Add restriction for metadata update after order is complete

JustShah · JustShah · commit 678750d7cc98 · 2025-02-18T12:13:21.000+05:30
User cannot update customer_metadata after the status of order is complete
diff --git a/api/app/controllers/spree/api/orders_controller.rb b/api/app/controllers/spree/api/orders_controller.rb
@@ -112,12 +112,19 @@ def mine
       def order_params
         if params[:order]
           normalize_params
+          prevent_customer_metadata_update
           params.require(:order).permit(permitted_order_attributes)
         else
           {}
         end
       end
 
+      def prevent_customer_metadata_update
+        return unless @order&.completed? && cannot?(:admin, Spree::Order)
+
+        params[:order].delete(:customer_metadata) if params[:order]
+      end
+
       def normalize_params
         if params[:order][:payments]
           payments_params = params[:order].delete(:payments)
diff --git a/api/spec/requests/spree/api/orders_spec.rb b/api/spec/requests/spree/api/orders_spec.rb
@@ -128,6 +128,17 @@ module Spree::Api
 
           expect(json_response).not_to have_key('admin_metadata')
         end
+
+        it "cannot update customer metadata if the order is complete" do
+          order = create(:order)
+          order.completed_at = Time.current
+          order.state = 'complete'
+          order.save!
+
+          put spree.api_order_path(order), params: { order: attributes_with_metadata }
+
+          expect(json_response['customer_metadata']).to eq({})
+        end
       end
 
       context "when the current user can administrate the order" do
