From 74d7db9fba41dd60686e95be0fa6e3e7bf18219e Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Fri, 10 May 2019 19:37:32 +0100
Subject: [PATCH 1/2] Allow unauthenticated access to enterprise API endpoints

---
 app/controllers/api/enterprises_controller.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/app/controllers/api/enterprises_controller.rb b/app/controllers/api/enterprises_controller.rb
index 666eb0b034..39273be6a7 100644
--- a/app/controllers/api/enterprises_controller.rb
+++ b/app/controllers/api/enterprises_controller.rb
@@ -77,5 +77,12 @@ module Api
     def override_visible
       params[:enterprise][:visible] = false
     end
+
+    # Allows API access without a logged in user for actions in this controller.
+    # Actions that require authentication should all use #authorize!
+    # @current_api_user will now initialize an empty Spree::User unless one is present.
+    def requires_authentication?
+      false
+    end
   end
 end

From c0a40c616b1b41030b0129d920f6022c13f7a9c0 Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Tue, 28 May 2019 21:22:29 +0100
Subject: [PATCH 2/2] Use devise's `check_authorization` and `skip_authorization_check`

---
 app/controllers/api/base_controller.rb | 9 +++++++++
 app/controllers/api/customers_controller.rb | 2 ++
 app/controllers/api/enterprises_controller.rb | 9 +--------
 .../api/enterprises_controller_spec.rb | 16 +++++++++-------
 4 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index 0187315d89..8a1b3e4b02 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -9,6 +9,7 @@ module Api
     include ActionController::UrlFor
     include Rails.application.routes.url_helpers
     use_renderers :json
+    check_authorization
     def respond_with_conflict(json_hash)
       render json: json_hash, status: :conflict
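Review bot: `check_authorization` on the added line is implemented in CanCan as an after-action filter, so a subclass action that neither calls `authorize!` nor is listed in `skip_authorization_check` still executes completely and only raises `CanCan::AuthorizationNotPerformed` when the response is about to be rendered; together with the `requires_authentication?` override this commit adds to the same class, such an action would run with an anonymous `Spree::User` before the failure surfaces. That makes it a good tripwire for forgotten `authorize!` calls but not a substitute for a before-filter on actions with side effects, and a spec per API controller that sends an unauthenticated write and asserts it is rejected would make the coverage explicit. A comment on the line would stop readers taking it for a pre-action check, e.g. `# CanCan: raises after the action if it neither called authorize! nor was skipped via skip_authorization_check`. The `BaseController` class body continues outside the hunk.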
@@ -21,5 +22,13 @@ module Api
       @current_api_user = try_spree_current_user
       super
     end
+
+    # Allows API access without authentication, but only for OFN controllers which inherit
+    # from Api::BaseController. @current_api_user will now initialize an empty Spree::User
+    # unless one is present. We now also apply devise's `check_authorization`. See here for
+    # details: https://github.com/CanCanCommunity/cancancan/wiki/Ensure-Authorization
+    def requires_authentication?
+      false
+    end
   end
 end
diff --git a/app/controllers/api/customers_controller.rb b/app/controllers/api/customers_controller.rb
index cbbe4ce35f..a06effb17f 100644
--- a/app/controllers/api/customers_controller.rb
+++ b/app/controllers/api/customers_controller.rb
@@ -1,5 +1,7 @@
 module Api
   class CustomersController < BaseController
+    skip_authorization_check only: :index
+
     def index
       @customers = current_api_user.customers
       render json: @customers, each_serializer: CustomerSerializer
diff --git a/app/controllers/api/enterprises_controller.rb b/app/controllers/api/enterprises_controller.rb
index 39273be6a7..fd40de5704 100644
--- a/app/controllers/api/enterprises_controller.rb
+++ b/app/controllers/api/enterprises_controller.rb
@@ -1,11 +1,11 @@
 module Api
   class EnterprisesController < BaseController
-    before_filter :override_owner, only: [:create, :update]
     before_filter :check_type, only: :update
     before_filter :override_sells, only: [:create, :update]
     before_filter :override_visible, only: [:create, :update]
     respond_to :json
+    skip_authorization_check only: [:shopfront, :managed]
     def managed
       @enterprises = Enterprise.ransack(params[:q]).result.managed_by(current_api_user)
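Review bot: The added comment attributes `check_authorization` to Devise, but the linked wiki page and the method itself belong to CanCan (cancancan); the commit subject repeats the same misattribution. Suggest `# unless one is present. We now also apply CanCan's \`check_authorization\`. See here for`. The comment should also state the consequence that matters to a maintainer: this override switches off Spree's API authentication for every controller inheriting from `Api::BaseController`, so each action in those subclasses must either call `authorize!` or be deliberately listed in `skip_authorization_check`, because `requires_authentication?` itself has no way to tell which actions are safe to expose anonymously. The enclosing class body continues outside the hunk.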
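Review bot: `skip_authorization_check only: :index` combined with the unauthenticated access this commit enables means `index` now runs for requests with no user, where `current_api_user` is, per the base controller comment in the same commit, an unsaved `Spree::User`; the scoping of `current_api_user.customers` then rests entirely on how the app's Rails version treats a `has_many` on an unsaved owner (I believe older versions query `user_id IS NULL` instead of returning an empty relation), which is worth confirming because customer rows with no user would then be returned. An explicit guard makes the intent independent of that behaviour, e.g. `@customers = current_api_user.persisted? ? current_api_user.customers : []`. If anonymous `index` is not actually meant to be reachable, requiring a user (or calling `authorize!`) is the cleaner choice over skipping the check. The `index` body continues outside the hunk.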
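Review bot: Removing `before_filter :override_owner` for `create`/`update` drops a filter that, going by its name, forced the owner on those actions, and nothing else in the series replaces it or explains it; if `owner_id` is accepted from the request body, the owner of a created or updated enterprise becomes whatever the client sends, constrained only by whatever `authorize!` checks those actions still perform. If the removal is intentional, the reason belongs in the commit message or a comment beside the remaining filters; otherwise the line should be restored. The new `skip_authorization_check only: [:shopfront, :managed]` line also exposes `managed` anonymously, where `managed_by(current_api_user)` is evaluated against an unsaved `Spree::User` — confirm that scope yields nothing in that case. The `managed` action body continues outside the hunk, and the hunk itself may extend beyond what is shown here.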
@@ -77,12 +77,5 @@ module Api
     def override_visible
       params[:enterprise][:visible] = false
     end
-
-    # Allows API access without a logged in user for actions in this controller.
-    # Actions that require authentication should all use #authorize!
-    # @current_api_user will now initialize an empty Spree::User unless one is present.
-    def requires_authentication?
-      false
-    end
   end
 end
diff --git a/spec/controllers/api/enterprises_controller_spec.rb b/spec/controllers/api/enterprises_controller_spec.rb
index df8ba4fc38..d2b27c1254 100644
--- a/spec/controllers/api/enterprises_controller_spec.rb
+++ b/spec/controllers/api/enterprises_controller_spec.rb
@@ -82,7 +82,7 @@ module Api
       end
     end
-    describe "fetching shopfronts data" do
+    context "as a non-authenticated user" do
       let!(:hub) { create(:distributor_enterprise, with_payment_and_shipping: true, name: 'Shopfront Test Hub') }
@@ -92,15 +92,17 @@ module Api
       let!(:relationship) { create(:enterprise_relationship, parent: hub, child: producer) }
       before do
-        allow(controller).to receive(:spree_current_user) { Spree::User.anonymous! }
+        allow(controller).to receive(:spree_current_user) { nil }
       end
-      it "returns data for an enterprise" do
-        spree_get :shopfront, id: producer.id, format: :json
+      describe "fetching shopfronts data" do
+        it "returns data for an enterprise" do
+          spree_get :shopfront, id: producer.id, format: :json
-        expect(json_response['name']).to eq 'Shopfront Test Producer'
-        expect(json_response['hubs'][0]['name']).to eq 'Shopfront Test Hub'
-        expect(json_response['supplied_taxons'][0]['name']).to eq 'Fruit'
+          expect(json_response['name']).to eq 'Shopfront Test Producer'
+          expect(json_response['hubs'][0]['name']).to eq 'Shopfront Test Hub'
+          expect(json_response['supplied_taxons'][0]['name']).to eq 'Fruit'
+        end
       end
     end
   end
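Review bot: The spec now stubs `spree_current_user` to `nil` but keeps only the positive case — an unauthenticated `shopfront` read succeeds — so nothing in this series asserts that an unauthenticated request to an action that still requires authorization (`create`, `update`) is rejected rather than executed, which is exactly the regression the new `check_authorization` is meant to catch. A companion example under the same `context`, e.g. `it "does not allow creating an enterprise"` that posts to `create` and asserts a non-2xx response and an unchanged `Enterprise.count`, would pin that behaviour down; it should also cover `managed`, which is skipped from authorization in this commit, by asserting an empty result for the anonymous user. The extra `describe` nesting adds indentation but no new coverage. The enclosing `context` block starts outside the hunk.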