API v1 orders endpoints

app/controllers/api/v1/orders_controller.rb

@@ -0,0 +1,19 @@
+class Api::V1::OrdersController < Api::V1::BaseController
+  include Concerns::CollectionScope
+
+  before_action ->{ doorkeeper_authorize! 'orders:read', 'orders:write' }
+
+  def index
+    render_collection search_scope
+  end
+
+  def show
+    render json: scope.find(params.require(:id))
+  end
+
+  private
+
+  def scope
+    Order.includes(:supplier)
+  end
+end

app/controllers/concerns/auth_api.rb

@@ -53,14 +53,19 @@ module Concerns::AuthApi
     end
 
     case scope_parts.first
-    when 'user'           then true # access to the current user's own profile
-    when 'config'         then current_user.role_admin?
-    when 'users'          then current_user.role_admin?
-    when 'workgroups'     then current_user.role_admin?
-    when 'suppliers'      then current_user.role_suppliers?
-    when 'group_orders'   then current_user.role_orders?
-    when 'finance'        then current_user.role_finance?
+    when 'user'           then return true # access to the current user's own profile
+    when 'config'         then return current_user.role_admin?
+    when 'users'          then return current_user.role_admin?
+    when 'workgroups'     then return current_user.role_admin?
+    when 'suppliers'      then return current_user.role_suppliers?
+    when 'group_orders'   then return current_user.role_orders?
+    when 'finance'        then return current_user.role_finance?
     # please note that offline_access does not belong here, since it is not used for permission checking
     end
+
+    case scope
+    when 'orders:read'    then return true
+    when 'orders:write'   then return current_user.role_orders?
+    end
   end
 end

app/models/order.rb

@@ -51,6 +51,14 @@ class Order < ApplicationRecord
   include DateTimeAttributeValidate
   date_time_attribute :starts, :boxfill, :ends
 
+  def self.ransackable_attributes(auth_object = nil)
+    %w(id state supplier_id starts boxfill ends pickup)
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    %w(supplier articles order_articles)
+  end
+
   def stockit?
     supplier_id.nil?
   end
@@ -111,11 +119,11 @@ class Order < ApplicationRecord
   end
 
   def boxfill?
-    FoodsoftConfig[:use_boxfill] && open? && boxfill.present? && boxfill < Time.now
+    !!FoodsoftConfig[:use_boxfill] && open? && boxfill.present? && boxfill < Time.now
   end
 
   def is_boxfill_useful?
-    FoodsoftConfig[:use_boxfill] && supplier.try(:has_tolerance?)
+    !!FoodsoftConfig[:use_boxfill] && !!supplier.try(:has_tolerance?)
   end
 
   def expired?

app/models/supplier.rb

@@ -23,6 +23,14 @@ class Supplier < ApplicationRecord
   scope :undeleted, -> { where(deleted_at: nil) }
   scope :having_articles, -> { where(id: Article.undeleted.select(:supplier_id).distinct) }
 
+  def self.ransackable_attributes(auth_object = nil)
+    %w(id name)
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    %w(articles stock_articles orders)
+  end
+
   # sync all articles with the external database
   # returns an array with articles(and prices), which should be updated (to use in a form)
   # also returns an array with outlisted_articles, which should be deleted

app/serializers/order_serializer.rb

@@ -0,0 +1,11 @@
+class OrderSerializer < ActiveModel::Serializer
+  attributes :id, :name, :starts, :ends, :boxfill, :pickup, :is_open, :is_boxfill
+
+  def is_open
+    object.open?
+  end
+
+  def is_boxfill
+    object.boxfill?
+  end
+end