[api] Add assurances that line item prices cannot be set while creati…

…ng or updating orders
bsylvain · Oct 11, 2013 · 1b60644 · 1b60644
1 parent fe07c14
commit 1b60644
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 4 deletions.
diff --git a/api/app/controllers/spree/api/base_controller.rb b/api/app/controllers/spree/api/base_controller.rb
@@ -47,7 +47,11 @@ def map_nested_attributes_keys(klass, attributes)
 
       # users should be able to set price when importing orders via api
       def permitted_line_item_attributes
-        super << [:price]
+        if current_api_user.has_spree_role?("admin")
+          super << [:price]
+        else
+          super
+        end
       end
 
       private

diff --git a/api/app/controllers/spree/api/orders_controller.rb b/api/app/controllers/spree/api/orders_controller.rb
@@ -50,7 +50,11 @@ def update
         # hence the use of the update_line_items method, defined within order_decorator.rb.
         order_params.delete("line_items_attributes")
         if @order.update_attributes(order_params)
-          @order.update_line_items(params[:order][:line_items])
+          line_item_attributes = params[:order][:line_items].map do |id, attributes|
+            [id, attributes.slice(*permitted_line_item_attributes)]
+          end
+          line_item_attributes = Hash[line_item_attributes].delete_if { |k,v| v.empty? }
+          @order.update_line_items(line_item_attributes)
           @order.line_items.reload
           @order.update!
           respond_with(@order, default_template: :show)

diff --git a/api/spec/controllers/spree/api/orders_controller_spec.rb b/api/spec/controllers/spree/api/orders_controller_spec.rb
@@ -119,7 +119,7 @@ module Spree
       response.status.should == 201
     end
 
-    it "sets line items price" do
+    it "cannot arbitrarily set the line items price" do
       api_post :create, :order => {
         :line_items => {
           "0" => {
@@ -129,7 +129,7 @@ module Spree
       }
 
       expect(response.status).to eq 201
-      expect(Order.last.line_items.first.price.to_f).to eq 33.0
+      expect(Order.last.line_items.first.price.to_f).to eq(variant.price)
     end
 
     # Regression test for #3404
@@ -195,6 +195,19 @@ def clean_address(address)
         json_response['line_items'].first['quantity'].should == 10
       end
 
+      it "cannot change the price of an existing line item" do
+        api_put :update, :id => order.to_param, :order => {
+          :line_items => {
+            line_item.id => { :price => 0 }
+          }
+        }
+
+        response.status.should == 200
+        json_response['line_items'].count.should == 1
+        expect(json_response['line_items'].first['price'].to_f).to_not eq(0)
+        expect(json_response['line_items'].first['price'].to_f).to eq(line_item.variant.price)
+      end
+
       it "can add billing address" do
         api_put :update, :id => order.to_param, :order => { :bill_address_attributes => billing_address }
 
@@ -385,6 +398,21 @@ def clean_address(address)
         end
       end
 
+      context "creation" do
+        it "can arbitrarily set the line items price" do
+          api_post :create, :order => {
+            :line_items => {
+              "0" => {
+                :price => 33.0, :variant_id => variant.to_param, :quantity => 5
+              }
+            }
+          }
+
+          expect(response.status).to eq 201
+          expect(Order.last.line_items.first.price.to_f).to eq(33.0)
+        end
+      end
+
       context "can cancel an order" do
         before do
           Spree::Config[:mails_from] = "[email protected]"