Class: Spree::Api::V3::Admin::AdminUsersController

Inherits:

ResourceController

• Object
• ActionController::API
• BaseController
• ResourceController
• ResourceController
• Spree::Api::V3::Admin::AdminUsersController

Includes:

RoleGrantGuard

Defined in:

app/controllers/spree/api/v3/admin/admin_users_controller.rb

Overview

Manages staff for the current store. “Staff” = admin users with at least one ‘Spree::RoleUser` whose `resource` is the current store. The legacy controller hard-deletes the global account on destroy; this v3 endpoint instead removes the per-store `RoleUser` rows so the user keeps their account (and access to other stores).

Constant Summary

Constants included from ScopedAuthorization

ScopedAuthorization::READ_ACTIONS

Constants inherited from BaseController

BaseController::RATE_LIMIT_RESPONSE

Constants included from Idempotent

Idempotent::IDEMPOTENCY_HEADER, Idempotent::IDEMPOTENCY_TTL, Idempotent::MAX_KEY_LENGTH, Idempotent::MUTATING_METHODS

Constants included from ErrorHandler

ErrorHandler::ERROR_CODES

Constants included from JwtAuthentication

JwtAuthentication::JWT_AUDIENCE_ADMIN, JwtAuthentication::JWT_AUDIENCE_STORE, JwtAuthentication::JWT_ISSUER, JwtAuthentication::USER_TYPE_ADMIN, JwtAuthentication::USER_TYPE_CUSTOMER

Instance Method Summary

• #create ⇒ Object

  POST is not exposed — staff are created via invitations.

• #destroy ⇒ Object

  DELETE /api/v3/admin/admin_users/:id Removes role assignments for the current store rather than deleting the account globally.

• #update ⇒ Object

  PATCH allows updating identity fields and replacing the user’s roles for this store.

Methods inherited from ResourceController

#index, #show

Methods included from Spree::Api::V3::ApiKeyAuthentication

#authenticate_api_key!, #authenticate_secret_key!

Methods included from JwtAuthentication

#authenticate_user, #require_authentication!

Instance Method Details

#create ⇒ Object

POST is not exposed — staff are created via invitations.

# File 'app/controllers/spree/api/v3/admin/admin_users_controller.rb', line 16

def create
  head :method_not_allowed
end

#destroy ⇒ Object

DELETE /api/v3/admin/admin_users/:id Removes role assignments for the current store rather than deleting the account globally. The user keeps access to any other stores.

# File 'app/controllers/spree/api/v3/admin/admin_users_controller.rb', line 23

def destroy
  authorize!(:destroy, @resource)
  @resource.role_users.where(resource: current_store).destroy_all
  head :no_content
end

#update ⇒ Object

PATCH allows updating identity fields and replacing the user’s roles for this store. ‘role_ids` accepts prefixed IDs and is applied via `add_role`/`remove_role` so the change is scoped to `current_store` and never touches other-store assignments.

# File 'app/controllers/spree/api/v3/admin/admin_users_controller.rb', line 33

def update
  authorize!(:update, @resource)

  # `nil` when the key is absent (leave roles untouched); an array
  # (possibly empty, to clear) when the client sends `role_ids`.
  role_ids = role_ids_param if params.key?(:role_ids)
  return if role_ids && reject_unauthorized_role_grant!(role_ids)

  if @resource.update(identity_params)
    apply_role_ids(role_ids) if role_ids
    render json: serialize_resource(@resource)
  else
    render_validation_error(@resource.errors)
  end
end