Class: Spree::Api::V3::Admin::InvitationsController

Inherits: ResourceController
Includes: RoleGrantGuard
Defined in: app/controllers/spree/api/v3/admin/invitations_controller.rb

Overview

Manages staff invitations for the current store. Each invitation carries an email and a role; on accept, a `Spree::RoleUser` is created via the invitation's `after_accept` callback and the invitee becomes a member of the staff list for this store.

Constant Summary

Constants included from ScopedAuthorization

ScopedAuthorization::READ_ACTIONS

Constants inherited from BaseController

BaseController::RATE_LIMIT_RESPONSE

Constants included from Idempotent

Idempotent::IDEMPOTENCY_HEADER, Idempotent::IDEMPOTENCY_TTL, Idempotent::MAX_KEY_LENGTH, Idempotent::MUTATING_METHODS

Constants included from ErrorHandler

ErrorHandler::ERROR_CODES

Constants included from JwtAuthentication

JwtAuthentication::JWT_AUDIENCE_ADMIN, JwtAuthentication::JWT_AUDIENCE_STORE, JwtAuthentication::JWT_ISSUER, JwtAuthentication::USER_TYPE_ADMIN, JwtAuthentication::USER_TYPE_CUSTOMER

Instance Method Summary

Methods inherited from ResourceController

#destroy, #index, #show

Methods included from Spree::Api::V3::ApiKeyAuthentication

#authenticate_api_key!, #authenticate_secret_key!

Methods included from JwtAuthentication

#authenticate_user, #require_authentication!

Instance Method Details

#create ⇒ Object

POST /api/v3/admin/invitations

Guards against inviting a new staff member straight into the admin super-role unless the inviter already holds it.


# File 'app/controllers/spree/api/v3/admin/invitations_controller.rb', line 17

def create
  # Refuse the request (and render the guard's error response) when the
  # requested role_id includes a role the inviter is not allowed to grant.
  return if reject_unauthorized_role_grant!(Array(permitted_params[:role_id]))

  # Otherwise fall through to ResourceController's standard create.
  super
end
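The guard above is the security-relevant part of the action: a role grant is a privilege-escalation path, so the controller decides before creating anything whether the inviter may hand out the requested role. The following is an added, stand-alone model of that decision, not Spree's `RoleGrantGuard` or `reject_unauthorized_role_grant!`; the role table, `Inviter` struct, status codes and the `check` method are assumptions made for illustration. It generalizes slightly by also rejecting role ids that do not exist, which a real guard has to do before it can compare names.

```ruby
# Added example, not Spree's code. Models the "cannot grant the super-role
# unless you hold it" rule described for #create.

# Constructed role table standing in for Spree::Role records: id => name.
ROLE_IDS = { 1 => "admin", 2 => "manager", 3 => "support" }.freeze

# The role an inviter must already hold before granting it to someone else.
SUPER_ROLE = "admin"

# Minimal stand-in for the current admin user: just their role names.
Inviter = Struct.new(:email, :role_names)

module RoleGrantGuardExample
  Result = Struct.new(:allowed, :status, :error)

  # Decide whether +inviter+ may create an invitation carrying +requested_role_ids+.
  # Input is normalised the same way the controller does (Array(...)), so a single
  # id, a list of ids, or nil are all accepted.
  #   - malformed or unknown role ids   -> 422, nothing is created
  #   - super-role requested, not held  -> 403, nothing is created
  #   - anything else                   -> allowed (the controller would call super)
  def self.check(inviter, requested_role_ids)
    ids = Array(requested_role_ids).map { |id| Integer(id, exception: false) }
    return Result.new(false, 422, "unknown role id") if ids.any?(&:nil?)

    names = ids.map { |id| ROLE_IDS[id] }
    return Result.new(false, 422, "unknown role id") if names.any?(&:nil?)

    if names.include?(SUPER_ROLE) && !inviter.role_names.include?(SUPER_ROLE)
      return Result.new(false, 403, "cannot grant #{SUPER_ROLE} without holding it")
    end

    Result.new(true, 201, nil)
  end
end
```

The check runs on the role the request asks for, not on whether the inviter is an admin in general: a manager can still invite support staff, but the only way to mint a new admin is to already be one.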

#resend ⇒ Object

PATCH /api/v3/admin/invitations/:id/resend

Issues a fresh token and email for an existing pending invitation. The model's `resend!` is responsible for resetting `expires_at` and dispatching the mailer.


# File 'app/controllers/spree/api/v3/admin/invitations_controller.rb', line 27

def resend
  @resource = find_resource
  # Same permission as editing the invitation; raises if the caller may not update it.
  authorize!(:update, @resource)

  # Token rotation and mail dispatch live on the model, not the controller.
  @resource.resend!
  render json: serialize_resource(@resource)
end
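The controller delegates the interesting work to the model's `resend!`. The block below is an added, self-contained sketch of the behaviour the page attributes to it (rotate the token, reset `expires_at`, dispatch the mail); it is not `Spree::Invitation`, and the class name, field names, the 14-day TTL and the in-memory `deliveries` list standing in for the mailer are all assumptions. It adds the two properties a practitioner would want to verify: the old token stops working once a new one is issued, and an accepted or expired invitation cannot be resent or accepted.

```ruby
require "securerandom"
require "digest"

# Added example, not Spree::Invitation. Illustrates what a resend! that
# "resets expires_at and dispatches the mailer" has to guarantee.
class InvitationExample
  TTL = 14 * 24 * 60 * 60 # assumed: 14-day validity window, in seconds

  attr_reader :email, :token_digest, :expires_at, :accepted_at, :deliveries

  def initialize(email:, now: Time.now)
    @email = email
    @accepted_at = nil
    @deliveries = [] # stands in for the mailer: one entry per dispatched link
    rotate_token!(now)
  end

  # Pending means: not yet accepted and not yet past expires_at.
  def pending?(now = Time.now)
    @accepted_at.nil? && now < @expires_at
  end

  # Rotate the token, push expires_at forward from +now+, and send the new link.
  # Only the digest is stored; the raw token exists only in the outgoing mail.
  # Returns the raw token so callers (here, the test) can exercise accept!.
  def resend!(now = Time.now)
    raise "cannot resend an accepted invitation" if @accepted_at
    rotate_token!(now)
  end

  # Accept only while pending and only with the currently issued token.
  # Comparing digests rather than raw tokens means a stolen database row
  # does not yield a usable invitation link.
  def accept!(raw_token, now = Time.now)
    return false unless pending?(now)
    return false unless digest(raw_token) == @token_digest
    @accepted_at = now
    true
  end

  private

  def rotate_token!(now)
    raw = SecureRandom.urlsafe_base64(32)
    @token_digest = digest(raw)
    @expires_at = now + TTL
    @deliveries << { to: @email, token: raw, sent_at: now }
    raw
  end

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

The important property is that `resend!` invalidates the previous token rather than re-mailing it: a link that leaked from an earlier mail is dead as soon as the admin resends, and `expires_at` is measured from the resend, not from the original creation.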

#update ⇒ Object

Invitations are immutable post-create: the UI calls `resend` for token rotation and `destroy` to revoke. Clearing the action set keeps the surface honest if a client ever fires PATCH directly.


# File 'app/controllers/spree/api/v3/admin/invitations_controller.rb', line 38

def update
  # No body is accepted or inspected; a direct PATCH gets 405 Method Not Allowed.
  head :method_not_allowed
end