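--- a/app/controllers/spree/api/orders_controller.rb
+++ b/app/controllers/spree/api/orders_controller.rb
@@ -26,10 +26,11 @@
 respond_with(@order, default_template: :show, status: 201)
 end
 def empty
 find_order
+authorize! :update, @order, order_token
 @order.empty!
 @order.update!
 render text: nil, status: 200
 end
@@ -39,17 +40,19 @@
 respond_with(@orders)
 end
 def show
 find_order
+authorize! :show, @order, order_token
 method = "before_#{@order.state}"
 send(method) if respond_to?(method, true)
 respond_with(@order)
 end
 def update
 find_order(true)
+authorize! :update, @order, order_token
 # Parsing line items through as an update_attributes call in the API will result in
 # many line items for the same variant_id being created. We must be smarter about this,
 # hence the use of the update_line_items method, defined within order_decorator.rb.
 order_params.delete("line_items_attributes")
 if @order.update_attributes(order_params)
@@ -72,10 +75,11 @@
 end
 end
 def apply_coupon_code
 find_order
+authorize! :update, @order, order_token
 @order.coupon_code = params[:coupon_code]
 @handler = PromotionHandler::Coupon.new(@order).apply
 status = @handler.successful? ? 200 : 422
 render "spree/api/promotions/handler", :status => status
 end
@@ -136,15 +140,17 @@
 end
 end
 def find_order(lock = false)
 @order = Spree::Order.lock(lock).find_by!(number: params[:id])
-authorize! :update, @order, order_token
 end
 def before_delivery
 @order.create_proposed_shipments
 end
+def order_id
+super || params[:id]
+end
 end
 end
 end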
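Review bot: The last hunk removes `authorize! :update, @order, order_token` from `find_order`, which was the single chokepoint guarding every caller, so authorization now depends on each action remembering to call `authorize!` itself; the four actions visible in this section do, but any other action in this controller that calls `find_order` and is not touched by this diff would be left with no check at all, and the rest of the controller is outside this view (the hunk also opens mid-method, after an `end end` belonging to code not shown). A default-deny shape keeps the check at the chokepoint and lets the one exception opt in: `def find_order(lock = false, action = :update)` followed by `authorize! action, @order, order_token` after the lookup, with `show` calling `find_order(false, :show)`. If the per-action layout is kept deliberately, `find_order` should at least say so, e.g. `# No authorization here: every caller must authorize! on @order before acting on it`, so the next action added does not silently skip it. The new `order_id` helper (`super || params[:id]`) presumably feeds the `order_token` lookup in the base controller; a one-line comment naming that dependency would make the token path auditable without reading the superclass.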