 
+ end - context "calling user is in admin role" do - let(:current_api_user) do - user = admin_user - user + it "the user id doesn't exist" do + api_get :index, user_id: 1000 + expect(response.status).to eq(404) end - it "no credit cards exist for user" do - api_get :index, user_id: normal_user.id + context "calling user is in admin role" do + let(:current_api_user) do + user = admin_user + user + end - expect(response.status).to eq(200) - expect(json_response["pages"]).to eq(0) + it "no credit cards exist for user" do + api_get :index, user_id: normal_user.id + + expect(response.status).to eq(200) + expect(json_response["pages"]).to eq(0) + end + + it "can view all credit cards for user" do + api_get :index, user_id: current_api_user.id + + expect(response.status).to eq(200) + expect(json_response["pages"]).to eq(1) + expect(json_response["current_page"]).to eq(1) + expect(json_response["credit_cards"].length).to eq(1) + expect(json_response["credit_cards"].first["id"]).to eq(card.id) + end end - it "can view all credit cards for user" do - api_get :index, user_id: current_api_user.id + context "calling user is not in admin role" do + let(:current_api_user) do + user = normal_user + user + end + + let!(:card) { create(:credit_card, :user_id => normal_user.id, gateway_customer_profile_id: "random") } + + it "can not view user" do + api_get :index, user_id: admin_user.id + + expect(response.status).to eq(404) + end - expect(response.status).to eq(200) - expect(json_response["pages"]).to eq(1) - expect(json_response["current_page"]).to eq(1) - expect(json_response["credit_cards"].length).to eq(1) - expect(json_response["credit_cards"].first["id"]).to eq(card.id) + it "can view own credit cards" do + api_get :index, user_id: normal_user.id + + expect(response.status).to eq(200) + expect(json_response["pages"]).to eq(1) + expect(json_response["current_page"]).to eq(1) + expect(json_response["credit_cards"].length).to eq(1) + 
expect(json_response["credit_cards"].first["id"]).to eq(card.id) + end end end - context "calling user is not in admin role" do - let(:current_api_user) do - user = normal_user - user - end + describe '#update' do + let(:credit_card) { create(:credit_card, name: 'Joe Shmoe', user: credit_card_user) } + let(:credit_card_user) { create(:user) } - let!(:card) { create(:credit_card, :user_id => normal_user.id, gateway_customer_profile_id: "random") } + before do + stub_authentication! + end - it "can not view user" do - api_get :index, user_id: admin_user.id + context 'when the user is authorized' do + let(:current_api_user) { credit_card_user } - expect(response.status).to eq(404) + it 'updates the credit card' do + expect { + api_put :update, id: credit_card.to_param, credit_card: {name: 'Jordan Brough'} + }.to change { + credit_card.reload.name + }.from('Joe Shmoe').to('Jordan Brough') + end end - it "can view own credit cards" do - api_get :index, user_id: normal_user.id + context 'when the user is not authorized' do + let(:current_api_user) { create(:user) } - expect(response.status).to eq(200) - expect(json_response["pages"]).to eq(1) - expect(json_response["current_page"]).to eq(1) - expect(json_response["credit_cards"].length).to eq(1) - expect(json_response["credit_cards"].first["id"]).to eq(card.id) + it 'rejects the request' do + api_put :update, id: credit_card.to_param, credit_card: {name: 'Jordan Brough'} + expect(response.status).to eq(401) + end end end end diff --git a/core/app/models/spree/ability.rb b/core/app/models/spree/ability.rb index 18d9bda0628..983e28e0878 100644 --- a/core/app/models/spree/ability.rb +++ b/core/app/models/spree/ability.rb 
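Review bot: The new `#update` examples cover only the owning user and a stranger; there is no example for the admin role that the `#index` block exercises, and none showing that attributes outside the permitted list (for instance `user_id`, or the `gateway_customer_profile_id` the `card` factory sets) are dropped by `credit_card_update_params` rather than applied, so a mass-assignment regression in the permitted list would pass this suite. I would add one example per case: an admin `current_api_user` updating `credit_card` and expecting 200, and an owner sending `credit_card: { user_id: create(:user).id, name: 'x' }` then asserting `credit_card.reload.user` is still `credit_card_user`. Most of the remaining `-`/`+` pairs in this hunk appear to be the existing `#index` examples re-indented under the new `describe '#index'` block; the collapsed layout makes that hard to confirm line by line.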
@@ -68,7 +68,7 @@ def grant_generic_user_permissions
 can :create, ReturnAuthorization do |return_authorization|
 return_authorization.order.user == user
 end
- can :display, CreditCard, user_id: user.id
+ can [:display, :update], CreditCard, user_id: user.id
 can :display, Product
 can :display, ProductProperty
 can :display, Property
diff --git a/core/lib/spree/core/controller_helpers/strong_parameters.rb b/core/lib/spree/core/controller_helpers/strong_parameters.rb
index 3de7575be36..248dc9e103e 100644
--- a/core/lib/spree/core/controller_helpers/strong_parameters.rb
+++ b/core/lib/spree/core/controller_helpers/strong_parameters.rb
@@ -10,6 +10,12 @@ def permitted_attributes
 to: :permitted_attributes,
 prefix: :permitted
 
+ def permitted_credit_card_update_attributes
+ permitted_attributes.credit_card_update_attributes + [
+ address_attributes: permitted_address_attributes,
+ ]
+ end
+
 def permitted_payment_attributes
 permitted_attributes.payment_attributes + [
 source_attributes: permitted_source_attributes
diff --git a/core/lib/spree/permitted_attributes.rb b/core/lib/spree/permitted_attributes.rb
index 5f4334d4680..3301137390e 100644
--- a/core/lib/spree/permitted_attributes.rb
+++ b/core/lib/spree/permitted_attributes.rb
@@ -6,6 +6,7 @@ module PermittedAttributes
 ATTRIBUTES = [
 :address_attributes,
 :checkout_attributes,
+ :credit_card_update_attributes,
 :customer_return_attributes,
 :image_attributes,
 :inventory_unit_attributes,
@@ -44,6 +45,10 @@ module PermittedAttributes
 :coupon_code, :email, :shipping_method_id, :special_instructions, :use_billing
 ]
 
+ @@credit_card_update_attributes = [
+ :month, :year, :expiry, :first_name, :last_name, :name,
+ ]
+
 @@customer_return_attributes = [:stock_location_id, return_items_attributes: [:id, :inventory_unit_id, :return_authorization_id, :returned, :pre_tax_amount, :reception_status_event, :acceptance_status, :exchange_variant_id, :resellable]]
 
 @@image_attributes = [:alt, :attachment, :position, :viewable_type, :viewable_id]
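Review bot: `permitted_credit_card_update_attributes` nests the whole `permitted_address_attributes` list under `address_attributes`, and that list is not in this diff; if it carries `:id` (the checkout address list commonly does), a stored-card update can name an address record by id, and whether a foreign id is rejected then depends on how `Spree::CreditCard` declares its nested address assignment, which is also not visible here. That is worth pinning with a spec that sends `address_attributes: { id: someone_elses_address.id, city: 'x' }` and expects the other address to be untouched. A short comment on the method stating the intent would also help, e.g. `# Attributes a card owner may edit via the API; address_attributes reuses the checkout address whitelist.`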
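Review bot: `@@credit_card_update_attributes` permits `:month`, `:year` and `:expiry` together; if `:expiry` is the combined MM/YY form of the other two, as the name suggests, a payload carrying both leaves the result dependent on hash assignment order and on what `CreditCard#expiry=` does, neither of which this hunk shows, so either permit one form or document which wins. None of the permitted keys touch the card number, verification value or the gateway profile ids, which is the right boundary for a stored-card edit. Editing `month`/`year` changes only the local record, though; for a card vaulted at the gateway (the spec factory sets `gateway_customer_profile_id`) the gateway's copy is not updated by this path, which deserves a comment on the list: `# Fields a card owner may edit; expiry edits do not propagate to a gateway-stored profile.`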