Class: Spree::Api::V3::Admin::MeController

Inherits:
BaseController
Defined in:
app/controllers/spree/api/v3/admin/me_controller.rb

Constant Summary

Constants included from ScopedAuthorization

ScopedAuthorization::READ_ACTIONS

Constants inherited from BaseController

BaseController::RATE_LIMIT_RESPONSE

Constants included from Idempotent

Idempotent::IDEMPOTENCY_HEADER, Idempotent::IDEMPOTENCY_TTL, Idempotent::MAX_KEY_LENGTH, Idempotent::MUTATING_METHODS

Constants included from ErrorHandler

ErrorHandler::ERROR_CODES

Constants included from JwtAuthentication

JwtAuthentication::JWT_AUDIENCE_ADMIN, JwtAuthentication::JWT_AUDIENCE_STORE, JwtAuthentication::JWT_ISSUER, JwtAuthentication::USER_TYPE_ADMIN, JwtAuthentication::USER_TYPE_CUSTOMER

Instance Method Summary

Methods included from Spree::Api::V3::ApiKeyAuthentication

#authenticate_api_key!, #authenticate_secret_key!

Methods included from JwtAuthentication

#authenticate_user, #require_authentication!

Instance Method Details

#show ⇒ Object

GET /api/v3/admin/me

Returns the current admin user along with a serialized representation of their permissions (derived from CanCanCan rules). The SPA uses the permissions list to decide which UI elements to show or hide. The actual authorization check is still enforced server-side by CanCanCan — the SPA list is purely for UX.

This is the JWT-admin half of “describe the current credential”; the secret-key half is GET /api/v3/admin/api_keys/current (see ApiKeysController#current), which returns the key + its scopes.

A request authenticated by a secret API key has no Spree user to describe, so it gets a 404 pointing at the key endpoint rather than a 500 from serializing a nil user — mirroring how #current 404s for a JWT principal that has no single key.

# File 'app/controllers/spree/api/v3/admin/me_controller.rb', line 23

def show
  unless current_user
    return render_error(
      code: ERROR_CODES[:record_not_found],
      message: Spree.t(:me_no_current_user),
      status: :not_found
    )
  end

  render json: {
    user: admin_user_serializer.new(current_user, params: serializer_params).to_h,
    permissions: serialize_permissions(current_ability)
  }
end
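The branching described above (a 404 for a secret-key principal with no user, user plus CanCanCan-derived permissions for a JWT admin), as an added example that is not Spree's own code: it runs without Rails or CanCanCan, so `Rule`, `Ability`, `authorize!`, `describe_me` and the permission format are stand-ins, and the `ERROR_CODES` value and the error message text are assumed.

```ruby
# Error code table; the real ERROR_CODES lives in Spree's ErrorHandler (assumed value).
ERROR_CODES = { record_not_found: 'record_not_found' }.freeze

# Stand-in for a CanCanCan rule: `can` (true) or `cannot` (false), actions, subjects.
Rule = Struct.new(:base_behavior, :actions, :subjects)

class Ability
  attr_reader :rules

  def initialize(rules)
    @rules = rules
  end

  # CanCanCan semantics in miniature: :manage matches every action, :all every
  # subject, and the last matching rule decides (so a later `cannot` wins).
  def can?(action, subject)
    hits = rules.select do |r|
      (r.actions.include?(action) || r.actions.include?(:manage)) &&
        (r.subjects.include?(subject) || r.subjects.include?(:all))
    end
    hits.empty? ? false : hits.last.base_behavior
  end
end

# Server-side enforcement: the SPA may hide a button, but this call decides.
def authorize!(ability, action, subject)
  raise "access denied: #{action} #{subject}" unless ability.can?(action, subject)
  true
end

# Flattens the rules into plain strings for the SPA (hypothetical format; the
# real serialize_permissions is not shown on the documentation page).
def serialize_permissions(ability)
  ability.rules.map do |r|
    { can: r.base_behavior, actions: r.actions.map(&:to_s), subjects: r.subjects.map(&:to_s) }
  end
end

# The branch MeController#show performs: no user (secret-API-key principal)
# yields a 404 that points at the key endpoint; otherwise user + permissions.
def describe_me(current_user, ability)
  unless current_user
    return { status: 404, body: { error: ERROR_CODES[:record_not_found],
                                  message: 'No current user; see GET /api/v3/admin/api_keys/current' } }
  end
  { status: 200, body: { user: { id: current_user[:id], email: current_user[:email] },
                         permissions: serialize_permissions(ability) } }
end
```

Note that the permissions list and `authorize!` read the same rules but are independent: tampering with the list the SPA received changes nothing server-side.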