Class: Spree::Api::V3::Admin::MeController

Inherits:
Admin::BaseController
  • Object
show all
Defined in:
app/controllers/spree/api/v3/admin/me_controller.rb

Instance Method Summary collapse

Instance Method Details

#showObject

GET /api/v3/admin/me Returns the current admin user along with a serialized representation of their permissions (derived from CanCanCan rules). The SPA uses the permissions list to decide which UI elements to show or hide. The actual authorization check is still enforced server-side by CanCanCan — the SPA list is purely for UX.

This is the JWT-admin half of "describe the current credential"; the secret-key half is GET /api/v3/admin/api_keys/current (see ApiKeysController#current), which returns the key + its scopes.

A request authenticated by a secret API key has no Spree user to describe, so it gets a 404 pointing at the key endpoint rather than a 500 from serializing a nil user — mirroring how #current 404s for a JWT principal that has no single key.



25
26
27
# File 'app/controllers/spree/api/v3/admin/me_controller.rb', line 25

def show
  render json: me_response
end

#updateObject

PATCH /api/v3/admin/me Self-service update of the signed-in admin's own profile (display name, admin UI language, and avatar) — it operates on current_user directly, so it needs no per-record authorization. Distinct from PATCH /admin_users/:id, which is store-scoped staff management of other users. avatar accepts an ActiveStorage direct-upload signed id to set the photo, or null to remove it.



36
37
38
39
40
41
42
# File 'app/controllers/spree/api/v3/admin/me_controller.rb', line 36

def update
  if current_user.update(permitted_params)
    render json: me_response
  else
    render_validation_error(current_user.errors)
  end
end