Add cards lookup action to CustomersController

app/controllers/admin/customers_controller.rb

@@ -64,6 +64,13 @@ module Admin
       render json: { bill_address: bill_address, ship_address: ship_address }
     end
 
+    # GET /admin/customers/:id/cards
+    # Used by standing orders form to load details for selected customer
+    def cards
+      cards = Spree::CreditCard.where(user_id: @customer.user_id)
+      render json: { cards: ActiveModel::ArraySerializer.new(cards, each_serializer: Api::CreditCardSerializer) }
+    end
+
     private
 
     def collection

app/models/spree/ability_decorator.rb

@@ -251,7 +251,7 @@ class AbilityDecorator
     can [:admin, :index, :customers, :group_buys, :bulk_coop, :sales_tax, :payments, :orders_and_distributors, :orders_and_fulfillment, :products_and_inventory, :order_cycle_management, :xero_invoices], :report
 
     can [:create], Customer
-    can [:admin, :index, :update, :destroy, :addresses], Customer, enterprise_id: Enterprise.managed_by(user).pluck(:id)
+    can [:admin, :index, :update, :destroy, :addresses, :cards], Customer, enterprise_id: Enterprise.managed_by(user).pluck(:id)
     can [:admin, :new, :index], StandingOrder
     can [:create, :edit, :update, :cancel, :pause, :unpause], StandingOrder do |standing_order|
       user.enterprises.include?(standing_order.shop)

config/routes.rb

@@ -143,6 +143,7 @@ Openfoodnetwork::Application.routes.draw do
 
     resources :customers, only: [:index, :create, :update, :destroy] do
       get :addresses, on: :member
+      get :cards, on: :member
     end
 
     resources :tag_rules, only: [], format: :json do

spec/controllers/admin/customers_controller_spec.rb

@@ -181,4 +181,59 @@ describe Admin::CustomersController, type: :controller do
       end
     end
   end
+
+  describe "#cards" do
+    let(:user) { create(:user) }
+    let!(:enterprise) { create(:enterprise) }
+    let!(:credit_card1) { create(:credit_card, user: user) }
+    let!(:credit_card2) { create(:credit_card) }
+    let(:managed_customer) { create(:customer, enterprise: enterprise) }
+    let(:unmanaged_customer) { create(:customer) }
+    let(:params) { { format: :json } }
+
+    before { login_as_enterprise_user [enterprise] }
+
+    context "when I manage the customer" do
+      before { params.merge!(id: managed_customer.id) }
+
+      context "when the customer is not associated with a user" do
+        it "returns with an empty array" do
+          spree_get :cards, params
+          json_response = JSON.parse(response.body)
+          expect(json_response.keys).to include "cards"
+          expect(json_response["cards"]).to eq []
+        end
+      end
+
+      context "when the customer is associated with a user" do
+        before { managed_customer.update_attributes(user_id: user.id) }
+
+        it "returns with serialized cards for the customer" do
+          spree_get :cards, params
+          json_response = JSON.parse(response.body)
+          expect(json_response.keys).to include "cards"
+          expect(json_response["cards"].length).to be 1
+          expect(json_response["cards"].first["id"]).to eq credit_card1.id
+        end
+      end
+    end
+
+    context "when I don't manage the customer" do
+      before { params.merge!({customer_id: unmanaged_customer.id}) }
+
+      it "redirects to unauthorised" do
+        spree_get :cards, params
+        expect(response).to redirect_to spree.unauthorized_path
+      end
+    end
+
+    context "when no customer with a matching id exists" do
+      before { params.merge!({customer_id: 1}) }
+
+      it "redirects to unauthorised" do
+        spree_get :cards, params
+        expect(response).to redirect_to spree.unauthorized_path
+      end
+    end
+  end
 end