Add back required api actions (create, update and destroy) and add AMS serializers for the jstree action

app/controllers/api/taxons_controller.rb

@@ -17,13 +17,44 @@ module Api
       render json: @taxons, each_serializer: Api::TaxonSerializer
     end
 
-    def show
+    def jstree
       @taxon = taxon
-      render json: @taxon, serializer: Api::TaxonSerializer
+      render json: @taxon.children, each_serializer: Api::TaxonJstreeSerializer
     end
 
-    def jstree
-      show
+    def create
+      authorize! :create, Spree::Taxon
+      @taxon = Spree::Taxon.new(params[:taxon])
+      @taxon.taxonomy_id = params[:taxonomy_id]
+      taxonomy = Spree::Taxonomy.find_by_id(params[:taxonomy_id])
+
+      if taxonomy.nil?
+        @taxon.errors[:taxonomy_id] = I18n.t(:invalid_taxonomy_id, scope: 'spree.api')
+        invalid_resource!(@taxon) && return
+      end
+
+      @taxon.parent_id = taxonomy.root.id unless params[:taxon][:parent_id]
+
+      if @taxon.save
+        render json: @taxon, serializer: Api::TaxonSerializer, status: :created
+      else
+        invalid_resource!(@taxon)
+      end
+    end
+
+    def update
+      authorize! :update, Spree::Taxon
+      if taxon.update_attributes(params[:taxon])
+        render json: taxon, serializer: Api::TaxonSerializer, status: :ok
+      else
+        invalid_resource!(taxon)
+      end
+    end
+
+    def destroy
+      authorize! :delete, Spree::Taxon
+      taxon.destroy
+      render json: taxon, serializer: Api::TaxonSerializer, status: :no_content
     end
 
     private

app/serializers/api/taxon_jstree_attribute_serializer.rb

@@ -0,0 +1,5 @@
+module Api
+  class TaxonJstreeAttributeSerializer < ActiveModel::Serializer
+    attributes :id, :name
+  end
+end

app/serializers/api/taxon_jstree_serializer.rb

@@ -0,0 +1,18 @@
+module Api
+  class TaxonJstreeSerializer < ActiveModel::Serializer
+    attributes :data, :state
+    has_one :attr, serializer: TaxonJstreeAttributeSerializer
+
+    def data
+      object.name
+    end
+
+    def attr
+      object
+    end
+
+    def state
+      "closed"
+    end
+  end
+end

spec/controllers/api/taxons_controller_spec.rb

@@ -25,22 +25,12 @@ describe Api::TaxonsController do
       api_get :index, taxonomy_id: taxonomy.id
 
       expect(json_response.first['name']).to eq taxon.name
-
-      children = json_response.first['taxons']
-      expect(children.count).to eq 1
-      expect(children.first['name']).to eq taxon2.name
-      expect(children.first['taxons'].count).to eq 1
     end
 
     it "gets all taxons" do
       api_get :index
 
       expect(json_response.first['name']).to eq taxonomy.root.name
-
-      children = json_response.first['taxons']
-      expect(children.count).to eq 1
-      expect(children.first['name']).to eq taxon.name
-      expect(children.first['taxons'].count).to eq 1
     end
 
     it "can search for a single taxon" do
@@ -50,13 +40,6 @@ describe Api::TaxonsController do
       expect(json_response.first['name']).to eq "Ruby"
     end
 
-    it "gets a single taxon" do
-      api_get :show, id: taxon.id, taxonomy_id: taxonomy.id
-
-      expect(json_response['name']).to eq taxon.name
-      expect(json_response['taxons'].count).to eq 1
-    end
-
     it "gets all taxons in JSTree form" do
       api_get :jstree, taxonomy_id: taxonomy.id, id: taxon.id
 
@@ -65,5 +48,70 @@ describe Api::TaxonsController do
       response["attr"].should eq("name" => taxon2.name, "id" => taxon2.id)
       response["state"].should eq("closed")
     end
+
+    it "cannot create a new taxon if not an admin" do
+      api_post :create, taxonomy_id: taxonomy.id, taxon: { name: "Location" }
+
+      assert_unauthorized!
+    end
+
+    it "cannot update a taxon" do
+      api_put :update, taxonomy_id: taxonomy.id,
+                       id: taxon.id,
+                       taxon: { name: "I hacked your store!" }
+
+      assert_unauthorized!
+    end
+
+    it "cannot delete a taxon" do
+      api_delete :destroy, taxonomy_id: taxonomy.id, id: taxon.id
+
+      assert_unauthorized!
+    end
   end
+
+  context "as an admin" do
+    let(:current_api_user) { build(:admin_user) }
+
+    it "can create" do
+      api_post :create, taxonomy_id: taxonomy.id, taxon: { name: "Colors" }
+
+      expect(attributes.all? { |a| json_response.include? a }).to be true
+      expect(response.status).to eq(201)
+
+      expect(taxonomy.reload.root.children.count).to eq 2
+
+      expect(Spree::Taxon.last.parent_id).to eq taxonomy.root.id
+      expect(Spree::Taxon.last.taxonomy_id).to eq taxonomy.id
+    end
+
+    it "cannot create a new taxon with invalid attributes" do
+      api_post :create, taxonomy_id: taxonomy.id, taxon: {}
+
+      expect(response.status).to eq(422)
+      expect(json_response["error"]).to eq("Invalid resource. Please fix errors and try again.")
+      errors = json_response["errors"]
+
+      expect(taxonomy.reload.root.children.count).to eq 1
+    end
+
+    it "cannot create a new taxon with invalid taxonomy_id" do
+      api_post :create, taxonomy_id: 1000, taxon: { name: "Colors" }
+
+      expect(response.status).to eq(422)
+      expect(json_response["error"]).to eq("Invalid resource. Please fix errors and try again.")
+
+      errors = json_response["errors"]
+      expect(errors["taxonomy_id"]).not_to be_nil
+      expect(errors["taxonomy_id"].first).to eq "Invalid taxonomy id."
+
+      expect(taxonomy.reload.root.children.count).to eq 1
+    end
+
+    it "can destroy" do
+      api_delete :destroy, taxonomy_id: taxonomy.id, id: taxon2.id
+
+      expect(response.status).to eq(204)
+    end
+  end  
 end