Merge pull request #3847 from Matt-Yorkley/api_access

Allow unauthenticated access to OFN API endpoints
2026-01-24 20:36:49 +00:00 · 2019-06-12 09:45:11 +02:00
parent 568e3003ba c0a40c616b
commit fd95ae7e41
4 changed files with 21 additions and 7 deletions
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -9,6 +9,7 @@ module Api
    include ActionController::UrlFor
    include Rails.application.routes.url_helpers
    use_renderers :json
+    check_authorization

    def respond_with_conflict(json_hash)
      render json: json_hash, status: :conflict
@@ -21,5 +22,13 @@ module Api
      @current_api_user = try_spree_current_user
      super
    end
+
+    # Allows API access without authentication, but only for OFN controllers which inherit
+    # from Api::BaseController. @current_api_user will now initialize an empty Spree::User
+    # unless one is present. We now also apply devise's `check_authorization`. See here for
+    # details: https://github.com/CanCanCommunity/cancancan/wiki/Ensure-Authorization
+    def requires_authentication?
+      false
+    end
  end
 end
--- a/app/controllers/api/customers_controller.rb
+++ b/app/controllers/api/customers_controller.rb
@@ -1,5 +1,7 @@
 module Api
  class CustomersController < BaseController
+    skip_authorization_check only: :index
+
    def index
      @customers = current_api_user.customers
      render json: @customers, each_serializer: CustomerSerializer
--- a/app/controllers/api/enterprises_controller.rb
+++ b/app/controllers/api/enterprises_controller.rb
@@ -5,6 +5,7 @@ module Api
    before_filter :override_sells, only: [:create, :update]
    before_filter :override_visible, only: [:create, :update]
    respond_to :json
+    skip_authorization_check only: [:shopfront, :managed]

    def managed
      @enterprises = Enterprise.ransack(params[:q]).result.managed_by(current_api_user)
--- a/spec/controllers/api/enterprises_controller_spec.rb
+++ b/spec/controllers/api/enterprises_controller_spec.rb
@@ -82,7 +82,7 @@ module Api
      end
    end

-    describe "fetching shopfronts data" do
+    context "as a non-authenticated user" do
      let!(:hub) {
        create(:distributor_enterprise, with_payment_and_shipping: true, name: 'Shopfront Test Hub')
      }
@@ -92,15 +92,17 @@ module Api
      let!(:relationship) { create(:enterprise_relationship, parent: hub, child: producer) }

      before do
-        allow(controller).to receive(:spree_current_user) { Spree::User.anonymous! }
+        allow(controller).to receive(:spree_current_user) { nil }
      end

-      it "returns data for an enterprise" do
-        spree_get :shopfront, id: producer.id, format: :json
+      describe "fetching shopfronts data" do
+        it "returns data for an enterprise" do
+          spree_get :shopfront, id: producer.id, format: :json

-        expect(json_response['name']).to eq 'Shopfront Test Producer'
-        expect(json_response['hubs'][0]['name']).to eq 'Shopfront Test Hub'
-        expect(json_response['supplied_taxons'][0]['name']).to eq 'Fruit'
+          expect(json_response['name']).to eq 'Shopfront Test Producer'
+          expect(json_response['hubs'][0]['name']).to eq 'Shopfront Test Hub'
+          expect(json_response['supplied_taxons'][0]['name']).to eq 'Fruit'
+        end
      end
    end
  end