Class: Spree::Api::V3::Admin::MeController

Inherits:
Admin::BaseController
  • Object
Defined in:
app/controllers/spree/api/v3/admin/me_controller.rb

Instance Method Summary

Instance Method Details

#show ⇒ Object

GET /api/v3/admin/me

Returns the current admin user together with a serialized representation of that user's permissions, derived from the CanCanCan rules in the current ability. The SPA reads the permissions list to decide which UI elements to show or hide. Hiding a control in the SPA is not a security boundary: every admin endpoint still runs its own CanCanCan authorization check server-side, so a client that ignores the list gets a 403 rather than access. The list exists purely for UX and only describes the caller's own rules.

This is the JWT-admin half of "describe the current credential". The secret-key half is GET /api/v3/admin/api_keys/current (see ApiKeysController#current), which returns the key and its scopes.

A request authenticated by a secret API key has no Spree user to describe, so this action returns a 404 whose message points at the key endpoint, rather than a 500 from serializing a nil user. This mirrors how #current returns 404 for a JWT principal that has no single key to describe.

# File 'app/controllers/spree/api/v3/admin/me_controller.rb', line 23

def show
  # Secret-key principals carry no Spree user; answer 404 (with a message that
  # points at the api_keys/current endpoint) instead of serializing nil.
  unless current_user
    return render_error(
      code: ERROR_CODES[:record_not_found],
      message: Spree.t(:me_no_current_user),
      status: :not_found
    )
  end

  # JWT admin: the user plus a flattened view of their CanCanCan rules. The
  # list is for the SPA's UX only; each endpoint still authorizes server-side.
  render json: {
    user: admin_user_serializer.new(current_user, params: serializer_params).to_h,
    permissions: serialize_permissions(current_ability)
  }
end
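The two behaviours described above (the 404 for a key-authenticated principal, and the permissions list being advisory while authorization stays server-side) as an added, self-contained example. This is not Spree code and does not use the real CanCanCan gem: `Ability` is a minimal stand-in that reproduces CanCanCan's "later rule wins" semantics, `serialize_permissions` uses a hypothetical flattening format (the page does not show Spree's actual one), and `me_show`, `authorize_admin_request`, and the sample principals are constructed for illustration.

```ruby
require 'json'

# Minimal stand-in for a CanCanCan ability (assumption: not the real gem).
# Rules are kept in order; as in CanCanCan, a later matching rule overrides an
# earlier one, and :manage / :all are wildcards for action / subject.
class Ability
  Rule = Struct.new(:base_behavior, :actions, :subjects)
  attr_reader :rules

  def initialize(user)
    @rules = []
    return if user.nil? # a secret-key principal has no user and thus no rules

    case user[:role]
    when :admin
      can :manage, :all
    when :support
      can %i[read update], :Order
      can :read, :User
      cannot :update, :User
    end
  end

  def can(actions, subjects)
    @rules << Rule.new(true, Array(actions), Array(subjects))
  end

  def cannot(actions, subjects)
    @rules << Rule.new(false, Array(actions), Array(subjects))
  end

  def can?(action, subject)
    matching = @rules.reverse.find do |r|
      (r.actions.include?(action) || r.actions.include?(:manage)) &&
        (r.subjects.include?(subject) || r.subjects.include?(:all))
    end
    matching ? matching.base_behavior : false
  end
end

# Hypothetical serialization of the rules for the SPA. Only the caller's own
# rules are described; deny rules are included so the UI can grey them out.
def serialize_permissions(ability)
  ability.rules.flat_map do |r|
    r.actions.product(r.subjects).map do |action, subject|
      { 'action' => action.to_s, 'subject' => subject.to_s, 'allowed' => r.base_behavior }
    end
  end
end

ERROR_CODES = { record_not_found: 'record_not_found' }.freeze

# Model of MeController#show. A principal is a Hash with either :user (JWT
# admin) or :api_key (secret key); only the former has a user to describe.
def me_show(principal)
  user = principal[:user]
  unless user
    return { status: 404,
             body: { 'error' => { 'code' => ERROR_CODES[:record_not_found],
                                  'message' => 'No current user for this credential; ' \
                                               'see GET /api/v3/admin/api_keys/current' } } }
  end

  { status: 200,
    body: { 'user' => { 'id' => user[:id], 'email' => user[:email] },
            'permissions' => serialize_permissions(Ability.new(user)) } }
end

# The check that actually protects an admin endpoint. It runs on every request,
# regardless of what the SPA decided to render from the permissions list.
def authorize_admin_request(principal, action, subject)
  Ability.new(principal[:user]).can?(action, subject) ? 200 : 403
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample principals.
  support  = { user: { id: 7, email: 'support@example.test', role: :support } }
  key_only = { api_key: 'constructed-dummy-key' }

  puts JSON.pretty_generate(me_show(support)[:body])
  puts "key-only /me -> #{me_show(key_only)[:status]}"
  # The list says update:User is not allowed; a client that sends the request
  # anyway is stopped by the server-side check, not by the hidden button.
  puts "support PATCH user -> #{authorize_admin_request(support, :update, :User)}"
end
```

The point to take from `authorize_admin_request` is that it never consults the serialized list; both are computed from the same ability, so the SPA's view cannot drift from what the server enforces, and tampering with the JSON on the client changes nothing.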