Class: Spree::Api::V3::Admin::MeController
- Inherits:
-
Admin::BaseController
- Object
- Admin::BaseController
- Spree::Api::V3::Admin::MeController
- Defined in:
- app/controllers/spree/api/v3/admin/me_controller.rb
Instance Method Summary collapse
-
#show ⇒ Object
GET /api/v3/admin/me Returns the current admin user along with a serialized representation of their permissions (derived from CanCanCan rules).
-
#update ⇒ Object
PATCH /api/v3/admin/me Self-service update of the signed-in admin's own profile (display name, admin UI language, and avatar) — it operates on
current_userdirectly, so it needs no per-record authorization.
Instance Method Details
#show ⇒ Object
GET /api/v3/admin/me Returns the current admin user along with a serialized representation of their permissions (derived from CanCanCan rules). The SPA uses the permissions list to decide which UI elements to show or hide. The actual authorization check is still enforced server-side by CanCanCan — the SPA list is purely for UX.
This is the JWT-admin half of "describe the current credential"; the secret-key half is GET /api/v3/admin/api_keys/current (see ApiKeysController#current), which returns the key + its scopes.
A request authenticated by a secret API key has no Spree user to describe, so it gets a 404 pointing at the key endpoint rather than a 500 from serializing a nil user — mirroring how #current 404s for a JWT principal that has no single key.
25 26 27 |
# File 'app/controllers/spree/api/v3/admin/me_controller.rb', line 25 def show render json: me_response end |
#update ⇒ Object
PATCH /api/v3/admin/me
Self-service update of the signed-in admin's own profile (display
name, admin UI language, and avatar) — it operates on current_user
directly, so it needs no per-record authorization. Distinct from
PATCH /admin_users/:id, which is store-scoped staff management of
other users. avatar accepts an ActiveStorage direct-upload
signed id to set the photo, or null to remove it.
36 37 38 39 40 41 42 |
# File 'app/controllers/spree/api/v3/admin/me_controller.rb', line 36 def update if current_user.update(permitted_params) render json: me_response else render_validation_error(current_user.errors) end end |