#465: Update Api::V1::ProductsController

app/controllers/api/v1/products_controller.rb

@@ -2,10 +2,10 @@ class Api::V1::ProductsController < Api::V1::BaseController
   before_action :authenticate_user!
   skip_before_action :authenticate_user!, only: [:index, :show] if APP_CONFIG['anonymous_access']
 
-  load_and_authorize_resource
+  before_action :load_product, except: :create
 
   def create
-    create_subject @product
+    create_subject @product = Product.new(params[:product])
   end
 
   def update
@@ -13,10 +13,17 @@ class Api::V1::ProductsController < Api::V1::BaseController
   end
 
   def show
-    respond_to :json
   end
 
   def destroy
     destroy_subject @product
   end
+
+  private
+
+  # Private: before_action hook which loads Product.
+  def load_product
+    authorize @product = Product.find(params[:id])
+  end
+
 end

app/policies/product_policy.rb

@@ -10,6 +10,7 @@ class ProductPolicy < ApplicationPolicy
   alias_method :read?, :show?
 
   def create?
+    return false unless record.platform
     is_admin? || record.platform.main? && local_admin?(record.platform)
   end
   alias_method :clone?,   :create?

spec/controllers/api/v1/products_controller_spec.rb

@@ -3,29 +3,29 @@ require 'spec_helper'
 shared_examples_for 'api user without reader rights' do
   it 'should not be able to perform show action', :anonymous_access  => false do
     get :show, id: @product.id, format: :json
-    response.status.should == 401
+    expect(response.status).to eq 401
   end
 
   it 'should be able to perform show action', :anonymous_access  => true do
     get :show, id: @product.id, format: :json
-    response.should be_success
+    expect(response).to be_success
   end
 
   it 'should not be able to perform show action for the hidden platform', :anonymous_access  => true do
     @product.platform.update_column :visibility, 'hidden'
     get :show, id: @product.id, format: :json
-    response.status.should == 403
+    expect(response.status).to eq 403
   end
 
   it 'should not be able to perform create action' do
     post :create, format: :json
-    response.status.should == 401
+    expect(response.status).to eq 401
   end
 
   [:update, :destroy].each do |action|
     it "should not be able to perform #{action} action" do
       put action, id: @product.id, format: :json
-      response.status.should == 401
+      expect(response.status).to eq 401
     end
   end
 end
@@ -33,24 +33,25 @@ end
 shared_examples_for 'api user with reader rights' do
   it 'should be able to perform show action' do
     get :show, id: @product.id, format: :json
-    response.should be_success
+    expect(response).to be_success
   end
 
   it 'should be able to perform show action for the hidden main platform' do
+    allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(true)
     @product.platform.update_column :visibility, 'hidden'
     get :show, id: @product.id, format: :json
-    response.should be_success # because main platform
+    expect(response).to be_success # because main platform
   end
 
   it 'should not be able to perform create action' do
     post :create, format: :json
-    response.status.should == 403
+    expect(response.status).to eq 403
   end
 
   [:update, :destroy].each do |action|
     it "should not be able to perform #{action} action" do
       put action, id: @product.id, format: :json
-      response.status.should == 403
+      expect(response.status).to eq 403
     end
   end
 end
@@ -66,44 +67,48 @@ shared_examples_for 'api user with admin rights' do
 
   it 'should be able to perform show action' do
     get :show, id: @product.id, format: :json
-    response.should be_success
+    expect(response).to be_success
   end
 
   it 'should be able to perform show action for the hidden platform' do
     @product.platform.update_column :visibility, 'hidden'
     get :show, id: @product.id, format: :json
-    response.should be_success
+    expect(response).to be_success
   end
 
   it 'should be able to perform create action' do
     post :create, @create_params, format: :json
-    response.should be_success
+    expect(response).to be_success
   end
 
   it 'ensures that product has been created' do
-    lambda { post :create, @create_params, format: :json }.should change{ Product.count }.by(1)
+    expect do
+      post :create, @create_params, format: :json
+    end.to change(Product, :count).by(1)
   end
 
   [:update, :destroy].each do |action|
     it "should be able to perform #{action} action" do
       put action, id: @product.id, format: :json
-      response.should be_success
+      expect(response).to be_success
     end
   end
 
   it "ensures that product has been destroyed" do
-    lambda { put :destroy, id: @product.id, format: :json }.should change{ Product.count }.by(-1)
+    expect do
+      put :destroy, id: @product.id, format: :json
+    end.to change(Product, :count).by(-1)
   end
 
   it "ensures that product has been updated" do
     put :update, @update_params.merge(id: @product.id), format: :json
-    @product.reload.name.should == 'pro2'
-    @product.reload.time_living.should == 250*60 # in seconds
+    expect(@product.reload.name).to eq 'pro2'
+    expect(@product.reload.time_living).to eq 250*60 # in seconds
   end
 
   it 'ensures that return correct answer for wrong creating action' do
     post :create, format: :json
-    response.status.should == 403 # Maybe 422?
+    expect(response.status).to eq 403 # Maybe 422?
   end
 
   #[:update, :destroy].each do |action|
@@ -115,7 +120,7 @@ shared_examples_for 'api user with admin rights' do
 end
 
 describe Api::V1::ProductsController, type: :controller do
-  before(:each) do
+  before do
     stub_symlink_methods
 
     @product = FactoryGirl.create(:product)
@@ -124,12 +129,10 @@ describe Api::V1::ProductsController, type: :controller do
 
   context 'for guest' do
     it_should_behave_like 'api user without reader rights'
-
-
   end
 
   context 'for user' do
-    before(:each) do
+    before do
       http_login(@another_user)
     end