API v1 orders endpoints

app/controllers/api/v1/orders_controller.rb

@@ -0,0 +1,19 @@
+class Api::V1::OrdersController < Api::V1::BaseController
+  include Concerns::CollectionScope
+
+  before_action ->{ doorkeeper_authorize! 'orders:read', 'orders:write' }
+
+  def index
+    render_collection search_scope
+  end
+
+  def show
+    render json: scope.find(params.require(:id))
+  end
+
+  private
+
+  def scope
+    Order.includes(:supplier)
+  end
+end

app/controllers/concerns/auth_api.rb

@@ -53,14 +53,19 @@ module Concerns::AuthApi
     end
 
     case scope_parts.first
-    when 'user'           then true # access to the current user's own profile
-    when 'config'         then current_user.role_admin?
-    when 'users'          then current_user.role_admin?
-    when 'workgroups'     then current_user.role_admin?
-    when 'suppliers'      then current_user.role_suppliers?
-    when 'group_orders'   then current_user.role_orders?
-    when 'finance'        then current_user.role_finance?
+    when 'user'           then return true # access to the current user's own profile
+    when 'config'         then return current_user.role_admin?
+    when 'users'          then return current_user.role_admin?
+    when 'workgroups'     then return current_user.role_admin?
+    when 'suppliers'      then return current_user.role_suppliers?
+    when 'group_orders'   then return current_user.role_orders?
+    when 'finance'        then return current_user.role_finance?
     # please note that offline_access does not belong here, since it is not used for permission checking
     end
+
+    case scope
+    when 'orders:read'    then return true
+    when 'orders:write'   then return current_user.role_orders?
+    end
   end
 end