From 1c688ec4993815e6196c57679b8a0e359c2253ff Mon Sep 17 00:00:00 2001
From: Oliver Windall Juhl <59018053+olivermrbl@users.noreply.github.com>
Date: Thu, 6 Oct 2022 15:39:47 +0200
Subject: [PATCH] fix(medusa): Add allowed relations to order retrieval (#2370)

**What**
Add allowed relations to list orders and get order to throw appropriate error message + status code

**Test**
- Integration: Throw on invalid relation provided to list orders
- Integration: Add test suite get order
   - Successfully retrieve order with expand + fields
   - Throw on invalid relation provided
---
 .../api/__tests__/admin/order/order.js        | 64 +++++++++++++++++++
 .../src/api/routes/admin/orders/index.ts      |  7 +-
 2 files changed, 69 insertions(+), 2 deletions(-)

diff --git a/integration-tests/api/__tests__/admin/order/order.js b/integration-tests/api/__tests__/admin/order/order.js
index e6b59dd21c..e736e339c7 100644
--- a/integration-tests/api/__tests__/admin/order/order.js
+++ b/integration-tests/api/__tests__/admin/order/order.js
@@ -1431,6 +1431,22 @@ describe("/admin/orders", () => {
       )
     })
 
+    it("throws on invalid relation", async () => {
+      const api = useApi()
+
+      try {
+        await api.get("/admin/orders?fields=id&expand=variants", {
+          headers: {
+            authorization: "Bearer test_token",
+          },
+        })
+      } catch (error) {
+        expect(error.response.data.message).toBe(
+          "Relations [variants] are not valid"
+        )
+      }
+    })
+
     it("lists all orders with a fulfillment status = fulfilled and payment status = captured", async () => {
       const api = useApi()
 
@@ -2236,4 +2252,52 @@ describe("/admin/orders", () => {
       await expectCancelToReturn({ code: 200 })
     })
   })
+
+  describe("GET /admin/orders/:id", () => {
+    beforeEach(async () => {
+      await adminSeeder(dbConnection)
+      await orderSeeder(dbConnection)
+    })
+
+    afterEach(async () => {
+      const db = useDb()
+      await db.teardown()
+    })
+
+    it("retrieves an order with fields and expand", async () => {
+      const api = useApi()
+
+      const order = await api.get(
+        "/admin/orders/test-order?fields=id&expand=region",
+        {
+          headers: {
+            authorization: "Bearer test_token",
+          },
+        }
+      )
+
+      expect(order.status).toEqual(200)
+      expect(order.data.order).toEqual(
+        expect.objectContaining({
+          id: "test-order",
+        })
+      )
+    })
+
+    it("throws on invalid relation", async () => {
+      const api = useApi()
+
+      try {
+        await api.get("/admin/orders/test-order?fields=id&expand=variants", {
+          headers: {
+            authorization: "Bearer test_token",
+          },
+        })
+      } catch (error) {
+        expect(error.response.data.message).toBe(
+          "Relations [variants] are not valid"
+        )
+      }
+    })
+  })
 })
diff --git a/packages/medusa/src/api/routes/admin/orders/index.ts b/packages/medusa/src/api/routes/admin/orders/index.ts
index 073f11c898..675a6b927e 100644
--- a/packages/medusa/src/api/routes/admin/orders/index.ts
+++ b/packages/medusa/src/api/routes/admin/orders/index.ts
@@ -1,15 +1,15 @@
 import { Router } from "express"
 import "reflect-metadata"
 import { Order } from "../../../.."
+import SalesChannelFeatureFlag from "../../../../loaders/feature-flags/sales-channels"
 import {
   DeleteResponse,
   FindParams,
   PaginatedResponse,
 } from "../../../../types/common"
+import { FlagRouter } from "../../../../utils/flag-router"
 import middlewares, { transformQuery } from "../../../middlewares"
 import { AdminGetOrdersParams } from "./list-orders"
-import { FlagRouter } from "../../../../utils/flag-router"
-import SalesChannelFeatureFlag from "../../../../loaders/feature-flags/sales-channels"
 
 const route = Router()
 
@@ -30,6 +30,7 @@ export default (app, featureFlagRouter: FlagRouter) => {
       defaultRelations: relations,
       defaultFields: defaultAdminOrdersFields,
       allowedFields: allowedAdminOrdersFields,
+      allowedRelations: allowedAdminOrdersRelations,
       isList: true,
     }),
     middlewares.wrap(require("./list-orders").default)
@@ -44,6 +45,7 @@ export default (app, featureFlagRouter: FlagRouter) => {
       defaultRelations: relations,
       defaultFields: defaultAdminOrdersFields,
       allowedFields: allowedAdminOrdersFields,
+      allowedRelations: allowedAdminOrdersRelations,
       isList: false,
     }),
     middlewares.wrap(require("./get-order").default)
@@ -342,6 +344,7 @@ export const allowedAdminOrdersFields = [
 export const allowedAdminOrdersRelations = [
   "customer",
   "region",
+  "sales_channel",
   "billing_address",
   "shipping_address",
   "discounts",