app/controllers/spree/api/orders_controller.rb in spree_api-2.0.5 vs app/controllers/spree/api/orders_controller.rb in spree_api-2.0.6
- old
+ new
@@ -15,20 +15,21 @@
def show
respond_with(@order)
end
def create
+ nested_params[:line_items_attributes] = sanitize_line_items(nested_params[:line_items_attributes])
@order = Order.build_from_api(current_api_user, nested_params)
respond_with(order, :default_template => :show, :status => 201)
end
def update
authorize! :update, Order
# Parsing line items through as an update_attributes call in the API will result in
# many line items for the same variant_id being created. We must be smarter about this,
# hence the use of the update_line_items method, defined within order_decorator.rb.
- line_items_params = params[:order].delete("line_items")
+ line_items_params = sanitize_line_items(nested_params.delete("line_items_attributes"))
if order.update_attributes(nested_params)
order.update_line_items(line_items_params)
order.line_items.reload
order.update!
respond_with(order, :default_template => :show)
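Review bot: The two call sites address the line-item key inconsistently — `create` assigns under the symbol `:line_items_attributes` while `update` deletes under the string `"line_items_attributes"` — and both only behave the same way if `map_nested_attributes_keys` returns an indifferent-access hash, which this hunk does not show; picking one key form in both places (e.g. `nested_params.delete(:line_items_attributes)`) removes the dependency. Because `nested_params` is now memoized, the `delete` in `update` deliberately mutates the cached hash so that line items never reach `order.update_attributes`; that is the point of the change and deserves a one-line comment such as `# delete from the memoized hash so update_attributes never sees line items`. Note also that `sanitize_line_items` returns `{}` where the old code passed `nil` when no line items were sent, so `update_line_items` now receives an empty hash rather than nil — presumably harmless, but worth confirming against its implementation. The body of `update` continues outside the hunk.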
@@ -49,10 +50,23 @@
end
private
def nested_params
- map_nested_attributes_keys Order, params[:order] || {}
+ @nested_params ||= map_nested_attributes_keys(Order, params[:order] || {})
+ end
+
+ def sanitize_line_items(line_item_attributes)
+ return {} if line_item_attributes.blank?
+ line_item_attributes = line_item_attributes.map do |id, attributes|
+ # Faux Strong-Parameters code to strip price if user isn't an admin
+ if current_api_user.has_spree_role?("admin")
+ [id, attributes.slice(*Spree::LineItem.attr_accessible[:api])]
+ else
+ [id, attributes.slice(*Spree::LineItem.attr_accessible[:default])]
+ end
+ end
+ line_item_attributes = Hash[line_item_attributes].delete_if { |k,v| v.empty? }
end
def order
@order ||= Order.find_by_number!(params[:id])
end
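Review bot: `sanitize_line_items` trusts the shape of client-supplied input: `attributes.slice(...)` raises NoMethodError (a 500 rather than a 4xx) whenever a value under an id is not a Hash, e.g. a string or nil sent by the API client, and `Hash[...]` will likewise fail on a non-pair entry. Guarding each entry with `attributes.is_a?(Hash)` and skipping the rest keeps the whitelist semantics while failing closed; the admin check can also be hoisted out of the loop since the user's role does not change per line item. If the API is meant to accept the array form of nested attributes as well, that should be handled explicitly rather than relying on destructuring, which would silently drop every item — I cannot tell from the hunk whether that form is supported. Rewritten body:
```ruby
def sanitize_line_items(line_item_attributes)
  return {} if line_item_attributes.blank?
  # Faux Strong-Parameters: non-admins only get the :default whitelist (no price)
  role = current_api_user.has_spree_role?("admin") ? :api : :default
  permitted = Spree::LineItem.attr_accessible[role]
  line_item_attributes.each_with_object({}) do |(id, attributes), sanitized|
    next unless attributes.is_a?(Hash)
    allowed = attributes.slice(*permitted)
    sanitized[id] = allowed unless allowed.empty?
  end
end
```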