Add Api::CreditCardsController#update endpoint

api/app/controllers/spree/api/credit_cards_controller.rb

@@ -1,7 +1,8 @@
 module Spree
   module Api
     class CreditCardsController < Spree::Api::BaseController
-      before_action :user
+      before_action :user, only: [:index]
+      before_action :find_credit_card, only: [:update]
 
       def index
         @credit_cards = user
@@ -12,6 +13,14 @@ def index
         respond_with(@credit_cards)
       end
 
+      def update
+        if @credit_card.update_attributes(credit_card_params)
+          respond_with(@credit_card, default_template: :show)
+        else
+          invalid_resource!(@credit_card)
+        end
+      end
+
       private
 
         def user
@@ -20,6 +29,14 @@ def user
           end
         end
 
+        def find_credit_card
+          @credit_card = Spree::CreditCard.find(params[:id])
+          authorize! :update, @credit_card
+        end
+
+        def credit_card_params
+          params.require(:credit_card).permit(permitted_credit_card_attributes)
+        end
     end
   end
 end

api/config/routes.rb

@@ -108,6 +108,8 @@
       resources :credit_cards, only: [:index]
     end
 
+    resources :credit_cards, only: [:update]
+
     resources :properties
     resources :stock_locations do
       resources :stock_movements

api/spec/controllers/spree/api/credit_cards_controller_spec.rb

@@ -2,78 +2,110 @@
 
 module Spree
   describe Api::CreditCardsController, :type => :controller do
-    render_views
+    describe '#index' do
+      render_views
 
-    let!(:admin_user) do
-      user = Spree.user_class.new(:email => "spree@example.com", :id => 1)
-      user.generate_spree_api_key!
-      allow(user).to receive(:has_spree_role?).with('admin').and_return(true)
-      user
-    end
-
-    let!(:normal_user) do
-      user = Spree.user_class.new(:email => "spree2@example.com", :id => 2)
-      user.generate_spree_api_key!
-      user
-    end
+      let!(:admin_user) do
+        user = Spree.user_class.new(:email => "spree@example.com", :id => 1)
+        user.generate_spree_api_key!
+        allow(user).to receive(:has_spree_role?).with('admin').and_return(true)
+        user
+      end
 
-    let!(:card) { create(:credit_card, :user_id => admin_user.id, gateway_customer_profile_id: "random") }
+      let!(:normal_user) do
+        user = Spree.user_class.new(:email => "spree2@example.com", :id => 2)
+        user.generate_spree_api_key!
+        user
+      end
 
-    before do
-      stub_authentication!
-    end
+      let!(:card) { create(:credit_card, :user_id => admin_user.id, gateway_customer_profile_id: "random") }
 
-    it "the user id doesn't exist" do
-      api_get :index, user_id: 1000
-      expect(response.status).to eq(404)
-    end
+      before do
+        stub_authentication!
+      end
 
-    context "calling user is in admin role" do
-      let(:current_api_user) do
-        user = admin_user
-        user
+      it "the user id doesn't exist" do
+        api_get :index, user_id: 1000
+        expect(response.status).to eq(404)
       end
 
-      it "no credit cards exist for user" do
-        api_get :index, user_id: normal_user.id
+      context "calling user is in admin role" do
+        let(:current_api_user) do
+          user = admin_user
+          user
+        end
 
-        expect(response.status).to eq(200)
-        expect(json_response["pages"]).to eq(0)
+        it "no credit cards exist for user" do
+          api_get :index, user_id: normal_user.id
+
+          expect(response.status).to eq(200)
+          expect(json_response["pages"]).to eq(0)
+        end
+
+        it "can view all credit cards for user" do
+          api_get :index, user_id: current_api_user.id
+
+          expect(response.status).to eq(200)
+          expect(json_response["pages"]).to eq(1)
+          expect(json_response["current_page"]).to eq(1)
+          expect(json_response["credit_cards"].length).to eq(1)
+          expect(json_response["credit_cards"].first["id"]).to eq(card.id)
+        end
       end
 
-      it "can view all credit cards for user" do
-        api_get :index, user_id: current_api_user.id
+      context "calling user is not in admin role" do
+        let(:current_api_user) do
+          user = normal_user
+          user
+        end
+
+        let!(:card) { create(:credit_card, :user_id => normal_user.id, gateway_customer_profile_id: "random") }
+
+        it "can not view user" do
+          api_get :index, user_id: admin_user.id
+
+          expect(response.status).to eq(404)
+        end
 
-        expect(response.status).to eq(200)
-        expect(json_response["pages"]).to eq(1)
-        expect(json_response["current_page"]).to eq(1)
-        expect(json_response["credit_cards"].length).to eq(1)
-        expect(json_response["credit_cards"].first["id"]).to eq(card.id)
+        it "can view own credit cards" do
+          api_get :index, user_id: normal_user.id
+
+          expect(response.status).to eq(200)
+          expect(json_response["pages"]).to eq(1)
+          expect(json_response["current_page"]).to eq(1)
+          expect(json_response["credit_cards"].length).to eq(1)
+          expect(json_response["credit_cards"].first["id"]).to eq(card.id)
+        end
       end
     end
 
-    context "calling user is not in admin role" do
-      let(:current_api_user) do
-        user = normal_user
-        user
-      end
+    describe '#update' do
+      let(:credit_card) { create(:credit_card, name: 'Joe Shmoe', user: credit_card_user) }
+      let(:credit_card_user) { create(:user) }
 
-      let!(:card) { create(:credit_card, :user_id => normal_user.id, gateway_customer_profile_id: "random") }
+      before do
+        stub_authentication!
+      end
 
-      it "can not view user" do
-        api_get :index, user_id: admin_user.id
+      context 'when the user is authorized' do
+        let(:current_api_user) { credit_card_user }
 
-        expect(response.status).to eq(404)
+        it 'updates the credit card' do
+          expect {
+            api_put :update, id: credit_card.to_param, credit_card: {name: 'Jordan Brough'}
+          }.to change {
+            credit_card.reload.name
+          }.from('Joe Shmoe').to('Jordan Brough')
+        end
       end
 
-      it "can view own credit cards" do
-        api_get :index, user_id: normal_user.id
+      context 'when the user is not authorized' do
+        let(:current_api_user) { create(:user) }
 
-        expect(response.status).to eq(200)
-        expect(json_response["pages"]).to eq(1)
-        expect(json_response["current_page"]).to eq(1)
-        expect(json_response["credit_cards"].length).to eq(1)
-        expect(json_response["credit_cards"].first["id"]).to eq(card.id)
+        it 'rejects the request' do
+          api_put :update, id: credit_card.to_param, credit_card: {name: 'Jordan Brough'}
+          expect(response.status).to eq(401)
+        end
       end
     end
   end

core/app/models/spree/ability.rb

@@ -49,7 +49,7 @@ def initialize(user)
         can :create, ReturnAuthorization do |return_authorization|
           return_authorization.order.user == user
         end
-        can :display, CreditCard, user_id: user.id
+        can [:display, :update], CreditCard, user_id: user.id
         can :display, Product
         can :display, ProductProperty
         can :display, Property

core/lib/spree/core/controller_helpers/strong_parameters.rb

@@ -10,6 +10,10 @@ def permitted_attributes
                  to: :permitted_attributes,
                  prefix: :permitted
 
+        def permitted_credit_card_attributes
+          permitted_source_attributes
+        end
+
         def permitted_payment_attributes
           permitted_attributes.payment_attributes + [
             source_attributes: permitted_source_attributes