Merge pull request #8634 from Matt-Yorkley/order-tokens

Clarify use of order tokens

app/controllers/cart_controller.rb

@@ -28,7 +28,7 @@ class CartController < BaseController
   end
 
   def check_authorization
-    session[:access_token] ||= params[:token]
+    session[:access_token] ||= params[:order_token]
     order = Spree::Order.find_by(number: params[:id]) || current_order
 
     if order

app/controllers/payment_gateways/paypal_controller.rb

@@ -192,7 +192,7 @@ module PaymentGateways
     end
 
     def completion_route(order)
-      main_app.order_path(order, token: order.token)
+      main_app.order_path(order, order_token: order.token)
     end
 
     def address_required?

app/controllers/payments_controller.rb

@@ -19,7 +19,7 @@ class PaymentsController < BaseController
   private
 
   def require_logged_in
-    return if session[:access_token] || params[:token] || spree_current_user
+    return if session[:access_token] || spree_current_user
 
     flash[:error] = I18n.t("spree.orders.edit.login_to_view_order")
     redirect_to main_app.root_path(anchor: "login?after_login=#{request.env['PATH_INFO']}")

app/controllers/spree/admin/orders/customer_details_controller.rb

@@ -75,14 +75,10 @@ module Spree
         end
 
         def check_authorization
-          load_order
-          session[:access_token] ||= params[:token]
-
-          resource = @order
           action = params[:action].to_sym
           action = :edit if action == :show # show route renders :edit for this controller
 
-          authorize! action, resource, session[:access_token]
+          authorize! action, @order
         end
 
         def set_guest_checkout_status

app/controllers/spree/orders_controller.rb

@@ -113,7 +113,7 @@ module Spree
     end
 
     def check_authorization
-      session[:access_token] ||= params[:token]
+      session[:access_token] ||= params[:order_token]
       order = Spree::Order.find_by(number: params[:id]) || current_order
 
       if order
@@ -154,7 +154,7 @@ module Spree
     end
 
     def require_order_authentication
-      return if session[:access_token] || params[:token] || spree_current_user
+      return if session[:access_token] || params[:order_token] || spree_current_user
 
       flash[:error] = I18n.t("spree.orders.edit.login_to_view_order")
       redirect_to main_app.root_path(anchor: "login?after_login=#{request.env['PATH_INFO']}")

spec/controllers/spree/orders_controller_spec.rb

@@ -26,12 +26,12 @@ describe Spree::OrdersController, type: :controller do
       let(:current_user) { nil }
 
       it "loads page" do
-        get :show, params: { id: order.number, token: order.token }
+        get :show, params: { id: order.number, order_token: order.token }
         expect(response.status).to eq 200
       end
 
       it "stores order token in session as 'access_token'" do
-        get :show, params: { id: order.number, token: order.token }
+        get :show, params: { id: order.number, order_token: order.token }
         expect(session[:access_token]).to eq(order.token)
       end
     end

spec/requests/checkout/paypal_spec.rb

@@ -58,7 +58,7 @@ describe "checking out an order with a paypal express payment method", type: :re
       get payment_gateways_confirm_paypal_path, params: params
 
       # Processing was successful, order is complete
-      expect(response).to redirect_to order_path(order, token: order.token)
+      expect(response).to redirect_to order_path(order, order_token: order.token)
       expect(order.reload.complete?).to be true
 
       # We have only one payment, and one transaction fee

spec/system/consumer/shopping/orders_spec.rb

@@ -48,7 +48,7 @@ describe "Order Management", js: true do
         expect(page).to_not be_confirmed_order_page
 
         # Can load the page with token
-        visit order_path(order, token: order.token)
+        visit order_path(order, order_token: order.token)
         expect(page).to be_confirmed_order_page
 
         # Can load the page even without the token, after loading the page with