Update all locales with the latest Transifex translations

Add brakeman config

.github/workflows/brakeman-analysis.yml

@@ -0,0 +1,44 @@
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+# This section configures the trigger for the workflow. Feel free to customize depending on your convention
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+
+jobs:
+  brakeman-scan:
+    name: Brakeman Scan
+    runs-on: ubuntu-18.04
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    # Customize the ruby version depending on your needs
+    - name: Setup Ruby
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: '2.4'
+
+    - name: Setup Brakeman
+      env:
+        BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+      run: |
+        gem install brakeman --version $BRAKEMAN_VERSION
+
+    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+    - name: Scan
+      continue-on-error: true
+      run: |
+        brakeman -f sarif -o output.sarif.json .
+
+    # Upload the SARIF file generated in the previous step
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: output.sarif.json

Gemfile

@@ -65,7 +65,6 @@ gem 'haml'
 gem 'redcarpet'
 gem 'sass'
 gem 'sass-rails'
-gem 'truncate_html', '0.9.2'
 gem 'unicorn'
 
 gem 'actionpack-action_caching'

Gemfile.lock

@@ -635,7 +635,6 @@ GEM
     thread_safe (0.3.6)
     tilt (1.4.1)
     timecop (0.9.2)
-    truncate_html (0.9.2)
     tzinfo (0.3.57)
     uglifier (4.2.0)
       execjs (>= 0.3.0, < 3)
@@ -778,7 +777,6 @@ DEPENDENCIES
   test-prof
   test-unit (~> 3.3)
   timecop
-  truncate_html (= 0.9.2)
   uglifier (>= 1.0.3)
   unicorn
   unicorn-rails

README.md

@@ -33,7 +33,9 @@ We also have a [Super Admin Guide][super-admin-guide] to help with configuration
 
 ## Testing
 
-We use [BrowserStack](https://www.browserstack.com/) as a manual testing tool. BrowserStack provides open source projects with unlimited and free of charge accounts. A big thanks to them!
+If you'd like to help out with testing, please introduce yourself on the #testing channel on [Slack][slack-invite] and download the [ZenHub browser extension][zenhub] to view the development pipeline.
+
+We use [BrowserStack](https://www.browserstack.com/) as a manual testing tool. BrowserStack provides open source projects with unlimited and free of charge accounts. A big thanks to them! 
 
 ## Licence
 
@@ -45,3 +47,4 @@ Copyright (c) 2012 - 2020 Open Food Foundation, released under the AGPL licence.
 [ofn-install]: https://github.com/openfoodfoundation/ofn-install
 [super-admin-guide]: https://ofn-user-guide.gitbook.io/ofn-super-admin-guide
 [welcome-dev]: https://github.com/openfoodfoundation/openfoodnetwork/projects/27
+[zenhub]: https://www.zenhub.com/extension

app/controllers/checkout_controller.rb

@@ -5,6 +5,7 @@ require 'open_food_network/address_finder'
 class CheckoutController < Spree::StoreController
   layout 'darkswarm'
 
+  include OrderStockCheck
   include CheckoutHelper
   include OrderCyclesHelper
   include EnterprisesHelper
@@ -24,7 +25,7 @@ class CheckoutController < Spree::StoreController
 
   before_action :ensure_order_not_completed
   before_action :ensure_checkout_allowed
-  before_action :ensure_sufficient_stock_lines
+  before_action :handle_insufficient_stock
 
   before_action :associate_user
   before_action :check_authorization
@@ -77,13 +78,6 @@ class CheckoutController < Spree::StoreController
     redirect_to main_app.cart_path if @order.completed?
   end
 
-  def ensure_sufficient_stock_lines
-    if @order.insufficient_stock_lines.present?
-      flash[:error] = Spree.t(:inventory_error_flash_for_insufficient_quantity)
-      redirect_to main_app.cart_path
-    end
-  end
-
   def load_order
     @order = current_order
 

app/controllers/concerns/order_stock_check.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module OrderStockCheck
+  extend ActiveSupport::Concern
+
+  def handle_insufficient_stock
+    return if sufficient_stock?
+
+    flash[:error] = Spree.t(:inventory_error_flash_for_insufficient_quantity)
+    redirect_to main_app.cart_path
+  end
+
+  private
+
+  def sufficient_stock?
+    @sufficient_stock ||= @order.insufficient_stock_lines.blank?
+  end
+end

app/controllers/spree/paypal_controller_decorator.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 Spree::PaypalController.class_eval do
+  include OrderStockCheck
+
   before_action :enable_embedded_shopfront
   before_action :destroy_orphaned_paypal_payments, only: :confirm
   after_action :reset_order_when_complete, only: :confirm
@@ -40,6 +42,9 @@ Spree::PaypalController.class_eval do
     begin
       pp_response = provider.set_express_checkout(pp_request)
       if pp_response.success?
+        # At this point Paypal has *provisionally* accepted that the payment can now be placed,
+        # and the user will be redirected to a Paypal payment page. On completion, the user is
+        # sent back and the response is handled in the #confirm action in this controller.
         redirect_to provider.express_checkout_url(pp_response, useraction: 'commit')
       else
         flash[:error] = Spree.t('flash.generic_error', scope: 'paypal', reasons: pp_response.errors.map(&:long_message).join(" "))
@@ -51,6 +56,32 @@ Spree::PaypalController.class_eval do
     end
   end
 
+  def confirm
+    @order = current_order || raise(ActiveRecord::RecordNotFound)
+
+    # At this point the user has come back from the Paypal form, and we get one
+    # last chance to interact with the payment process before the money moves...
+    return reset_to_cart unless sufficient_stock?
+
+    @order.payments.create!({
+      source: Spree::PaypalExpressCheckout.create({
+        token: params[:token],
+        payer_id: params[:PayerID]
+      }),
+      amount: @order.total,
+      payment_method: payment_method
+    })
+    @order.next
+    if @order.complete?
+      flash.notice = Spree.t(:order_processed_successfully)
+      flash[:commerce_tracking] = "nothing special"
+      session[:order_id] = nil
+      redirect_to completion_route(@order)
+    else
+      redirect_to checkout_state_path(@order.state)
+    end
+  end
+
   def cancel
     flash[:notice] = Spree.t('flash.cancel', scope: 'paypal')
     redirect_to main_app.checkout_path
@@ -66,6 +97,10 @@ Spree::PaypalController.class_eval do
 
   private
 
+  def payment_method
+    @payment_method ||= Spree::PaymentMethod.find(params[:payment_method_id])
+  end
+
   def permit_parameters!
     params.permit(:token, :payment_method_id, :PayerID)
   end
@@ -79,6 +114,11 @@ Spree::PaypalController.class_eval do
     end
   end
 
+  def reset_to_cart
+    OrderCheckoutRestart.new(@order).call
+    handle_insufficient_stock
+  end
+
   # See #1074 and #1837 for more detail on why we need this
   # An 'orphaned' Spree::Payment is created for every call to CheckoutController#update
   # for orders that are processed using a Spree::Gateway::PayPalExpress payment method

config/initializers/secret_token.rb

@@ -3,11 +3,16 @@
 # Your secret key for verifying the integrity of signed cookies.
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks. 
-Openfoodnetwork::Application.config.secret_token = if Rails.env.development? or Rails.env.test?
+# no regular words or you'll be exposed to dictionary attacks.
+
+secret_key = if Rails.env.development? or Rails.env.test?
   ('x' * 30) # Meets basic minimum of 30 chars.
 else
   ENV["SECRET_TOKEN"]
 end
 
-Openfoodnetwork::Application.config.secret_key_base = 'ceb1eb86c50285e696f899b2e7ea306d1ec1e81fe5c7af0e5cbc238bebe3fd60f19df7b9076fab836182821ebe14e41b64bdcdb4370520dc5bb711c1bc0ae616'
+# Rails 4+ key for signing and encrypting cookies.
+Openfoodnetwork::Application.config.secret_key_base = secret_key
+
+# Legacy secret_token variable. This is still used directly for encryption.
+Openfoodnetwork::Application.config.secret_token = secret_key

config/locales/ar.yml

@@ -3492,7 +3492,7 @@ ar:
           remember_this_card: تذكر هذه البطاقة؟
     date_picker:
       format: '٪ س-٪ م-%d'
-      js_format: 'يوم-شهر-سنة'
+      js_format: 'yy-mm-dd'
     orders:
       error_flash_for_unavailable_items: "عنصر في سلة التسوق الخاصة بك أصبح غير متوفر. يرجى تحديث الكميات المحددة."
       edit:

config/locales/en_NZ.yml

@@ -289,11 +289,16 @@ en_NZ:
     create_and_add_another: "Create and Add Another"
     create: "Create"
     cancel: "Cancel"
+    resume: "Resume"
     save: "Save"
     edit: "Edit"
     update: "Update"
     delete: "Delete"
     add: "Add"
+    cut: "Cut"
+    paste: "Paste"
+    destroy: "Destroy"
+    rename: "Rename"
   admin:
     begins_at: Begins At
     begins_on: Begins On
@@ -601,6 +606,8 @@ en_NZ:
       controls:
         back_to_my_inventory: Back to my inventory
     orders:
+      edit:
+        order_sure_want_to: Are you sure you want to %{event} this order?
       invoice_email_sent: 'Invoice email has been sent'
       order_email_resent: 'Order email has been resent'
       bulk_management:
@@ -2877,6 +2884,8 @@ en_NZ:
     delete: "Delete"
     cannot_set_shipping_method_without_address: "Cannot set shipping method until customer details are provided."
     no_tracking_present: "No tracking details provided."
+    tracking: "Tracking"
+    tracking_number: "Tracking Number"
     order_total: "Order Total"
     customer_details: "Customer Details"
     customer_search: "Customer Search"
@@ -2910,6 +2919,8 @@ en_NZ:
     server: "Server"
     test_mode: "Test Mode"
     logourl: "Logourl"
+    are_you_sure_delete: "Are you sure you want to delete this record?"
+    confirm_delete: "Confirm Deletion"
     configurations: "Configurations"
     general_settings: "General Settings"
     site_name: "Site Name"

config/locales/pt_BR.yml

@@ -829,17 +829,17 @@ pt_BR:
         owner: Proprietário
         producer: Produtor
       change_type_form:
-        producer_profile: Perfil do produtor
+        producer_profile: Perfil Simples
         connect_ofn: Conecte-se através da OFB
         always_free: SEMPRE GRATUITO
         producer_description_text: Adicione os seus produtos à Open Food Brasil, permitindo que as centrais os comercialize em suas lojas.
-        producer_shop: Loja do produtor
+        producer_shop: Loja de Produtor
         sell_your_produce: 'Venda seus próprios produtos '
         producer_shop_description_text: Venda seus produtos diretamente aos compradores através da sua própria loja virtual na Open Food Brasil.
-        producer_shop_description_text2: Uma loja de produtor é apenas para o seu produto, se você quiser vender produtos produzidos por outras pessoas ou locais, selecione 'Central de produtor'.
+        producer_shop_description_text2: Uma Loja de Produtor vende ou distribui apenas produtos próprios. Se você quiser vender produtos produzidos por outras pessoas ou iniciativas, selecione 'Central de Produtor'.
         producer_hub: Central de produtor
         producer_hub_text: Comercialize seus próprios produtos e de outros produtores
-        producer_hub_description_text: Sua iniciativa é a espinha dorsal do seu sistema de produção e consumo local. Você pode comercializar seus próprios bens, assim como produtos agregados de outras iniciativas e produtores, através da sua loja na Open Food Brasil.
+        producer_hub_description_text: Escolha este tipo de perfil se a sua iniciativa funciona como um intermediário, ou seja, ela vende / distribui produtos seus e de outros produtores também
         profile: Perfil Simples
         get_listing: Obter uma listagem
         profile_description_text: As pessoas podem te encontrar e te contactar na Open Food Brasil. Sua iniciativa estará visível no mapa e poderá ser encontrada em buscas.
@@ -874,7 +874,7 @@ pt_BR:
         next_step: Próximo passo
         choose_starting_point: 'Escolha o seu tipo de perfil:'
         profile: 'Perfil'
-        producer_profile: 'Perfil do produtor'
+        producer_profile: 'Perfil Simples'
       invite_manager:
         user_already_exists: "Usuário já existe"
         error: "Algo deu errado"
@@ -1015,10 +1015,10 @@ pt_BR:
       unitsize: Unidade de Medida
       total: TOTAL
       total_items: TOTAL DE ITEMS
-      supplier_totals: Total do fornecedor do ciclo de pedidos
-      supplier_totals_by_distributor: Total do fornecedor do ciclo de pedidos por distribuidor
-      totals_by_supplier: Total do distribuidor do ciclo da pedidos pelo fornecedor
-      customer_totals: Total do consumidor do ciclo de pedidos
+      supplier_totals: 'Fechamento do Ciclo: por Fornecedor'
+      supplier_totals_by_distributor: 'Fechamento do Ciclo: por Fornecedor / Distribuidor'
+      totals_by_supplier: 'Fechamento do Ciclo: por Distribuidor / Fornecedor'
+      customer_totals: 'Fechamento do Ciclo: por Consumidor'
       all_products: Todos os produtos
       inventory: Inventário (disponível)
       lettuce_share: LettuceShare
@@ -1198,8 +1198,8 @@ pt_BR:
       mobile_menu:
         cart: "Carrinho"
     register_call:
-      selling_on_ofn: "Interessado em registrar a sua iniciativa na Open Food Brasil?"
-      register: "Registre-se aqui"
+      selling_on_ofn: "Quer fazer parte da Open Food Brasil?"
+      register: "Registre aqui a sua iniciativa"
     footer:
       footer_secure: "Seguro e confiável."
       footer_secure_text: "A Open Food Brasil utiliza a criptografia SSL (2048 bit RSA) para manter suas informações em segurança. Nossos servidores não guardam os detalhes do seu cartão de crédito e os pagamentos são processados por serviços compatíveis com PCI."
@@ -1812,7 +1812,7 @@ pt_BR:
     steps:
       introduction:
         registration_greeting: "Olá!"
-        registration_intro: "Você pode criar um perfil de produtor ou central"
+        registration_intro: "Vamos criar um perfil para a sua iniciativa? "
         registration_checklist: "O que eu preciso?"
         registration_time: "5-10 minutos"
         registration_enterprise_address: "Endereço da iniciativa"
@@ -1822,14 +1822,14 @@ pt_BR:
         registration_about_us: "'Sobre Nós'"
         registration_outcome_headline: "O que eu ganho?"
         registration_outcome1_html: "Seu perfil ajuda as pessoas a te <strong>encontrarem</strong> e entrarem em <strong>contato</strong> com você na Open Food Brasil."
-        registration_outcome2: "Use esse espaço para contar a história da sua iniciativa e ajudar a impulsionar as conexões com sua presença social e online."
-        registration_outcome3: "Esse é também o primeiro passo para começar a comercializar na Open Food Brasil, ou abrir uma loja online."
+        registration_outcome2: "Use esse espaço para contar a história da sua iniciativa e divulgar o seu trabalho."
+        registration_outcome3: "Esse é também o primeiro passo para começar a fornecer ou comercializar seus produtos na Open Food Brasil."
         registration_action: "Vamos começar!"
       details:
         title: "Detalhes"
         headline: "Vamos começar"
-        enterprise: "Woot! Primeiro, você precisa conhecer um pouco da sua empresa:"
-        producer: "Primeiro precisamos saber mais sobre sua produção:"
+        enterprise: "Boa! Primeiro, precisamos saber um pouco mais sobre a sua iniciativa:"
+        producer: "Boa! Primeiro, precisamos saber um pouco mais sobre a sua produção:"
         enterprise_name_field: "Nome da iniciativa:"
         producer_name_field: "Nome da Produção"
         producer_name_field_placeholder: "ex. Fazenda da Nina"
@@ -1863,9 +1863,9 @@ pt_BR:
         yes_producer: "Sim, sou um produtor"
         no_producer: "Não, não sou um produtor"
         producer_field_error: "Por favor escolha um. Você é um produtor?"
-        yes_producer_help: "Produtores fazem coisas deliciosas de comer e beber. "
+        yes_producer_help: "Produtores são aqueles que cultivam, colhem, beneficiam, cozinham, preparam e produzem alimentos e/ou produtos artesanais. "
         no_producer_help: "Se você não é um produtor, você provavelmente é alguém que vende e distribui alimentos. Você pode ser uma cooperativa, grupo de consumo, varejista, atacadista ou outro. Nos referimos a você como central, já que centraliza pessoas e produtos, independente do modelo organizacional. "
-        create_profile: "Crir perfil"
+        create_profile: "Criar perfil"
       about:
         title: "Sobre"
         headline: "Boa!"
@@ -2468,15 +2468,14 @@ pt_BR:
           profile_only_text3: >
               Adicione seus produtos à Open Food Brasil, permitindo que as centrais
               armazenem seus produtos em suas lojas.
-          producer_shop: Loja do produtor
+          producer_shop: Loja de Produtor
           producer_shop_text1: >
               Venda os seus produtos diretamente aos compradores através da sua própria
               loja na Open Food Brasil.
           producer_shop_text2: >
-              Uma loja de produtor é individual, somente para comercialização de produtos
-              feitos por você. Se quiser vender bens produzidos em outros lugares
-              e/ou pessoas, para além dos seus próprios, por favor selecione 'Central
-              de Produtor'.
+              Uma Loja de Produtor comercializa ou distribui somente produções próprias.
+              Se quiser movimentar bens produzidos por outras pessoas ou iniciativas,
+              além dos seus próprios, por favor selecione 'Central de Produtor'.
           producer_hub: Central de produtor
           producer_hub_text1: >
               A sua iniciativa é a espinha dorsal do seu sistema de produção e consumo
@@ -2498,8 +2497,8 @@ pt_BR:
         enterprise_producer:
           producer: Produtor
           producer_text1: >
-              Os produtores fazem coisas deliciosas para comer ou beber. Você é um
-              produtor se você cultiva, cria, prepara, cozinha, fermenta, ou ordenha.
+              Produtores são aqueles que cultivam, colhem, beneficiam, cozinham, preparam
+              e produzem alimentos e/ou produtos artesanais.
           producer_text2: >
               Os produtores também podem desempenhar outras funções, como agregar
               alimentos de outras iniciativas e vendê-lo através de uma loja da Open

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20200912190210) do
+ActiveRecord::Schema.define(version: 20201113163227) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"

docker/README.md

@@ -49,6 +49,7 @@ If you are using Windows and having issues related to the ruby-build not finding
 * docker/build: This script builds the Docker containers specified for this app, seeds the database, and logs the screen output for these operations.  After you use "git clone" to download this repository, run the docker/build script to start the setup process.
 * docker/server: Use this script to run this app in the Rails server.  This script executes the "docker-compose up" command and logs the results.  If all goes well, you will be able to view this app on your local browser at http://localhost:3000/.
 * docker/test: Use this script to run the entire test suite.
+* docker/qtest: Use this script to run the entire test suite in quiet mode.  The deprecation warnings are removed to make the test results easier to read.
 * docker/run: Use this script to run commands within the Docker container.  If you want shell access, enter "docker/run bash".  To execute "ls -l" within the Docker container, enter "docker/run ls -l".
 * docker/seed: Use this script to seed the database.  Please note that this process is not compatible with simultaneously running the Rails server or tests.
 * docker/nuke: Use this script to delete all Docker images and containers.  This fully resets your Docker setup and is useful for making sure that the setup procedure specified for this app is complete.

docker/qtest

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+# This script runs the entire test suite AND logs the screen output.
+# This is the quiet version of docker/test.
+# The deprecation warnings that obscure the test results are omitted.
+
+DATE=`date +%Y%m%d-%H%M%S-%3N`
+docker/qtest-log 2>&1 | tee log/qtest-$DATE.log

docker/qtest-log

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+echo '--------------------------------------------------------------'
+echo 'BEGIN: docker-compose run web bundle exec rake db:test:prepare'
+echo '--------------------------------------------------------------'
+docker-compose run web bundle exec rake db:test:prepare
+echo '------------------------------------------------------------'
+echo 'END: docker-compose run web bundle exec rake db:test:prepare'
+echo '------------------------------------------------------------'
+
+echo '--------------------------------------'
+echo 'BEGIN: running test suite (quiet mode)'
+echo '--------------------------------------'
+docker-compose run web bundle exec rspec spec | grep -v 'DEPRECATION WARNING' | grep -v 'Post.includes(:comments)' | grep -v 'Currently, Active Record recognizes the table in the string' | grep -v "If you don't rely on implicit join references"
+echo '------------------------------------'
+echo 'END: running test suite (quiet mode)'
+echo '------------------------------------'

lib/tasks/subscriptions/debug.rake

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+# rubocop:disable Metrics/BlockLength
+namespace :ofn do
+  namespace :subs do
+    namespace :debug do
+      desc "Print standard info about a specific Order Cycle"
+      task order_cycle: :environment do
+        order_cycle_id = request_order_cycle_id
+
+        order_cycle = OrderCycle.find_by(id: order_cycle_id)
+        puts "Order Cycle #{order_cycle.name}"
+        order_cycle.schedules.each do |schedule|
+          puts "Schedule #{schedule.name}"
+          Subscription.where(schedule_id: schedule.id).each do |subscription|
+            puts
+            puts "Subscription #{subscription.id}"
+            puts subscription.shop.name
+            puts subscription.customer.email
+            puts subscription.payment_method.name
+            puts "Active from #{subscription.begins_at} to #{subscription.ends_at}"
+            puts "Last edited on #{subscription.updated_at}"
+            puts "Canceled at #{subscription.canceled_at} and paused at #{subscription.paused_at}"
+
+            ProxyOrder.where(order_cycle_id: order_cycle_id,
+                             subscription_id: subscription.id).each do |proxy_order|
+              puts
+              puts "Proxy Order #{proxy_order.id}"
+              puts "Canceled at #{proxy_order.canceled_at}"
+              puts "Last updated at #{proxy_order.updated_at}"
+              puts "Placed at #{proxy_order.placed_at}"
+              puts "Confirmed at #{proxy_order.confirmed_at}"
+
+              puts
+              puts "Order #{proxy_order.order_id} - #{proxy_order.order.number}"
+              puts "Order is #{proxy_order.order.state} with total #{proxy_order.order.total}"
+              proxy_order.order.payments.each do |payment|
+                puts "Payment #{payment.id} with state #{payment.state}"
+                puts "Amount #{payment.amount}"
+                puts "Source #{payment.source_type} #{payment.source_id}"
+                if payment.source_type == "Spree::CreditCard"
+                  puts "Source #{payment.source.to_json}"
+                end
+                Spree::LogEntry.where(source_type: "Spree::Payment",
+                                      source_id: payment.id).each do |log_entry|
+                  puts "Log Entries found"
+                  puts log_entry.details
+                end
+              end
+            end
+          end
+        end
+      end
+
+      def request_order_cycle_id
+        puts "Please input Order Cycle ID to debug"
+        input = STDIN.gets.chomp
+        exit if input.blank? || !Integer(input)
+        Integer(input)
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/BlockLength

spec/controllers/spree/paypal_controller_spec.rb

@@ -27,6 +27,23 @@ module Spree
         spree_post :confirm, payment_method_id: payment_method.id
         expect(session[:access_token]).to eq(controller.current_order.token)
       end
+
+      context "if the stock ran out whilst the payment was being placed" do
+        before do
+          allow(controller.current_order).to receive(:insufficient_stock_lines).and_return(true)
+        end
+
+        it "redirects to the cart with out of stock error" do
+          expect(spree_post(:confirm, payment_method_id: payment_method.id)).
+            to redirect_to cart_path
+
+          order = controller.current_order.reload
+
+          # Order is in "cart" state and did not complete processing of the payment
+          expect(order.state).to eq "cart"
+          expect(order.payments.count).to eq 0
+        end
+      end
     end
 
     describe '#expire_current_order' do

spec/features/consumer/shopping/checkout_paypal_spec.rb

@@ -3,6 +3,8 @@ require "spec_helper"
 feature "Check out with Paypal", js: true do
   include ShopWorkflow
   include CheckoutHelper
+  include AuthenticationHelper
+  include PaypalHelper
 
   let(:distributor) { create(:distributor_enterprise) }
   let(:supplier) { create(:supplier_enterprise) }
@@ -34,6 +36,7 @@ feature "Check out with Paypal", js: true do
       distributor_ids: [distributor.id]
     )
   end
+  let(:user) { create(:user) }
 
   before do
     distributor.shipping_methods << free_shipping
@@ -41,23 +44,43 @@ feature "Check out with Paypal", js: true do
     add_product_to_cart order, product
   end
 
-  describe "as a guest" do
+  context "as a guest" do
     it "fails with an error message" do
       visit checkout_path
       checkout_as_guest
       fill_out_form(free_shipping.name, paypal.name, save_default_addresses: false)
 
-      paypal_response = double(:response, success?: false, errors: [])
-      paypal_provider = double(
-        :provider,
-        build_set_express_checkout: nil,
-        set_express_checkout: paypal_response
-      )
-      allow_any_instance_of(Spree::PaypalController).to receive(:provider).
-        and_return(paypal_provider)
+      stub_paypal_response success: false
 
       place_order
       expect(page).to have_content "PayPal failed."
     end
   end
+
+  context "as a registered user" do
+    before { login_as user }
+
+    it "completes the checkout after successful Paypal payment" do
+      visit checkout_path
+      fill_out_details
+      fill_out_form(free_shipping.name, paypal.name, save_default_addresses: false)
+
+      # Normally the checkout would redirect to Paypal, a form would be filled out there, and the
+      # user would be redirected back to #confirm_paypal_path. Here we skip the PayPal part and
+      # jump straight to being redirected back to OFN with a "confirmed" payment.
+      stub_paypal_response(
+        success: true,
+        redirect: spree.confirm_paypal_path(
+          payment_method_id: paypal.id, token: "t123", PayerID: 'p123'
+        )
+      )
+      stub_paypal_confirm
+
+      place_order
+      expect(page).to have_content "Your order has been processed successfully"
+
+      expect(order.reload.state).to eq "complete"
+      expect(order.payments.count).to eq 1
+    end
+  end
 end

spec/requests/checkout/paypal_spec.rb

@@ -2,6 +2,7 @@ require 'spec_helper'
 
 describe "checking out an order with a paypal express payment method", type: :request do
   include ShopWorkflow
+  include PaypalHelper
 
   let!(:address) { create(:address) }
   let!(:shop) { create(:enterprise) }
@@ -25,18 +26,6 @@ describe "checking out an order with a paypal express payment method", type: :re
     )
   end
   let(:params) { { token: 'lalalala', PayerID: 'payer1', payment_method_id: payment_method.id } }
-  let(:mocked_xml_response) {
-    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
-    <Envelope><Body>
-      <GetExpressCheckoutDetailsResponse>
-        <Ack>Success</Ack>
-        <PaymentDetails>Something</PaymentDetails>
-        <DoExpressCheckoutPaymentResponseDetails>
-          <PaymentInfo><TransactionID>s0metran$act10n</TransactionID></PaymentInfo>
-        </DoExpressCheckoutPaymentResponseDetails>
-      </GetExpressCheckoutDetailsResponse>
-    </Body></Envelope>"
-  }
 
   before do
     order.reload.update_totals
@@ -45,8 +34,7 @@ describe "checking out an order with a paypal express payment method", type: :re
     expect(order.next).to be true # => payment
     set_order order
 
-    stub_request(:post, "https://api-3t.sandbox.paypal.com/2.0/")
-      .to_return(status: 200, body: mocked_xml_response )
+    stub_paypal_confirm
   end
 
   context "with a flat percent calculator" do

spec/support/request/paypal_helper.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module PaypalHelper
+  # Initial request to confirm the payment can be placed (before redirecting to paypal)
+  def stub_paypal_response(options)
+    paypal_response = double(:response, success?: options[:success], errors: [])
+    paypal_provider = double(
+      :provider,
+      build_set_express_checkout: nil,
+      set_express_checkout: paypal_response,
+      express_checkout_url: options[:redirect]
+    )
+    allow_any_instance_of(Spree::PaypalController).to receive(:provider).
+      and_return(paypal_provider)
+  end
+
+  # Additional request to re-confirm the payment, when the order is finalised.
+  def stub_paypal_confirm
+    stub_request(:post, "https://api-3t.sandbox.paypal.com/2.0/")
+      .to_return(status: 200, body: mocked_xml_response )
+  end
+
+  private
+
+  def mocked_xml_response
+    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+    <Envelope><Body>
+      <GetExpressCheckoutDetailsResponse>
+        <Ack>Success</Ack>
+        <PaymentDetails>Something</PaymentDetails>
+        <DoExpressCheckoutPaymentResponseDetails>
+          <PaymentInfo><TransactionID>s0metran$act10n</TransactionID></PaymentInfo>
+        </DoExpressCheckoutPaymentResponseDetails>
+      </GetExpressCheckoutDetailsResponse>
+    </Body></Envelope>"
+  end
+end