I would like to create a role which is not the admin that can create order in the spree backend, but I couldn't find the combination of actions that I need to activate for that user. I tried adding the default user permission and allow role to :manage Order, LineItem, Product, Variant to no success. Right now the role can create new order, but when I search for product to add to cart, the API controller would not allow it.
Update:
I try disabling the authentication for the API Spree::Api::Config[:requires_authentication] = false and it solve the problem. So it's definitely a problem with API authentication.
I am using solidus which is a fork of spree 2.4
can_be_like_customer
can :manage, Spree::Order
can :manage, Spree::LineItem
can :manage, Spree::Product
can :manage, Spree::Variant
def can_be_like_customer
can :display, Spree::Country
can :display, Spree::OptionType
can :display, Spree::OptionValue
can :create, Spree::Order
can [:read, :update], Spree::Order do |order, token|
order.user == user || order.guest_token && token == order.guest_token
end
can :display, Spree::Product
can :display, Spree::ProductProperty
can :display, Spree::Property
can :create, Spree.user_class
can :display, Spree::State
can :display, Spree::Taxon
can :display, Spree::Taxonomy
can :display, Spree::Variant
can :display, Spree::Zone
end
Log from terminal
Processing by Spree::Api::VariantsController#index as JSON
Parameters: {"q"=>{"product_name_or_sku_cont"=>"bag"}, "token"=>"", "in_stock_only"=>"true", "_"=>"1447839886731"}
Spree::User Load (0.4ms) SELECT "spree_users".* FROM "spree_users" WHERE "spree_users"."deleted_at" IS NULL AND "spree_users"."spree_api_key" = $1 LIMIT 1 [["spree_api_key", ""]]
Rendered /Users/harins/.rbenv/versions/2.2.1/lib/ruby/gems/2.2.0/gems/solidus_api-1.0.2/app/views/spree/api/errors/must_specify_api_key.v1.rabl (0.7ms)
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 1778ms (Views: 1775.1ms | ActiveRecord: 0.4ms)
