[api] Only show deleted variants when 1) the user is an admin and 2) …

…when they pass through the show_deleted parameter Fixes spree#2141
ceres24 · Oct 23, 2012 · 7b8e3bb · 7b8e3bb
1 parent 6f5f185
commit 7b8e3bb
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 1 deletion.
diff --git a/api/app/controllers/spree/api/v1/variants_controller.rb b/api/app/controllers/spree/api/v1/variants_controller.rb
@@ -48,7 +48,23 @@ def product
           end
 
           def scope
-            @product ? @product.variants_including_master : Variant
+            if @product
+              unless current_api_user.has_spree_role?("admin") || params[:show_deleted]
+                variants = @product.variants_including_master
+              else
+                variants = @product.variants_including_master_and_deleted
+              end
+            else
+              variants = Variant.scoped
+              if current_api_user.has_spree_role?("admin")
+                unless params[:show_deleted]
+                  variants = Variant.active
+                end
+              else
+                variants = variants.active
+              end
+            end
+            variants
           end
       end
     end

diff --git a/api/spec/controllers/spree/api/v1/variants_controller_spec.rb b/api/spec/controllers/spree/api/v1/variants_controller_spec.rb
@@ -37,6 +37,23 @@ module Spree
                                                  :option_type_id])
     end
 
+    # Regression test for #2141
+    context "a deleted variant" do
+      before do
+        variant.update_column(:deleted_at, Time.now)
+      end
+
+      it "is not returned in the results" do
+        api_get :index
+        json_response["variants"].count.should == 0
+      end
+
+      it "is not returned even when show_deleted is passed" do
+        api_get :index, :show_deleted => true
+        json_response["variants"].count.should == 0
+      end
+    end
+
     context "pagination" do
       default_per_page(1)
 
@@ -86,6 +103,18 @@ module Spree
       sign_in_as_admin!
       let(:resource_scoping) { { :product_id => variant.product.to_param } }
 
+      # Test for #2141
+      context "deleted variants" do
+        before do
+          variant.update_column(:deleted_at, Time.now)
+        end
+
+        it "are visible by admin" do
+          api_get :index, :show_deleted => 1
+          json_response["variants"].count.should == 1
+        end
+      end
+
       it "can create a new variant" do
         api_post :create, :variant => { :sku => "12345" }
         json_response.should have_attributes(attributes)

diff --git a/core/app/models/spree/product.rb b/core/app/models/spree/product.rb
@@ -44,6 +44,8 @@ class Product < ActiveRecord::Base
       :conditions => { :deleted_at => nil },
       :dependent => :destroy
 
+    has_many :variants_including_master_and_deleted, :class_name => 'Spree::Variant'
+
     delegate_belongs_to :master, :sku, :price, :weight, :height, :width, :depth, :is_master
     delegate_belongs_to :master, :cost_price if Variant.table_exists? && Variant.column_names.include?('cost_price')