Merge pull request #4057 from luisramos0/remove_spree_api_2

Remove dependency to spree_api - step 2 - routes and views

app/assets/javascripts/admin/bulk_product_update.js.coffee

@@ -1,4 +1,4 @@
-angular.module("ofn.admin").controller "AdminProductEditCtrl", ($scope, $timeout, $filter, $http, $window, BulkProducts, DisplayProperties, DirtyProducts, VariantUnitManager, StatusMessage, producers, Taxons, SpreeApiAuth, Columns, tax_categories, RequestMonitor) ->
+angular.module("ofn.admin").controller "AdminProductEditCtrl", ($scope, $timeout, $filter, $http, $window, BulkProducts, DisplayProperties, DirtyProducts, VariantUnitManager, StatusMessage, producers, Taxons, Columns, tax_categories, RequestMonitor) ->
   $scope.StatusMessage = StatusMessage
 
   $scope.columns = Columns.columns
@@ -39,12 +39,7 @@ angular.module("ofn.admin").controller "AdminProductEditCtrl", ($scope, $timeout
   $scope.DisplayProperties = DisplayProperties
 
   $scope.initialise = ->
-    SpreeApiAuth.authorise()
-    .then ->
-      $scope.spree_api_key_ok = true
-      $scope.fetchProducts()
-    .catch (message) ->
-      $scope.api_error_msg = message
+    $scope.fetchProducts()
 
   $scope.$watchCollection '[query, producerFilter, categoryFilter, importDateFilter, per_page]', ->
     $scope.page = 1 # Reset page when changing filters for new search

app/assets/javascripts/admin/index_utils/services/spree_api_auth.js.coffee

@@ -1,16 +0,0 @@
-angular.module("admin.indexUtils").factory "SpreeApiAuth", ($q, $http, SpreeApiKey) ->
-  new class SpreeApiAuth
-    authorise: ->
-      deferred = $q.defer()
-
-      $http.get("/api/users/authorise_api?token=" + SpreeApiKey)
-      .success (response) ->
-        if response?.success == "Use of API Authorised"
-          $http.defaults.headers.common["X-Spree-Token"] = SpreeApiKey
-          deferred.resolve()
-
-      .error (response) ->
-        error = response?.error || t('js.unauthorized')
-        deferred.reject(error)
-
-      deferred.promise

app/assets/javascripts/admin/variant_overrides/controllers/variant_overrides_controller.js.coffee

@@ -1,4 +1,4 @@
-angular.module("admin.variantOverrides").controller "AdminVariantOverridesCtrl", ($scope, $http, $timeout, Indexer, Columns, Views, SpreeApiAuth, PagedFetcher, StatusMessage, RequestMonitor, hubs, producers, hubPermissions, InventoryItems, VariantOverrides, DirtyVariantOverrides) ->
+angular.module("admin.variantOverrides").controller "AdminVariantOverridesCtrl", ($scope, $http, $timeout, Indexer, Columns, Views, PagedFetcher, StatusMessage, RequestMonitor, hubs, producers, hubPermissions, InventoryItems, VariantOverrides, DirtyVariantOverrides) ->
   $scope.hubs = Indexer.index hubs
   $scope.hub_id = if hubs.length == 1 then hubs[0].id else null
   $scope.products = []
@@ -39,13 +39,7 @@ angular.module("admin.variantOverrides").controller "AdminVariantOverridesCtrl",
     $scope.producerFilter != 0 || $scope.query != ''
 
   $scope.initialise = ->
-    SpreeApiAuth.authorise()
-    .then ->
-      $scope.spree_api_key_ok = true
-      $scope.fetchProducts()
-    .catch (message) ->
-      $scope.api_error_msg = message
-
+    $scope.fetchProducts()
 
   $scope.fetchProducts = ->
     url = "/api/products/overridable?page=::page::;per_page=100"

app/controllers/api/base_controller.rb

@@ -1,16 +1,44 @@
 # Base controller for OFN's API
-# Includes the minimum machinery required by ActiveModelSerializers
+require_dependency 'spree/api/controller_setup'
+
 module Api
-  class BaseController < Spree::Api::BaseController
-    # Need to include these because Spree::Api::BaseContoller inherits
-    # from ActionController::Metal rather than ActionController::Base
-    # and they are required by ActiveModelSerializers
+  class BaseController < ActionController::Metal
+    include Spree::Api::ControllerSetup
+    include Spree::Core::ControllerHelpers::SSL
+    include ::ActionController::Head
+
+    respond_to :json
+
+    attr_accessor :current_api_user
+
+    before_filter :set_content_type
+    before_filter :authenticate_user
+    after_filter  :set_jsonp_format
+
+    rescue_from Exception, with: :error_during_processing
+    rescue_from CanCan::AccessDenied, with: :unauthorized
+    rescue_from ActiveRecord::RecordNotFound, with: :not_found
+
+    helper Spree::Api::ApiHelpers
+
+    ssl_allowed
+
+    # Include these because we inherit from ActionController::Metal
+    #   rather than ActionController::Base and these are required for AMS
     include ActionController::Serialization
     include ActionController::UrlFor
     include Rails.application.routes.url_helpers
+
     use_renderers :json
     check_authorization
 
+    def set_jsonp_format
+      return unless params[:callback] && request.get?
+
+      self.response_body = "#{params[:callback]}(#{response_body})"
+      headers["Content-Type"] = 'application/javascript'
+    end
+
     def respond_with_conflict(json_hash)
       render json: json_hash, status: :conflict
     end
@@ -19,16 +47,62 @@ module Api
 
     # Use logged in user (spree_current_user) for API authentication (current_api_user)
     def authenticate_user
-      @current_api_user = try_spree_current_user
-      super
+      return if @current_api_user = try_spree_current_user
+      if api_key.blank?
+        # An anonymous user
+        @current_api_user = Spree.user_class.new
+        return
+      end
+
+      return if @current_api_user = Spree.user_class.find_by_spree_api_key(api_key.to_s)
+
+      invalid_api_key
     end
 
-    # Allows API access without authentication, but only for OFN controllers which inherit
-    # from Api::BaseController. @current_api_user will now initialize an empty Spree::User
-    # unless one is present. We now also apply devise's `check_authorization`. See here for
-    # details: https://github.com/CanCanCommunity/cancancan/wiki/Ensure-Authorization
-    def requires_authentication?
-      false
+    def set_content_type
+      content_type = case params[:format]
+                     when "json"
+                       "application/json"
+                     when "xml"
+                       "text/xml"
+                     end
+      headers["Content-Type"] = content_type
+    end
+
+    def error_during_processing(exception)
+      render(text: { exception: exception.message }.to_json,
+             status: :unprocessable_entity) && return
+    end
+
+    def current_ability
+      Spree::Ability.new(current_api_user)
+    end
+
+    def api_key
+      request.headers["X-Spree-Token"] || params[:token]
+    end
+    helper_method :api_key
+
+    def invalid_resource!(resource)
+      @resource = resource
+      render(json: { error: I18n.t(:invalid_resource, scope: "spree.api"),
+                     errors: @resource.errors },
+             status: :unprocessable_entity)
+    end
+
+    def invalid_api_key
+      render(json: { error: I18n.t(:invalid_api_key, key: api_key, scope: "spree.api") },
+             status: :unauthorized) && return
+    end
+
+    def unauthorized
+      render(json: { error: I18n.t(:unauthorized, scope: "spree.api") },
+             status: :unauthorized) && return
+    end
+
+    def not_found
+      render(json: { error: I18n.t(:resource_not_found, scope: "spree.api") },
+             status: :not_found) && return
     end
   end
 end

app/controllers/api/products_controller.rb

@@ -47,7 +47,6 @@ module Api
       render json: @product, serializer: Api::Admin::ProductSerializer, status: 204
     end
 
-    # TODO: This should be named 'managed'. Is the action above used? Maybe we should remove it.
     def bulk_products
       product_query = OpenFoodNetwork::Permissions.new(current_api_user).
         editable_products.merge(product_scope)
@@ -94,10 +93,13 @@ module Api
 
     private
 
-    # Copied and modified from SpreeApi::BaseController to allow
-    # enterprise users to access inactive products
+    def find_product(id)
+      product_scope.find_by_permalink!(id.to_s)
+    rescue ActiveRecord::RecordNotFound
+      product_scope.find(id)
+    end
+
     def product_scope
-      # This line modified
       if current_api_user.has_spree_role?("admin") || current_api_user.enterprises.present?
         scope = Spree::Product
         if params[:show_deleted]

app/controllers/spree/admin/users_controller.rb

@@ -58,14 +58,14 @@ module Spree
 
       def generate_api_key
         if @user.generate_spree_api_key!
-          flash[:success] = Spree.t('api.key_generated')
+          flash[:success] = t('spree.api.key_generated')
         end
         redirect_to edit_admin_user_path(@user)
       end
 
       def clear_api_key
         if @user.clear_spree_api_key!
-          flash[:success] = Spree.t('api.key_cleared')
+          flash[:success] = t('spree.api.key_cleared')
         end
         redirect_to edit_admin_user_path(@user)
       end

app/controllers/spree/api/base_controller.rb

@@ -1,130 +0,0 @@
-require_dependency 'spree/api/controller_setup'
-
-module Spree
-  module Api
-    class BaseController < ActionController::Metal
-      include Spree::Api::ControllerSetup
-      include Spree::Core::ControllerHelpers::SSL
-      include ::ActionController::Head
-
-      self.responder = Spree::Api::Responders::AppResponder
-
-      respond_to :json
-
-      attr_accessor :current_api_user
-
-      before_filter :set_content_type
-      before_filter :check_for_user_or_api_key, :if => :requires_authentication?
-      before_filter :authenticate_user
-      after_filter  :set_jsonp_format
-
-      rescue_from Exception, :with => :error_during_processing
-      rescue_from CanCan::AccessDenied, :with => :unauthorized
-      rescue_from ActiveRecord::RecordNotFound, :with => :not_found
-
-      helper Spree::Api::ApiHelpers
-
-      ssl_allowed
-
-      def set_jsonp_format
-        if params[:callback] && request.get?
-          self.response_body = "#{params[:callback]}(#{response_body})"
-          headers["Content-Type"] = 'application/javascript'
-        end
-      end
-
-      def map_nested_attributes_keys(klass, attributes)
-        nested_keys = klass.nested_attributes_options.keys
-        attributes.inject({}) do |h, (k, v)|
-          key = nested_keys.include?(k.to_sym) ? "#{k}_attributes" : k
-          h[key] = v
-          h
-        end.with_indifferent_access
-      end
-
-      private
-
-      def set_content_type
-        content_type = case params[:format]
-                       when "json"
-                         "application/json"
-                       when "xml"
-                         "text/xml"
-                       end
-        headers["Content-Type"] = content_type
-      end
-
-      def check_for_user_or_api_key
-        # User is already authenticated with Spree, make request this way instead.
-        return true if @current_api_user = try_spree_current_user ||
-                                           !requires_authentication?
-
-        return if api_key.present?
-        render("spree/api/errors/must_specify_api_key", status: :unauthorized) && return
-      end
-
-      def authenticate_user
-        return if @current_api_user
-
-        if requires_authentication? || api_key.present?
-          unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key.to_s)
-            render("spree/api/errors/invalid_api_key", status: :unauthorized) && return
-          end
-        else
-          # An anonymous user
-          @current_api_user = Spree.user_class.new
-        end
-      end
-
-      def unauthorized
-        render("spree/api/errors/unauthorized", status: :unauthorized) && return
-      end
-
-      def error_during_processing(exception)
-        render(text: { exception: exception.message }.to_json,
-               status: :unprocessable_entity) && return
-      end
-
-      def requires_authentication?
-        true
-      end
-
-      def not_found
-        render("spree/api/errors/not_found", status: :not_found) && return
-      end
-
-      def current_ability
-        Spree::Ability.new(current_api_user)
-      end
-
-      def invalid_resource!(resource)
-        @resource = resource
-        render "spree/api/errors/invalid_resource", status: :unprocessable_entity
-      end
-
-      def api_key
-        request.headers["X-Spree-Token"] || params[:token]
-      end
-      helper_method :api_key
-
-      def find_product(id)
-        product_scope.find_by_permalink!(id.to_s)
-      rescue ActiveRecord::RecordNotFound
-        product_scope.find(id)
-      end
-
-      def product_scope
-        if current_api_user.has_spree_role?("admin")
-          scope = Product
-          if params[:show_deleted]
-            scope = scope.with_deleted
-          end
-        else
-          scope = Product.active
-        end
-
-        scope.includes(:master)
-      end
-    end
-  end
-end

app/controllers/spree/api/users_controller.rb

@@ -1,7 +0,0 @@
-module Spree
-  module Api
-    class UsersController < Spree::Api::BaseController
-      respond_to :json
-    end
-  end
-end

app/views/spree/admin/products/index/_indicators.html.haml

@@ -1,6 +1,3 @@
-%div{ 'ng-show' => '!spree_api_key_ok' }
-  {{ api_error_msg }}
-
 %div.sixteen.columns.alpha#loading{ 'ng-if' => 'RequestMonitor.loading' }
   %br
   %img.spinner{ src: "/assets/spinning-circles.svg" }

app/views/spree/admin/shared/_routes.html.erb

@@ -3,6 +3,6 @@
     :variants_search       => spree.admin_search_variants_path(:format => 'json'),
     :taxons_search         => main_app.api_taxons_path(:format => 'json'),
     :user_search           => spree.admin_search_users_path(:format => 'json'),
-    :orders_api            => spree.api_orders_path(:format => 'json')
+    :orders_api            => main_app.api_orders_path
   }.to_json %>;
 </script>

app/views/spree/admin/taxonomies/edit.haml

@@ -17,7 +17,7 @@
       = label_tag nil, t("spree.tree")
       %br/
       :javascript
-        Spree.routes.taxonomy_taxons_path = "#{spree.api_taxonomy_taxons_path(@taxonomy)}";
+        Spree.routes.taxonomy_taxons_path = "#{main_app.api_taxonomy_taxons_path(@taxonomy)}";
         Spree.routes.admin_taxonomy_taxons_path = "#{spree.admin_taxonomy_taxons_path(@taxonomy)}";
       #taxonomy_tree.tree
     #progress{style: "display:none;"}

app/views/spree/admin/users/_api_fields.html.haml

@@ -0,0 +1,18 @@
+%fieldset.omega.six.columns
+  %legend= t('spree.api.access')
+  - if @user.spree_api_key.present?
+    .field
+      = label_tag t('spree.api.key')
+      = ":"
+      = @user.spree_api_key
+    .filter-actions.actions
+      = form_tag spree.clear_api_key_admin_user_path(@user), method: :put do
+        = button t('spree.api.clear_key'), 'icon-trash'
+      %span.or= t(:or)
+      = form_tag spree.generate_api_key_admin_user_path(@user), method: :put do
+        = button t('spree.api.regenerate_key'), 'icon-refresh'
+  - else
+    .no-objects-found= t('spree.api.no_key')
+    .filter-actions.actions
+      = form_tag spree.generate_api_key_admin_user_path(@user), method: :put do
+        = button t('spree.api.generate_key'), 'icon-key'

app/views/spree/admin/users/edit.html.haml

@@ -13,3 +13,5 @@
       = render partial: "form", locals: { f: f }
       %div{"data-hook" => "admin_user_edit_form_button"}
         = render partial: "spree/admin/shared/edit_resource_links"
+
+= render partial: 'spree/admin/users/api_fields'

app/views/spree/api/users/authorise_api.v1.rabl

@@ -1,2 +0,0 @@
-object false
-node(:success) { "Use of API Authorised" }