Are regular users authorized to invoke payments#purchase in the Spree API?
I'm getting a 401 unauthorized message when passing a Spree token to the
API.
My data looks as such from the Chrome network panel. Our users are
authenticated from a service external to Spree and its plugins and we are
trying to use tokens to authorize purchases.

Request URL:
http://localhost:3000/spree/api/orders/R576316807/payments/95/purchase

Request Headers
PUT http://localhost:3000/spree/api/orders/R576316807/payments/95/purchase HTTP/1.1
Accept: */*
Referer: http://localhost:3000/cart
Origin: http://localhost:3000
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Form Data
token=be52f4abff6276f834b2869a9d19d755fa17324fa81fd84a


  • Mdasu3 at Jul 23, 2013 at 4:48 pm
    My guess is that
    https://github.com/spree/spree/blob/abf38b0fa5a970953c86c73c7f1f2828c43cba3a/core/app/models/spree/ability.rb
    is the main permissions file and regular users are not authorized for the
    :purchase method.
  • Mdasu3 at Jul 23, 2013 at 6:12 pm
    My current solution is to add the following code in lib/purchase_ability.rb:

    class PurchaseAbility
      include CanCan::Ability

      # Grants :purchase on every Spree::Payment to any signed-in user.
      def initialize(user)
        can [:purchase], Spree::Payment if user.present? && !user.anonymous?
      end
    end

    Then in my initializer code:

    require 'purchase_ability'
    Spree::Ability.register_ability(PurchaseAbility)
  • Mdasu3 at Jul 26, 2013 at 1:08 am
    Revision:

    class PurchaseAbility
      include CanCan::Ability

      def initialize(user)
        if user.present? && !user.anonymous?
          # Only allow :purchase on payments whose order belongs to this user.
          can [:purchase], Spree::Payment do |payment|
            payment.order.user == user
          end
        end
      end
    end

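
The difference between the first PurchaseAbility and the revision above, as an added example that is not part of the thread or of Spree: it uses a small plain-Ruby stand-in for CanCan's `can`/`can?` so it runs without Rails, and compares who may `:purchase` a payment under each rule. `MiniAbility`, `User`, `Order`, `Payment`, the two ability class names and `purchase_matrix` are assumptions made for the illustration.

```ruby
# Stand-in for CanCan's `can` / `can?` (an assumption for this example,
# not the gem itself), so the two rules can be compared without Rails.
module MiniAbility
  def can(actions, subject, &condition)
    (@rules ||= []) << [Array(actions), subject, condition]
  end

  def can?(action, object)
    klass = object.is_a?(Class) ? object : object.class
    (@rules || []).any? do |actions, subject, condition|
      next false unless actions.include?(action) && klass <= subject
      # Like CanCan, a block condition is only evaluated for an instance;
      # a check against the bare class passes as soon as a rule exists.
      condition.nil? || object.is_a?(Class) || condition.call(object)
    end
  end
end

# Constructed stand-ins for Spree::User, Spree::Order and Spree::Payment.
User = Struct.new(:name, :anonymous) do
  def anonymous?
    anonymous
  end
end
Order   = Struct.new(:number, :user)
Payment = Struct.new(:id, :order)

# First version from the thread: any signed-in user, any payment.
class BroadPurchaseAbility
  include MiniAbility
  def initialize(user)
    can([:purchase], Payment) if user && !user.anonymous?
  end
end

# Revision from the thread: only payments on the user's own order.
class OwnerPurchaseAbility
  include MiniAbility
  def initialize(user)
    return unless user && !user.anonymous?
    can([:purchase], Payment) { |payment| payment.order.user == user }
  end
end

# Evaluates one ability class against a constructed payment owned by alice.
def purchase_matrix(ability_class)
  alice = User.new('alice', false)
  bob   = User.new('bob', false)
  guest = User.new('guest', true)
  alices_payment = Payment.new(95, Order.new('R576316807', alice))
  {
    owner:       ability_class.new(alice).can?(:purchase, alices_payment),
    other_user:  ability_class.new(bob).can?(:purchase, alices_payment),
    anonymous:   ability_class.new(guest).can?(:purchase, alices_payment),
    class_check: ability_class.new(bob).can?(:purchase, Payment)
  }
end

if __FILE__ == $PROGRAM_NAME
  p broad: purchase_matrix(BroadPurchaseAbility)
  p owner_only: purchase_matrix(OwnerPurchaseAbility)
end
```

The `class_check` entry is true under both rules, so the ownership block only protects the endpoint when the controller authorizes the loaded payment instance rather than the class.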
  • Daniel Carter at Jul 26, 2013 at 1:40 am
    Hi mdasu3,

    I'm just wondering if you have a specific use case in mind in which
    users need to be able to invoke 'purchase' on a payment? My
    understanding is that this is designed to be invoked by an
    administrator. When a user adds a payment to an order it is
    'authorize'-ed, after which it becomes available in the backend for an
    administrator to 'purchase' in order to 'complete' the payment.

    If you simply want all payments to be automatically 'purchase'-ed
    without requiring administrator intervention, perhaps Spree's
    'auto_capture' preference would be a good way to go?

    http://guides.spreecommerce.com/developer/preferences.html#site-wide-preferences

    Cheers,
    Daniel
  • Mdasu3 at Jul 30, 2013 at 7:23 pm
    I didn't realize that Spree already takes care of handling all the purchase
    information, so it wasn't necessary to call /purchase.
    Although we didn't end up using PurchaseAbility, we added an ability to be
    able to update addresses belonging to a user.
  • Ryan Bigg at Aug 2, 2013 at 12:32 am
    So is this all solved now for you?
  • David Su at Aug 2, 2013 at 4:38 am
    Yes this has been resolved.

  • Ryan Bigg at Aug 2, 2013 at 4:51 am
    Excellent, good to hear :)

Discussion Overview
group: spree-user
categories: rubyonrails
posted: Jul 23, '13 at 4:45p
active: Aug 2, '13 at 4:51a
posts: 9
users: 3
website: spreecommerce.com
irc: #RubyOnRails
