app/controllers/spree/api/orders_controller.rb in spree_api-2.0.8 vs app/controllers/spree/api/orders_controller.rb in spree_api-2.0.9

- old
+ new

@@ -1,11 +1,11 @@ module Spree module Api class OrdersController < Spree::Api::BaseController respond_to :json - before_filter :authorize_read!, :except => [:index, :search, :create] + before_filter :find_and_authorize!, :except => [:index, :search, :create] def index # should probably look at turning this into a CanCan step raise CanCan::AccessDenied unless current_api_user.has_spree_role?("admin") @orders = Order.ransack(params[:q]).result.page(params[:page]).per(params[:per_page]) @@ -17,37 +17,36 @@ end def create nested_params[:line_items_attributes] = sanitize_line_items(nested_params[:line_items_attributes]) @order = Order.build_from_api(current_api_user, nested_params) - respond_with(order, :default_template => :show, :status => 201) + respond_with(@order, :default_template => :show, :status => 201) end def update - authorize! :update, Order # Parsing line items through as an update_attributes call in the API will result in # many line items for the same variant_id being created. We must be smarter about this, # hence the use of the update_line_items method, defined within order_decorator.rb. line_items_params = sanitize_line_items(nested_params.delete("line_items_attributes")) - if order.update_attributes(nested_params) - order.update_line_items(line_items_params) - order.line_items.reload - order.update! - respond_with(order, :default_template => :show) + if @order.update_attributes(nested_params) + @order.update_line_items(line_items_params) + @order.line_items.reload + @order.update! + respond_with(@order, :default_template => :show) else - invalid_resource!(order) + invalid_resource!(@order) end end def cancel - order.cancel! + @order.cancel! render :show end def empty - order.empty! - order.update! + @order.empty! + @order.update! render :text => nil, :status => 200 end private 
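Review bot: `create` is excluded from the new `find_and_authorize!` filter and, within this hunk, performs no `authorize!` of its own before `Order.build_from_api(current_api_user, nested_params)`, so order creation is guarded only by whatever `Spree::Api::BaseController` does before the action, which is not visible here. Every other mutating action now carries an explicit ability check via the filter; an explicit `authorize! :create, Spree::Order` as the first line of `create` would make that contract visible in the same place and survive a later change to the base controller. `index` has its own inline role check, so only `create` and `search` rely on the excepted path. The hunk starts at the `end` of a method whose body is outside it.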
@@ -68,23 +67,25 @@ end end line_item_attributes = Hash[line_item_attributes].delete_if { |k,v| v.empty? } end - def order - @order ||= Order.find_by_number!(params[:id]) + def find_order(lock = false) + @order = Spree::Order.lock(lock).find_by_number!(params[:id]) + authorize! :update, @order, params[:order_token] end def next!(options={}) if @order.valid? && @order.next render :show, :status => options[:status] || 200 else render :could_not_transition, :status => 422 end end - def authorize_read! - authorize! :read, order + def find_and_authorize! + find_order(true) + authorize! :read, @order end end end end
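Review bot: `Spree::Order.lock(lock).find_by_number!` runs inside a `before_filter`, where no transaction is open, so the row lock taken by `lock(true)` is released as soon as that SELECT completes and does not cover the later `update_attributes`, `update_line_items`, `cancel!` or `empty!` calls in the actions; if the intent is to serialize concurrent modifications of one order, the mutating work needs to run inside a transaction that holds the lock, e.g. `@order.with_lock do ... end` around the body of `update`, `cancel` and `empty`, or `Spree::Order.transaction` opened before `find_order(true)`. Separately, `find_order` always performs `authorize! :update, @order, params[:order_token]`, and `find_and_authorize!` always passes `true`, so every non-excepted action, including read-only ones such as `show`, demands the update ability and takes a row lock; the subsequent `authorize! :read, @order` is only meaningful if the update ability does not already imply read. Consider authorizing against the actual action, e.g. `authorize! params[:action].to_sym, @order, params[:order_token]`, and locking only from the mutating actions. The `lock = false` default is unused by any visible caller.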