Manually generate

* feat: Add API token generation and authentication

This commit introduces API token generation and authentication for write operations.

- Adds a section to the user's profile edit page to generate and display an API token.
- Reuses the `authentications` table to store the API token, avoiding the need for a database migration.
- Implements token-based authentication for the API using the `Authorization: Token token=...` header.
- Enables write operations for all API resources and ensures they are protected by the new authentication mechanism.
- Adds feature and request specs to test the new functionality.

* feat: Add API token generation and authentication

This commit introduces API token generation and authentication for write operations.

- Adds a section to the user's profile edit page to generate and display an API token.
- Reuses the `authentications` table to store the API token, avoiding the need for a database migration.
- Implements token-based authentication for the API using the `Authorization: Token token=...` header.
- Enables write operations for all API resources and ensures they are protected by the new authentication mechanism.
- Adds feature and request specs to test the new functionality.

* Mark as editable

* Refactor

* WIP - Authentication

* Implement more test coverage

* Split 401 and 403

* Before Create hooks

* Update harvest specs, defaulting to the first plant part - this may not be right

* Update coverage

* Update coverage

* Rubocop

* Rubocop

* Rubocop

* Fix coverage

* For now, mark photos immutable again

* Fix specs

* Fix specs

* Rubocop

* Fix specs

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Daniel O'Connor <daniel.oconnor@gmail.com>

.github/workflows/ci-features-admin.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -100,3 +100,10 @@ jobs:
 
       - name: Run rspec (admin/)
         run: bundle exec rspec spec/features/admin/ -fd -t ~@flaky
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-comments.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -100,3 +100,10 @@ jobs:
 
       - name: Run rspec (comments/)
         run: bundle exec rspec spec/features/comments/ -fd -t ~@flaky
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-conversations.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -101,3 +101,9 @@ jobs:
       - name: Run rspec (conversations/)
         run: bundle exec rspec spec/features/conversations/ -fd -t ~@flaky
 
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-crops.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -100,3 +100,10 @@ jobs:
 
       - name: Run rspec (crops/)
         run: bundle exec rspec spec/features/crops/ -fd -t ~@flaky
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-gardens.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -100,3 +100,10 @@ jobs:
 
       - name: Run rspec (gardens/)
         run: bundle exec rspec spec/features/gardens/ -fd -t ~@flaky
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-harvests.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -99,4 +99,11 @@ jobs:
         run: bundle exec rails search:reindex
 
       - name: Run rspec (harvests/)
-        run: bundle exec rspec spec/features/harvests/ -fd -t ~@flaky
+        run: bundle exec rspec spec/features/harvests/ -fd -t ~@flaky
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-home.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -99,4 +99,11 @@ jobs:
         run: bundle exec rails search:reindex
 
       - name: Run rspec (home/)
-        run: bundle exec rspec spec/features/home/ -fd -t ~@flaky
+        run: bundle exec rspec spec/features/home/ -fd -t ~@flaky
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-members.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -99,4 +99,11 @@ jobs:
         run: bundle exec rails search:reindex
 
       - name: Run rspec (members/)
-        run: bundle exec rspec spec/features/members/ -fd -t ~@flaky
+        run: bundle exec rspec spec/features/members/ -fd -t ~@flaky
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-places.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -100,3 +100,10 @@ jobs:
 
       - name: Run rspec (places/)
         run: bundle exec rspec spec/features/places/ -fd
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-plantings.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -100,3 +100,10 @@ jobs:
 
       - name: Run rspec (plantings/)
         run: bundle exec rspec spec/features/plantings/ -fd
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-posts.yml

@@ -1,4 +1,4 @@
-name: CI Features - Admin
+name: CI Features - Posts
 
 on: [pull_request]
 
@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -100,3 +100,10 @@ jobs:
 
       - name: Run rspec (posts/)
         run: bundle exec rspec spec/features/posts/ -fd
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-seeds.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -100,3 +100,10 @@ jobs:
 
       - name: Run rspec (seeds/)
         run: bundle exec rspec spec/features/seeds/ -fd -t ~@flaky
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features-timeline.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -99,4 +99,11 @@ jobs:
         run: bundle exec rails search:reindex
 
       - name: Run rspec (timeline/)
-        run: bundle exec rspec spec/features/timeline/ -fd -t ~@flaky
+        run: bundle exec rspec spec/features/timeline/ -fd -t ~@flaky
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci-features.yml

@@ -74,7 +74,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 
@@ -108,4 +108,11 @@ jobs:
         run: bundle exec rspec spec/features/photos/ -fd
 
       - name: Run rspec (rss/)
-        run: bundle exec rspec spec/features/rss/ -fd
+        run: bundle exec rspec spec/features/rss/ -fd
+
+      - name: Upload screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: screenshots
+          path: tmp/screenshots

.github/workflows/ci.yml

@@ -89,7 +89,7 @@ jobs:
           sudo apt-get -y install libpq-dev google-chrome-stable
 
       - name: Install NodeJS
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '12'
 

.rubocop_todo.yml

@@ -314,7 +314,7 @@ RSpec/MultipleExpectations:
 # Offense count: 138
 # Configuration parameters: AllowSubject.
 RSpec/MultipleMemoizedHelpers:
-  Max: 14
+  Max: 20
 
 # Offense count: 133
 # Configuration parameters: EnforcedStyle, IgnoreSharedExamples.

Gemfile

@@ -178,7 +178,6 @@ group :development, :test do
   gem 'dotenv-rails'
 
   # cli utils
-  gem 'haml-i18n-extractor', require: false
   gem 'haml_lint', '>= 0.25.1', require: false # Checks haml files for goodness
   gem 'i18n-tasks', require: false # adds tests for finding missing and unused translations
   gem 'rspectre', require: false # finds unused code in specs

Gemfile.lock

@@ -142,7 +142,7 @@ GEM
       erubi (>= 1.0.0)
       rack (>= 0.9.0)
       rouge (>= 1.0.0)
-    bigdecimal (3.2.2)
+    bigdecimal (3.2.3)
     bluecloth (2.2.0)
     bonsai-elasticsearch-rails (7.0.1)
       elasticsearch-model (< 8)
@@ -198,7 +198,7 @@ GEM
     comfy_bootstrap_form (4.0.9)
       rails (>= 5.0.0)
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.3)
+    connection_pool (2.5.4)
     crass (1.0.6)
     crowdin-api (1.12.0)
       open-uri (>= 0.1.0, < 0.2.0)
@@ -257,9 +257,9 @@ GEM
     excon (1.2.5)
       logger
     execjs (2.10.0)
-    factory_bot (6.5.4)
+    factory_bot (6.5.5)
       activesupport (>= 6.1.0)
-    factory_bot_rails (6.5.0)
+    factory_bot_rails (6.5.1)
       factory_bot (~> 6.5)
       railties (>= 6.1.0)
     faker (3.5.2)
@@ -294,12 +294,6 @@ GEM
       temple (>= 0.8.2)
       thor
       tilt
-    haml-i18n-extractor (0.5.9)
-      activesupport
-      haml
-      highline
-      tilt
-      trollop (= 1.16.2)
     haml-rails (2.1.0)
       actionpack (>= 5.1)
       activesupport (>= 5.1)
@@ -463,8 +457,8 @@ GEM
       racc
     percy-capybara (5.0.0)
       capybara (>= 3)
-    pg (1.6.1)
-    pg (1.6.1-x86_64-linux)
+    pg (1.6.2)
+    pg (1.6.2-x86_64-linux)
     platform-api (3.8.0)
       heroics (~> 0.1.1)
       moneta (~> 1.0.0)
@@ -481,7 +475,7 @@ GEM
       date
       stringio
     public_suffix (6.0.1)
-    puma (6.6.1)
+    puma (7.0.2)
       nio4r (~> 2.0)
     query_diet (0.7.2)
     racc (1.8.1)
@@ -607,7 +601,7 @@ GEM
     rswag-ui (2.16.0)
       actionpack (>= 5.2, < 8.1)
       railties (>= 5.2, < 8.1)
-    rubocop (1.80.1)
+    rubocop (1.80.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -636,7 +630,7 @@ GEM
     rubocop-rake (0.7.1)
       lint_roller (~> 1.1)
       rubocop (>= 1.72.1)
-    rubocop-rspec (3.6.0)
+    rubocop-rspec (3.7.0)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
     rubocop-rspec_rails (2.31.0)
@@ -694,14 +688,13 @@ GEM
     temple (0.10.4)
     terminal-table (4.0.0)
       unicode-display_width (>= 1.1.1, < 4)
-    terser (1.2.5)
+    terser (1.2.6)
       execjs (>= 0.3.0, < 3)
     thor (1.4.0)
     thread_safe (0.3.6)
     tilt (2.6.1)
     timecop (0.9.10)
     timeout (0.4.3)
-    trollop (1.16.2)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (3.1.5)
@@ -788,7 +781,6 @@ DEPENDENCIES
   gibbon (~> 1.2.0)
   gravatar-ultimate
   haml
-  haml-i18n-extractor
   haml-rails
   haml_lint (>= 0.25.1)
   hashie (>= 3.5.3)

README.md

@@ -17,7 +17,9 @@ encourage participation from people of all backgrounds and skill levels.
 ## Want to contribute?
 
 Don't ask to ask, the best way to get started is to fork the project, start a codespace and get hacking.
-Dive on in and submit your PRs.
+Dive on in and submit your PRs!
+
+Vibe Coding is more than okay, just make sure you indicate if you have done so and ensure there are tests.
 
 ## Important links
 
@@ -35,6 +37,10 @@ frontend features. We welcome contributions -- see
 * To set up your development environment, see [Getting started](https://github.com/Growstuff/growstuff/wiki/New-contributor-guide).
 * You may also be interested in our [API](https://github.com/Growstuff/growstuff/wiki/API).
 
+### For Home Automation enthusiasts
+
+https://github.com/Growstuff/homeassistant-growstuff/
+
 ## For designers, writers, researchers, data wranglers, and other contributors
 
 There are heaps of ways to get involved and contribute no matter what

app/assets/stylesheets/overrides.scss

@@ -132,6 +132,8 @@ section {
     border-radius: 5%;
     margin: 0.5em 0.5em 0.5em 0;
     width: 200px;
+    align-items: stretch;
+    justify-content: space-between;
 
     .img-card {
       border-top-left-radius: 5%;

app/controllers/api/v1/activities_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Api
+  module V1
+    class ActivitiesController < BaseController
+    end
+  end
+end

app/controllers/api/v1/base_controller.rb

@@ -4,6 +4,40 @@ module Api
   module V1
     class BaseController < JSONAPI::ResourceController
       abstract
+      protect_from_forgery with: :null_session
+      before_action :authenticate_member_from_token!
+      before_action :enforce_member_for_write_operations!, only: %i(create update destroy)
+      rescue_from CanCan::AccessDenied do
+        head :forbidden
+      end
+
+      def context
+        {
+          current_user:    current_user,
+          current_ability: current_ability,
+          controller:      self,
+          action:          params[:action]
+        }
+      end
+
+      private
+
+      attr_reader :current_user
+
+      def enforce_member_for_write_operations!
+        head :unauthorized unless current_user
+      end
+
+      def authenticate_member_from_token!
+        authenticate_with_http_token do |token, _options|
+          auth = Authentication.find_by(token: token, provider: 'api')
+          if auth.present?
+            @current_user = auth.member
+
+            return true
+          end
+        end
+      end
     end
   end
 end

app/controllers/crops_controller.rb

@@ -192,6 +192,8 @@ class CropsController < ApplicationController
       :parent_id, :perennial,
       :request_notes, :reason_for_rejection,
       :rejection_notes,
+      :row_spacing, :spread, :height,
+      :sowing_method, :sun_requirements, :growing_degree_days,
       scientific_names_attributes: %i(scientific_name _destroy id)
     )
   end

app/controllers/gardens_controller.rb

@@ -20,6 +20,7 @@ class GardensController < DataController
   def show
     @current_plantings = @garden.plantings.current.where.not(failed: true).includes(:crop, :owner).order(planted_at: :desc)
     @current_activities = @garden.activities.current.includes(:owner).order(created_at: :desc)
+    @finished_activities = @garden.activities.finished.includes(:owner).order(created_at: :desc)
     @finished_plantings = @garden.plantings.finished.includes(:crop)
     @suggested_companions = Crop.approved.where(
       id: CropCompanion.where(crop_a_id: @current_plantings.select(:crop_id)).select(:crop_b_id)

app/controllers/plantings_controller.rb

@@ -37,6 +37,7 @@ class PlantingsController < DataController
     @photos = @planting.photos.includes(:owner).order(date_taken: :desc)
     @harvests = Harvest.search(where: { planting_id: @planting.id })
     @current_activities = @planting.activities.current.includes(:owner).order(created_at: :desc)
+    @finished_activities = @planting.activities.finished.includes(:owner).order(created_at: :desc)
     @matching_seeds = matching_seeds
     @crop = @planting.crop
 
@@ -133,7 +134,7 @@ class PlantingsController < DataController
       :crop_id, :description, :garden_id, :planted_at,
       :parent_seed_id,
       :quantity, :sunniness, :planted_from, :finished,
-      :finished_at, :failed
+      :finished_at, :failed, :overall_rating
     )
   end
 

app/controllers/registrations_controller.rb

@@ -38,6 +38,12 @@ class RegistrationsController < Devise::RegistrationsController
     end
   end
 
+  def regenerate_api_token
+    current_member.regenerate_api_token
+    set_flash_message :notice, :api_token_regenerated
+    redirect_to edit_member_registration_path + '#apps'
+  end
+
   def destroy
     if @member.valid_password?(params.require(:member)[:current_password])
       @member.discard

app/controllers/seeds_controller.rb

@@ -43,6 +43,7 @@ class SeedsController < DataController
 
   def new
     @seed = Seed.new
+    @seed.source = 'my own seed saving'
 
     if params[:planting_slug]
       @planting = Planting.find_by(slug: params[:planting_slug])
@@ -56,6 +57,7 @@ class SeedsController < DataController
 
   def create
     @seed = Seed.new(seed_params)
+    @seed.source ||= 'my own seed saving'
     @seed.finished ||= false
     @seed.owner = current_member
     @seed.crop = @seed.parent_planting.crop if @seed.parent_planting
@@ -84,7 +86,7 @@ class SeedsController < DataController
       :crop_id, :description, :quantity, :plant_before,
       :parent_planting_id, :saved_at,
       :days_until_maturity_min, :days_until_maturity_max,
-      :organic, :gmo,
+      :organic, :gmo, :source,
       :heirloom, :tradable_to, :slug,
       :finished, :finished_at
     )

app/helpers/application_helper.rb

@@ -21,6 +21,28 @@ module ApplicationHelper
     classes
   end
 
+  # Similar to Rails' time_ago_in_words, but gives a more standard
+  # output like "in 3 days" or "5 months ago".
+  # Also handles the case where from_time is a Date and to_time is a Date
+  # (in which case it just says "today" if they're the same date).
+  #
+  # NOTE: This is similar to distance_of_time_in_words but different enough
+  # that I think it's worth having a separate helper for it.
+  #
+  # from_time - the starting time (Time or Date)
+  # to_time - the ending time (Time or Date). Default: now (Time.zone.now)
+  # include_seconds - whether to include seconds in the calculation
+  #
+  # Returns a string like "in 3 days" or "5 months ago"
+  def standard_time_distance(from_time, to_time = 0, include_seconds = false)
+    return 'today' if from_time.is_a?(Date) && (from_time == to_time)
+
+    return 'now' if from_time == to_time
+    return "#{distance_of_time_in_words(from_time, to_time, include_seconds:)} ago" if from_time < to_time
+
+    "in #{distance_of_time_in_words(from_time, to_time, include_seconds:)}"
+  end
+
   def count_github_contibutors
     File.open(Rails.root.join('CONTRIBUTORS.md')).readlines.grep(/^-/).size
   end

app/helpers/event_helper.rb

@@ -7,6 +7,8 @@ module EventHelper
 
   def event_description(event)
     render "#{event.event_type.pluralize}/description", event_model: resolve_model(event)
+rescue ActionView::MissingTemplate
+  "#{event.event_type.humanize.downcase}d"
   end
 
   def resolve_model(event)

app/models/activity.rb

@@ -30,4 +30,20 @@ class Activity < ApplicationRecord
   def to_s
     name
   end
+
+  def garden_name
+    garden&.name
+  end
+
+  def garden_slug
+    garden&.slug
+  end
+
+  def planting_name
+    planting&.crop&.name
+  end
+
+  def planting_slug
+    planting&.crop&.slug
+  end
 end

app/models/concerns/open_farm_data.rb

@@ -8,14 +8,6 @@ module OpenFarmData
       fetch_attr('main_image_path')
     end
 
-    def height
-      fetch_attr('height')
-    end
-
-    def spread
-      fetch_attr('spread')
-    end
-
     def svg_icon
       icon = fetch_attr('svg_icon')
       return icon if icon.present?
@@ -31,10 +23,6 @@ module OpenFarmData
       fetch_attr('description')
     end
 
-    def row_spacing
-      fetch_attr('row_spacing')
-    end
-
     def common_names
       fetch_attr('common_names')
     end
@@ -43,22 +31,10 @@ module OpenFarmData
       fetch_attr('binomial_name')
     end
 
-    def sowing_method
-      fetch_attr('sowing_method')
-    end
-
     def main_image_path
       fetch_attr('main_image_path')
     end
 
-    def sun_requirements
-      fetch_attr('sun_requirements')
-    end
-
-    def growing_degree_days
-      fetch_attr('growing_degree_days')
-    end
-
     def processing_pictures
       fetch_attr('processing_pictures')
     end

app/models/concerns/search_activities.rb

@@ -9,7 +9,9 @@ module SearchActivities
                mappings:       {
                  properties: {
                    active:     { type: :boolean },
-                   created_at: { type: :integer }
+                   created_at: { type: :integer },
+                   updated_at: { type: :integer },
+                   due_date:   { type: :date }
                  }
                }
 
@@ -23,8 +25,10 @@ module SearchActivities
         category:,
         garden_id:,
         garden_name:      garden&.name,
+        garden_slug:      garden&.garden_slug,
         planting_id:,
         planting_name:    planting&.crop&.name,
+        planting_slug:    planting&.slug,
         description:,
 
         # owner

app/models/member.rb

@@ -24,6 +24,20 @@ class Member < ApplicationRecord
   has_many :notifications, foreign_key: 'recipient_id', inverse_of: :recipient
   has_many :sent_notifications, foreign_key: 'sender_id', inverse_of: :sender, class_name: "Notification"
   has_many :authentications, dependent: :destroy
+  has_one :api_token, -> { where(provider: 'api') }, class_name: 'Authentication', dependent: :destroy
+
+  def api_token?
+    api_token.present?
+  end
+
+  def regenerate_api_token
+    api_token.destroy if api_token?
+    create_api_token(
+      provider: 'api',
+      uid:      id,
+      token:    SecureRandom.hex(16)
+    )
+  end
   has_many :photos, inverse_of: :owner
   has_many :likes, dependent: :destroy
 

app/models/photo.rb

@@ -46,7 +46,8 @@ class Photo < ApplicationRecord
     flickr = owner.flickr
     info = flickr.photos.getInfo(photo_id: source_id)
     licenses = flickr.photos.licenses.getInfo
-    license = licenses.find { |l| l.id == info.license }
+    license = licenses.find { |l| l.id.to_i == info.license.to_i }
+    Rails.logger.error("Cannot find license: " + [info.license, licenses].inspect) unless license
     {
       title:         calculate_title(info),
       license_name:  license.name,

app/models/planting.rb

@@ -83,6 +83,9 @@ class Planting < ApplicationRecord
   validates :planted_from, allow_blank: true, inclusion: {
     in: PLANTED_FROM_VALUES, message: "%<value>s is not a valid planting method"
   }
+  validates :overall_rating, allow_blank: true, numericality: {
+    only_integer: true, greater_than_or_equal_to: 1, less_than_or_equal_to: 5
+  }
 
   def planting_slug
     [

app/models/seed.rb

@@ -12,6 +12,8 @@ class Seed < ApplicationRecord
   ORGANIC_VALUES = ['certified organic', 'non-certified organic', 'conventional/non-organic', 'unknown'].freeze
   GMO_VALUES = ['certified GMO-free', 'non-certified GMO-free', 'GMO', 'unknown'].freeze
   HEIRLOOM_VALUES = %w(heirloom hybrid unknown).freeze
+  SOURCE_VALUES = ['seed catalogue', 'retail outlet', 'seed bank or similar institution',
+                   'traded from another person', 'my own seed saving', 'other/unknown'].freeze
 
   #
   # Relationships
@@ -44,6 +46,9 @@ class Seed < ApplicationRecord
   validates :heirloom, allow_blank: false,
                        inclusion:   { in: HEIRLOOM_VALUES, message: "You must say whether the seeds" \
                                                                     "are heirloom, hybrid, or unknown" }
+  validates :source, allow_blank: true,
+                     inclusion:   { in: SOURCE_VALUES, message: "You must say where the seeds are from," \
+                                                                 "or that you don't know" }
 
   #
   # Delegations

app/resources/api/v1/activity_resource.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Api
+  module V1
+    class ActivityResource < BaseResource
+      before_create do
+        @model.owner = context[:current_user]
+      end
+
+      has_one :owner, class_name: 'Member'
+      has_one :garden
+      has_one :planting
+
+      attribute :name
+      attribute :description
+      attribute :category
+      attribute :finished
+      attribute :due_date
+
+      filter :owner
+      filter :owner_id
+      filter :garden
+      filter :garden_id
+      filter :planting
+      filter :planting_id
+      filter :category
+    end
+  end
+end

app/resources/api/v1/crop_resource.rb

@@ -3,8 +3,7 @@
 module Api
   module V1
     class CropResource < BaseResource
-      immutable
-
+      immutable # TODO: Re-evaluate this later
       filter :approval_status, default: 'approved'
 
       has_many :plantings

app/resources/api/v1/garden_resource.rb

@@ -3,13 +3,22 @@
 module Api
   module V1
     class GardenResource < BaseResource
-      immutable
+      before_create do
+        @model.owner = context[:current_user]
+      end
 
       has_one :owner, class_name: 'Member'
       has_many :plantings
       has_many :photos
 
       attribute :name
+
+      filter :owner
+      filter :owner_id
+      filter :active
+      filter :garden_type
+      filter :location
+      filter :slug
     end
   end
 end

app/resources/api/v1/harvest_resource.rb

@@ -3,11 +3,17 @@
 module Api
   module V1
     class HarvestResource < BaseResource
-      immutable
+      before_save do
+        @model.owner = context[:current_user]
+        @model.crop_id = @model.planting.crop_id if @model.planting_id
+        @model.harvested_at = Time.zone.now if @model.harvested_at.blank?
+        @model.plant_part = PlantPart.first
+      end
 
       has_one :crop
       has_one :planting
       has_one :owner, class_name: 'Member'
+      # has_one :plant_part
       has_many :photos
 
       attribute :harvested_at
@@ -16,6 +22,15 @@ module Api
       attribute :weight_quantity
       attribute :weight_unit
       attribute :si_weight
+
+      filter :owner
+      filter :owner_id
+      filter :crop
+      filter :crop_id
+      filter :planting
+      filter :planting_id
+      filter :plant_part
+      filter :harvested_at
     end
   end
 end

app/resources/api/v1/photo_resource.rb

@@ -3,7 +3,10 @@
 module Api
   module V1
     class PhotoResource < BaseResource
-      immutable
+      immutable # TODO: Re-evaluate this.
+      before_create do
+        @model.owner = context[:current_user]
+      end
 
       has_one :owner, class_name: 'Member'
       has_many :plantings

app/resources/api/v1/planting_resource.rb

@@ -3,7 +3,9 @@
 module Api
   module V1
     class PlantingResource < BaseResource
-      immutable
+      before_create do
+        @model.owner = context[:current_user]
+      end
 
       has_one :garden
       has_one :crop
@@ -36,6 +38,10 @@ module Api
       filter :owner
       filter :owner_id
       filter :finished
+      filter :active, apply: ->(records, _value, _options) { records.active }
+      filter :failed, apply: ->(records, _value, _options) { records.failed }
+      filter :sunniness
+      filter :perennial, apply: ->(records, _value, _options) { records.perennial }
 
       attribute :percentage_grown
       delegate :percentage_grown, to: :@model

app/resources/api/v1/seed_resource.rb

@@ -3,7 +3,9 @@
 module Api
   module V1
     class SeedResource < BaseResource
-      immutable
+      before_create do
+        @model.owner = context[:current_user]
+      end
 
       has_one :owner, class_name: 'Member'
       has_one :crop
@@ -17,6 +19,15 @@ module Api
       attribute :organic
       attribute :gmo
       attribute :heirloom
+
+      filter :owner
+      filter :owner_id
+      filter :crop
+      filter :crop_id
+      filter :tradable_to
+      filter :organic
+      filter :gmo
+      filter :heirloom
     end
   end
 end

app/resources/base_resource.rb

@@ -1,6 +1,16 @@
 # frozen_string_literal: true
 
 class BaseResource < JSONAPI::Resource
-  immutable
   abstract
+
+  [:create, :update, :remove].each do |action|
+    set_callback action, :before, :authorize
+  end
+
+  # Check authorisation for write operations.
+  # NOTE: At a later time, we may require API tokens for READ operations.
+  def authorize
+    # context[:action] is simply context[:controller].params[:action]
+    context[:current_ability].authorize! context[:action].to_sym, @model
+  end
 end

app/services/openfarm_service.rb

@@ -1,108 +0,0 @@
-# frozen_string_literal: true
-
-BASE = 'https://openfarm.cc/api/v1/'
-# BASE = 'http://127.0.0.1:3000/api/v1/'
-
-class OpenfarmService
-  def initialize
-    @cropbot = Member.find_by(login_name: 'cropbot')
-  end
-
-  def import!
-    Crop.all.order(updated_at: :desc).each do |crop|
-      Rails.logger.debug { "#{crop.id}, #{crop.name}" }
-      update_crop(crop) if crop.valid?
-    end
-  end
-
-  def update_crop(crop)
-    openfarm_record = fetch(crop.name)
-    if openfarm_record.present? && openfarm_record.is_a?(String)
-      Rails.logger.info(openfarm_record)
-    elsif openfarm_record.present? && openfarm_record.fetch('data', false)
-      crop.update! openfarm_data: openfarm_record.fetch('data', false)
-      save_companions(crop, openfarm_record)
-      save_photos(crop)
-    else
-      Rails.logger.debug "\tcrop not found on Open Farm"
-      crop.update!(openfarm_data: false)
-    end
-  end
-
-  def save_companions(crop, openfarm_record)
-    companions = openfarm_record.fetch('data').fetch('relationships').fetch('companions').fetch('data')
-    crops = openfarm_record.fetch('included', []).select { |rec| rec["type"] == 'crops' }
-    CropCompanion.transaction do
-      companions.each do |com|
-        companion_crop_hash = crops.detect { |c| c.fetch('id') == com.fetch('id') }
-        companion_crop_name = companion_crop_hash.fetch('attributes').fetch('name').downcase
-        companion_crop = Crop.where('lower(name) = ?', companion_crop_name).first
-        companion_crop = Crop.create!(name: companion_crop_name, requester: @cropbot, approval_status: "pending") if companion_crop.nil?
-        crop.companions << companion_crop unless crop.companions.where(id: companion_crop.id).any?
-      end
-    end
-  end
-
-  def save_photos(crop)
-    pictures = fetch_pictures(crop.name)
-    pictures.each do |picture|
-      data = picture.fetch('attributes')
-      Rails.logger.debug(data)
-      next unless data.fetch('image_url').start_with? 'http'
-      next if Photo.find_by(source_id: picture.fetch('id'), source: 'openfarm')
-
-      photo = Photo.new(
-        source_id:     picture.fetch('id'),
-        source:        'openfarm',
-        owner:         @cropbot,
-        thumbnail_url: data.fetch('thumbnail_url'),
-        fullsize_url:  data.fetch('image_url'),
-        title:         'Open Farm photo',
-        license_name:  'No rights reserved',
-        link_url:      "https://openfarm.cc/en/crops/#{name_to_slug(crop.name)}"
-      )
-      if photo.valid?
-        Photo.transaction do
-          photo.save
-          PhotoAssociation.find_or_create_by! photo:, photographable: crop
-        end
-        Rails.logger.debug { "\t saved photo #{photo.id} #{photo.source_id}" }
-      else
-        Rails.logger.warn "Photo not valid"
-      end
-    end
-  end
-
-  def fetch(name)
-    conn.get("crops/#{name_to_slug(name)}.json").body
-  rescue NoMethodError
-    Rails.logger.debug "error fetching crop"
-    Rails.logger.debug "BODY: "
-    Rails.logger.debug body
-  end
-
-  def name_to_slug(name)
-    CGI.escape(name.gsub(' ', '-').downcase)
-  end
-
-  def fetch_all(page)
-    conn.get("crops.json?page=#{page}").body.fetch('data', {})
-  end
-
-  def fetch_pictures(name)
-    body = conn.get("crops/#{name_to_slug(name)}/pictures.json").body
-    body.fetch('data', false)
-  rescue StandardError
-    Rails.logger.debug "Error fetching photos"
-    Rails.logger.debug []
-  end
-
-  private
-
-  def conn
-    Faraday.new BASE do |conn|
-      conn.response :json, content_type: /\bjson$/
-      conn.adapter Faraday.default_adapter
-    end
-  end
-end

app/services/timeline_service.rb

@@ -18,10 +18,20 @@ class TimelineService
       .union_all(photos_query)
       .union_all(seeds_query)
       .union_all(activities_query)
+      .union_all(likes_query)
       .where.not(event_at: nil)
       .order(event_at: :desc)
   end
 
+  def self.likes_query
+    Like
+      .select("likes.id",
+              "'like' as event_type",
+              "likes.created_at as event_at",
+              "likes.member_id as owner_id",
+              "null as crop_id")
+  end
+
   def self.activities_query
     Activity.select(
       :id,

app/views/activities/_card.html.haml

@@ -20,16 +20,24 @@
               - if can? :destroy, activity
                 .dropdown-divider
                 = delete_button(activity, classes: 'dropdown-item text-danger')
-    = link_to activity_path(slug: activity.slug) do
-      .card-body.text-center
+    .card-body
+      = link_to activity_path(slug: activity.slug) do
         %h4= activity.name
-        .text-center= activity.description
-        - if activity.garden
-          .text-center= activity.garden
-        - if activity.planting
-          .text-center= activity.planting
+        - if activity.due_date
+          %small.due-date{title: activity.due_date}
+            = standard_time_distance(activity.due_date.to_date, Time.zone.now.to_date)
+        %div
+          %small.text-justify{title: activity.description}= activity.description.truncate(150)
+      %p
+        %ul.list-unstyled
+        - if activity.garden_name && activity.garden_slug
+          %li
+            %small= link_to activity.garden_name, garden_path(slug: activity.garden_slug)
+        - if activity.planting_name && activity.planting_slug
+          %li
+            %small= link_to activity.planting_name, planting_path(slug: activity.planting_slug)
+
     .card-footer
-      .float-right
-        %span.chip.member-chip
-          = link_to member_path(slug: activity.owner_slug) do
-            = activity.owner_login_name
+      %small.chip.member-chip
+        = link_to member_path(slug: activity.owner_slug) do
+          = activity.owner_login_name

app/views/activities/_form.html.haml

@@ -27,13 +27,13 @@
 
       .row
         .col-md-4
-          = f.collection_radio_buttons(:garden_id, @activity.owner.gardens.active,
+          = f.collection_radio_buttons(:garden_id, @activity.owner.gardens.active.order_by_name,
             :id, :name,
             label: 'Is this for a specific garden?')
           = link_to "Add a garden.", new_garden_path
 
         .col-md-4
-          = f.collection_radio_buttons(:planting_id, @activity.owner.plantings.active,
+          = f.collection_radio_buttons(:planting_id, @activity.owner.plantings.active.recent,
             :id, :crop_name,
             label: 'Is this for a specific planting?')
           = link_to "Add a planting.", new_planting_path

app/views/crops/_form.html.haml

@@ -41,6 +41,14 @@
         = f.radio_button(:perennial, true, label: "Perennial")
         %span.help-block Living more than two years
 
+      %h2 OpenFarm Data
+      = f.number_field :row_spacing, label: 'Row Spacing (cm)', min: 0
+      = f.number_field :spread, label: 'Spread (cm)', min: 0
+      = f.number_field :height, label: 'Height (cm)', min: 0
+      = f.text_field :sowing_method
+      = f.text_field :sun_requirements
+      = f.number_field :growing_degree_days, min: 0
+
       - unless @crop.approved?
         = link_to 'Search wikipedia', "https://en.wikipedia.org/w/index.php?search=#{@crop.name}", target: '_blank'
       = f.url_field :en_wikipedia_url, id: "en_wikipedia_url", label: 'Wikipedia URL'

app/views/crops/_harvests.html.haml

@@ -12,7 +12,7 @@
             #{harvest.owner} harvested #{display_quantity(harvest)}.
           .float-right= render 'members/location', member: harvest.owner
           .harvest-timeago
-            %small #{distance_of_time_in_words(harvest.harvested_at, Time.zone.now)} ago.
+            %small #{standard_time_distance(harvest.harvested_at, Time.zone.now.to_date)}
       %li.list-group-item= link_to "View all #{crop.name} harvests", crop_harvests_path(crop), class: 'card-link'
       - if crop.approved?
         - if current_member

app/views/crops/_openfarm_data.html.haml

@@ -0,0 +1,33 @@
+- if crop.row_spacing || crop.spread || crop.height || crop.sowing_method || crop.sun_requirements || crop.growing_degree_days
+  = cute_icon
+  .card
+    .card-body
+      %h4 OpenFarm Data
+    %ul.list-group.list-group-flush
+      - if crop.row_spacing
+        %li.list-group-item
+          %strong Row Spacing:
+          = crop.row_spacing
+          cm
+      - if crop.spread
+        %li.list-group-item
+          %strong Spread:
+          = crop.spread
+          cm
+      - if crop.height
+        %li.list-group-item
+          %strong Height:
+          = crop.height
+          cm
+      - if crop.sowing_method
+        %li.list-group-item
+          %strong Sowing Method:
+          = crop.sowing_method
+      - if crop.sun_requirements
+        %li.list-group-item
+          %strong Sun Requirements:
+          = crop.sun_requirements
+      - if crop.growing_degree_days
+        %li.list-group-item
+          %strong Growing Degree Days:
+          = crop.growing_degree_days

app/views/crops/show.html.haml

@@ -111,6 +111,8 @@
     = render 'harvests', crop: @crop
     = render 'find_seeds', crop: @crop
 
+    = render 'openfarm_data', crop: @crop
+
     = cute_icon
     .card
       .card-body

app/views/devise/registrations/_edit_apps.html.haml

@@ -15,3 +15,16 @@
                     method: :delete, class: "remove btn btn-danger"
         - else
           = link_to 'Connect to Flickr', '/members/auth/flickr', class: 'btn'
+  %hr
+  .row
+    .col-md-12
+      %p
+        = image_tag "icons/post.svg", size: "32x32", alt: 'API logo'
+        - if current_member.api_token?
+          Your API token is
+          %code= current_member.api_token.token
+          = link_to "Regenerate", regenerate_api_token_path,
+                    data: { confirm: "Are you sure? Your old token will stop working immediately." },
+                    method: :post, class: "remove btn btn-danger"
+        - else
+          = link_to 'Generate API Token', regenerate_api_token_path, method: :post, class: 'btn btn-primary'

app/views/gardens/_previously.haml

@@ -16,3 +16,8 @@
   .col-md-12
     %p Nothing has been planted here.
 
+- if @finished_activities&.size&.positive?
+  %h2 Finished activities in garden
+  .index-cards
+    - @finished_activities.each do |activity|
+      = render "activities/card", activity: activity

app/views/gardens/index.html.haml

@@ -11,6 +11,9 @@
 
 .row
   .col-md-2
+    %small
+      %a{href: "#content"}
+        Skip to main content
     = render 'layouts/nav', model: Garden
     %label
       = link_to show_inactive_tickbox_path('gardens', owner: @owner, show_all: @show_all) do
@@ -20,7 +23,7 @@
       %hr/
       = render @owner
 
-  .col-md-10
+  .col-md-10#content
     - if @gardens.empty?
       %p There are no gardens to display.
       - if can?(:create, Garden) && @owner == current_member

app/views/harvests/_planting.haml

@@ -5,3 +5,8 @@
       - @matching_plantings.each do |planting|
         = f.radio_button :planting_id, planting.id, label: planting
       = f.submit "save", class: 'btn btn-sm'
+
+- if @harvest.planting.present? && @harvest.planting.overall_rating.blank?
+  .alert.alert-info{role: "alert"}
+    This harvest is from a planting that hasn't been rated yet.
+    = link_to "Rate this planting", edit_planting_path(@harvest.planting, anchor: "planting_overall_rating"), class: 'alert-link'

app/views/harvests/show.html.haml

@@ -46,7 +46,7 @@
           %h3
             Harvested
             = editable :date, @harvest, :harvested_at, display_field: '.harvested_at'
-          %strong.harvested_at #{distance_of_time_in_words @harvest.harvested_at, Time.zone.now.to_date} ago
+          %strong.harvested_at #{standard_time_distance @harvest.harvested_at, Time.zone.now.to_date}
           %span.harvested_at= I18n.l @harvest.harvested_at
 
         .card{class: @harvest.quantity.present? ? '' : 'text-muted'}

app/views/home/_stats.html.haml

@@ -5,5 +5,5 @@
      number_crops: link_to(t('.number_crops_linktext', count: Crop.count.to_i), crops_path),
      number_plantings: link_to(t('.number_plantings_linktext', count: Planting.count.to_i), plantings_path),
      number_gardens: link_to(t('.number_gardens_linktext', count: Garden.count.to_i), gardens_path),
-     contributors: link_to(count_github_contibutors, 'http://github.com/Growstuff/growstuff/CONTRIBUTORS.md', target: '_blank', rel: 'noopener'), 
+     contributors: link_to(count_github_contibutors, 'https://github.com/Growstuff/growstuff/blob/dev/CONTRIBUTORS.md', target: '_blank', rel: 'noopener'), 
      github: link_to('GitHub', 'http://github.com/Growstuff/growstuff', target: '_blank', rel: 'noopener'))

app/views/home/index.html.haml

@@ -11,11 +11,11 @@
       %br
       %p
         - if current_member.plantings.active.any?
-          = link_to member_path(current_member, anchor: "#content"), class: 'btn btn-dark' do
+          = link_to member_path(current_member, anchor: "content"), class: 'btn btn-dark' do
             = planting_icon
             Track my plantings
       %p
-        = link_to member_gardens_path(current_member), class: 'btn btn-dark' do
+        = link_to member_gardens_path(current_member, anchor: "content"), class: 'btn btn-dark' do
           = garden_icon
           Show me my garden
 - else

app/views/layouts/_menu.haml

@@ -2,10 +2,10 @@
   %ul.navbar-nav.mr-auto.bg-dark
     - if signed_in?
       %li.nav-item
-        = link_to timeline_index_path, method: :get, class: 'nav-link text-white' do
+        = link_to timeline_index_path, method: :get, class: 'nav-link text-white', title: "Timeline" do
           = image_tag 'icons/notification.svg', class: 'img img-icon', alt: "Notifications"
       %li.nav-item
-        = link_to member_gardens_path(current_member), class: 'nav-link text-white', title: "My gardens" do
+        = link_to member_gardens_path(current_member, anchor: "content"), class: 'nav-link text-white', title: "My gardens" do
           = image_icon 'gardens'
       %li.nav-item.dropdown
         %a.nav-link.dropdown-toggle{"aria-expanded" => "false", "aria-haspopup" => "true", "data-bs-toggle" => "dropdown", href: "#", role: "button"}

app/views/likes/_description.html.haml

@@ -0,0 +1 @@
+#{link_to event_model.member, event_model.member} liked #{link_to event_model.likeable.class.name.downcase, event_model.likeable}

app/views/members/show.html.haml

@@ -28,7 +28,7 @@
                 %a{href: "#content"}
                   Skip to main content
             - if @member.bio.blank?
-              - if can? :edit, @member
+              - if member_signed_in? && current_member == @member
                 = link_to "Add a bio to complete your profile.", edit_member_registration_path
               - else
                 #{@member.login_name} hasn't written a bio yet.
@@ -83,14 +83,14 @@
     .row
       %section.order-3.order-md-1.col-12= render "map", member: @member
       - if @harvesting.size.positive? 
-        %section.harvests.order-2.order-md-1.col-12
+        %section.harvests.order-2.order-md-1.col-12#harvests
           %h2 Ready to harvest
           .index-cards
             - @harvesting.each do |planting|
               = render 'plantings/thumbnail', planting: planting
 
       - if @others.size.positive?
-        %section.planting-progress.order-2.order-md-1.col-12
+        %section.planting-progress.order-2.order-md-1.col-12#planting-progress
           %h2 Progress report
           %p Still growing and not ready for harvesting.
           .list-group
@@ -99,7 +99,7 @@
                 %span= render 'plantings/tiny', planting: planting
                 %span= render 'plantings/progress', planting: planting
       - if @late.size.positive?
-        %section.late.order-2.order-md-1.col-12
+        %section.late.order-2.order-md-1.col-12#late
           %h2 Late
           %p
             These plantings are at the end of their lifecycle.
@@ -109,7 +109,7 @@
             - @late.each do |planting|
               = render 'plantings/thumbnail', planting: planting
       - if @super_late.any?
-        %section.superlate.order-2.order-md-1.col-12
+        %section.superlate.order-2.order-md-1.col-12#superlate
           %h2 Super late
           %p
             We suspect the following plantings finished long ago and no longer need tracking.
@@ -122,14 +122,14 @@
                 planted on #{planting.planted_at.to_date}
 
       - if @harvests.any?
-        %section.havests.order-2.order-md-1.col-12
+        %section.havests.order-2.order-md-1.col-12#recent-harvests
           %h2 Recent Harvests
           .index-cards
             - @harvests.each do |harvest|
               = render 'harvests/thumbnail', harvest: harvest
 
       - if @activity.any?
-        %section.activity.order-2.order-md-1.col-12
+        %section.activity.order-2.order-md-1.col-12#activity
           %h2 Activity
           .list-group
             - @activity.each do |event|

app/views/plantings/_facts.html.haml

@@ -89,3 +89,9 @@
       - if planting.finished_at.present?
         %span.plantingfact--finish
           = planting.finished_at.year
+  - if planting.overall_rating.present?
+    .card.fact-card
+      .card-body
+        %h3 Overall Rating
+        %p.card-text
+          %strong= "#{planting.overall_rating}/5"

app/views/plantings/_form.html.haml

@@ -27,7 +27,7 @@
 
       .row
         .col-md-8
-          = f.collection_radio_buttons(:garden_id, @planting.owner.gardens.active,
+          = f.collection_radio_buttons(:garden_id, @planting.owner.gardens.active.order_by_name,
             :id, :name, required: true,
             label: 'Where did you plant it?')
           = link_to "Add a garden.", new_garden_path
@@ -43,6 +43,15 @@
           = f.select(:sunniness, Planting::SUNNINESS_VALUES, { include_blank: '', label: 'Sun or shade?' } )
         .col-md-4
           = f.number_field :quantity, label: 'How many?', min: 1
+        .col-md-12
+          = f.range_field :overall_rating, min: 1, max: 5, include_blank: 'Leave blank', label: 'Overall Rating', list: "rating-list", title: "How well is the planting going?"
+          %datalist{"id": "rating-list"}
+            %option{"value": "1"} Poor
+            %option{"value": "2"}
+            %option{"value": "3"}
+            %option{"value": "4"}
+            %option{"value": "5"} Great
+
       = f.text_area :description, rows: 6, label: 'Tell us more about it'
 
       .row

app/views/plantings/_modal.html.haml

@@ -9,7 +9,7 @@
         %p Which garden is the planting in?
 
         %ul.list-group
-          - planting.owner.gardens.active.order(:name).each do |garden|
+          - planting.owner.gardens.active.order_by_name.each do |garden|
             %li.list-group-item
               = link_to plantings_path(planting: {crop_id: planting.crop_id, garden_id: garden.id}), method: :post do
                 .md-v-line

app/views/plantings/show.html.haml

@@ -7,6 +7,15 @@
   = tag("meta", property: "og:type", content: "website")
   = tag("meta", property: "og:url", content: request.original_url)
   = tag("meta", property: "og:site_name", content: ENV['GROWSTUFF_SITE_NAME'])
+  - if @planting.overall_rating.present?
+    %script{type: "application/ld+json"}
+      :plain
+        {
+          "@context": "http://schema.org",
+          "@type": "Rating",
+          "ratingValue": "#{@planting.overall_rating}",
+          "bestRating": "5"
+        }
 
 - content_for :breadcrumbs do
   %li.breadcrumb-item= link_to 'Plantings', plantings_path
@@ -80,7 +89,11 @@
           - else
             .col-md-12
               %p Nothing is currently planned here.
-
+        - if @finished_activities&.size&.positive?
+          %h2 Finished activities for planting
+          .index-cards
+            - @finished_activities.each do |activity|
+              = render "activities/card", activity: activity
 
     .col-md-4.col-xs-12
       = render @planting.crop

app/views/seeds/_form.html.haml

@@ -49,17 +49,19 @@
         .col-md-6= f.number_field :days_until_maturity_max, label_as_placeholder: true, label: 'max', prepend: 'to', append: "days", min: 1
 
       .row
-        .col-md-4
-          = f.select(:organic, Seed::ORGANIC_VALUES, {label: 'Organic?', wrapper: { class: 'required'}, required: true}, default: 'unknown')
-        .col-md-4
-          = f.select(:gmo, Seed::GMO_VALUES, {label: 'GMO?', wrapper: { class: 'required'}, required: true}, default: 'unknown')
-        .col-md-4
-          = f.select(:heirloom, Seed::HEIRLOOM_VALUES, {label: 'Heirloom?', wrapper: { class: 'required'}, required: true}, default: 'unknown')
+        .col-md-3
+          = f.select(:organic, Seed::ORGANIC_VALUES, { label: 'Organic?', wrapper: { class: 'required' }, required: true }, default: 'unknown')
+        .col-md-3
+          = f.select(:gmo, Seed::GMO_VALUES, { label: 'GMO?', wrapper: { class: 'required' }, required: true }, default: 'unknown')
+        .col-md-3
+          = f.select(:heirloom, Seed::HEIRLOOM_VALUES, { label: 'Heirloom?', wrapper: { class: 'required' }, required: true }, default: 'unknown')
+        .col-md-3
+          = f.select(:source, Seed::SOURCE_VALUES, { label: 'Source?', wrapper: { class: 'required' }, required: true }, default: 'unknown')
       = f.text_area :description, rows: 6
 
       %hr/
       =  t('.trade_help', site_name: ENV['GROWSTUFF_SITE_NAME'])
-      = f.select(:tradable_to, Seed::TRADABLE_TO_VALUES, {label: 'Will trade', wrapper: { class: 'required'}, required: true})
+      = f.select(:tradable_to, Seed::TRADABLE_TO_VALUES, { label: 'Will trade', wrapper: { class: 'required' }, required: true })
       %span.help_inline
         - if current_member.location.blank?
           Don't forget to

app/views/timeline/_like.html.haml

@@ -0,0 +1,2 @@
+- likeable = like.likeable
+= render "timeline/likeables/#{likeable.class.name.downcase}", likeable: likeable

app/views/timeline/index.html.haml

@@ -14,6 +14,7 @@
               = link_to owner, owner
               = event_description(event)
               = render 'timeline/photos', photo: resolve_model(event) if event.event_type == 'photo'
+              = render 'timeline/like', like: resolve_model(event) if event.event_type == 'like'
             %small
             - if event.event_at.present?
               - if event.event_at.kind_of?(Date)

app/views/timeline/likeables/_photo.html.haml

@@ -0,0 +1 @@
+= render 'timeline/photos', photo: likeable

app/views/timeline/likeables/_post.html.haml

@@ -0,0 +1,6 @@
+.card.my-2
+  .card-body
+    %blockquote.blockquote.mb-0
+      %p= truncate(likeable.body, length: 140)
+      %footer.blockquote-footer
+        = link_to "view post", likeable

config/initializers/jsonapi_resources.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
-
+class UnauthorisedError < JSONAPI::Error
+end
 JSONAPI.configure do |config|
   # built in paginators are :none, :offset, :paged
   config.default_paginator = :offset
   config.default_page_size = 10
   config.maximum_page_size = 100
+  config.exception_class_whitelist = [CanCan::AccessDenied, UnauthorisedError]
 end

config/locales/devise.en.yml

@@ -54,6 +54,7 @@ en:
         You updated your account successfully, but we need to verify your new email address. Please check your email and click on the confirm
         link to finalize confirming your new email address.
       destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
+      api_token_regenerated: 'Your API token has been regenerated.'
     unlocks:
       send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
       unlocked: 'Your account has been unlocked successfully. Please sign in to continue.'

config/routes.rb

@@ -16,6 +16,7 @@ Rails.application.routes.draw do
   }
   devise_scope :member do
     get '/members/unsubscribe/:message' => 'members#unsubscribe', as: 'unsubscribe_member'
+    post '/members/regenerate_api_token' => 'registrations#regenerate_api_token', as: 'regenerate_api_token'
   end
   match '/members/:id/finish_signup' => 'members#finish_signup', via: %i(get patch), as: :finish_signup
 
@@ -141,6 +142,7 @@ Rails.application.routes.draw do
 
   namespace :api do
     namespace :v1 do
+      jsonapi_resources :activities
       jsonapi_resources :crops
       jsonapi_resources :gardens
       jsonapi_resources :harvests

db/migrate/20240101010101_add_fields_to_crops.rb

@@ -0,0 +1,10 @@
+class AddFieldsToCrops < ActiveRecord::Migration[5.2]
+  def change
+    add_column :crops, :row_spacing, :integer
+    add_column :crops, :spread, :integer
+    add_column :crops, :height, :integer
+    add_column :crops, :sowing_method, :string
+    add_column :crops, :sun_requirements, :string
+    add_column :crops, :growing_degree_days, :integer
+  end
+end

db/migrate/20240101010102_populate_crop_fields_from_openfarm_data.rb

@@ -0,0 +1,21 @@
+class PopulateCropFieldsFromOpenfarmData < ActiveRecord::Migration[5.2]
+  def up
+    Crop.find_each do |crop|
+      if crop.openfarm_data.present?
+        attributes = crop.openfarm_data.fetch('attributes', {})
+        crop.update_columns(
+          row_spacing: attributes['row_spacing'],
+          spread: attributes['spread'],
+          height: attributes['height'],
+          sowing_method: attributes['sowing_method'],
+          sun_requirements: attributes['sun_requirements'],
+          growing_degree_days: attributes['growing_degree_days']
+        )
+      end
+    end
+  end
+
+  def down
+    # This migration is not reversible.
+  end
+end

db/migrate/20250901105232_add_source_to_seeds.rb

@@ -0,0 +1,6 @@
+class AddSourceToSeeds < ActiveRecord::Migration[7.2]
+  def change
+    add_column :seeds, :source, :string
+    add_index :seeds, :source
+  end
+end

db/migrate/20250901110545_add_indexes_crops.rb

@@ -0,0 +1,52 @@
+class AddIndexesCrops < ActiveRecord::Migration[7.2]
+  def change
+    add_index :alternate_names, :crop_id
+    add_index :alternate_names, :creator_id
+    add_index :alternate_names, :language
+
+    add_index :comments, :author_id
+
+    add_index :crop_companions, %i(crop_a_id crop_b_id)
+
+    add_index :crops, :creator_id
+    add_index :crops, :parent_id
+
+    add_index :follows, %i(follower_id followed_id)
+
+    add_index :forums, :owner_id
+
+    add_index :harvests, :crop_id
+    add_index :harvests, :owner_id
+    add_index :harvests, :plant_part_id
+
+    add_index :members_roles, %i(member_id role_id)
+
+    add_index :notifications, :sender_id
+    add_index :notifications, :recipient_id
+
+    add_index :orders_products, %i(order_id product_id)
+
+    add_index :photo_associations, :crop_id # TODO: Is this still in use?
+
+    add_index :photos, :owner_id
+    add_index :photos, :source_id
+
+    add_index :photos_plantings, %i(photo_id planting_id)
+
+    add_index :plant_parts, :slug, unique: true
+
+    add_index :plantings, :crop_id
+    add_index :plantings, :garden_id
+    add_index :plantings, :owner_id
+    add_index :plantings, :parent_seed_id
+
+    add_index :posts, :forum_id
+
+    add_index :scientific_names, :crop_id
+    add_index :scientific_names, :creator_id
+
+    add_index :seeds, :owner_id
+    add_index :seeds, :crop_id
+    add_index :seeds, :parent_planting_id
+  end
+end

db/migrate/20250901130830_add_overall_rating_plantings.rb

@@ -0,0 +1,5 @@
+class AddOverallRatingPlantings < ActiveRecord::Migration[7.2]
+  def change
+    add_column :plantings, :overall_rating, :integer
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
+ActiveRecord::Schema[7.2].define(version: 2025_09_01_130830) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -68,6 +68,9 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.datetime "created_at", precision: nil
     t.datetime "updated_at", precision: nil
     t.string "language"
+    t.index ["creator_id"], name: "index_alternate_names_on_creator_id"
+    t.index ["crop_id"], name: "index_alternate_names_on_crop_id"
+    t.index ["language"], name: "index_alternate_names_on_language"
   end
 
   create_table "authentications", id: :serial, force: :cascade do |t|
@@ -209,6 +212,8 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.datetime "created_at", precision: nil
     t.datetime "updated_at", precision: nil
     t.string "commentable_type"
+    t.index ["author_id"], name: "index_comments_on_author_id"
+    t.index ["commentable_type", "commentable_id"], name: "index_comments_on_commentable_type_and_commentable_id"
   end
 
   create_table "crop_companions", force: :cascade do |t|
@@ -216,6 +221,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.integer "crop_b_id", null: false
     t.datetime "created_at", precision: nil, null: false
     t.datetime "updated_at", precision: nil, null: false
+    t.index ["crop_a_id", "crop_b_id"], name: "index_crop_companions_on_crop_a_id_and_crop_b_id"
   end
 
   create_table "crop_posts", id: false, force: :cascade do |t|
@@ -246,7 +252,15 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.jsonb "openfarm_data"
     t.integer "harvests_count", default: 0
     t.integer "photo_associations_count", default: 0
+    t.integer "row_spacing"
+    t.integer "spread"
+    t.integer "height"
+    t.string "sowing_method"
+    t.string "sun_requirements"
+    t.integer "growing_degree_days"
+    t.index ["creator_id"], name: "index_crops_on_creator_id"
     t.index ["name"], name: "index_crops_on_name"
+    t.index ["parent_id"], name: "index_crops_on_parent_id"
     t.index ["requester_id"], name: "index_crops_on_requester_id"
     t.index ["slug"], name: "index_crops_on_slug", unique: true
   end
@@ -256,6 +270,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.integer "followed_id"
     t.datetime "created_at", precision: nil
     t.datetime "updated_at", precision: nil
+    t.index ["follower_id", "followed_id"], name: "index_follows_on_follower_id_and_followed_id"
   end
 
   create_table "forums", id: :serial, force: :cascade do |t|
@@ -265,6 +280,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.datetime "created_at", precision: nil
     t.datetime "updated_at", precision: nil
     t.string "slug"
+    t.index ["owner_id"], name: "index_forums_on_owner_id"
     t.index ["slug"], name: "index_forums_on_slug", unique: true
   end
 
@@ -328,6 +344,9 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.float "si_weight"
     t.integer "planting_id"
     t.integer "likes_count", default: 0
+    t.index ["crop_id"], name: "index_harvests_on_crop_id"
+    t.index ["owner_id"], name: "index_harvests_on_owner_id"
+    t.index ["plant_part_id"], name: "index_harvests_on_plant_part_id"
     t.index ["planting_id"], name: "index_harvests_on_planting_id"
   end
 
@@ -464,6 +483,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
   create_table "members_roles", id: false, force: :cascade do |t|
     t.integer "member_id"
     t.integer "role_id"
+    t.index ["member_id", "role_id"], name: "index_members_roles_on_member_id_and_role_id"
   end
 
   create_table "notifications", id: :serial, force: :cascade do |t|
@@ -477,11 +497,14 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.datetime "updated_at", precision: nil
     t.string "notifiable_type"
     t.index ["notifiable_type", "notifiable_id"], name: "index_notifications_on_notifiable_type_and_notifiable_id"
+    t.index ["recipient_id"], name: "index_notifications_on_recipient_id"
+    t.index ["sender_id"], name: "index_notifications_on_sender_id"
   end
 
   create_table "orders_products", id: false, force: :cascade do |t|
     t.integer "order_id"
     t.integer "product_id"
+    t.index ["order_id", "product_id"], name: "index_orders_products_on_order_id_and_product_id"
   end
 
   create_table "photo_associations", id: :serial, force: :cascade do |t|
@@ -491,6 +514,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.datetime "created_at", precision: nil, null: false
     t.datetime "updated_at", precision: nil, null: false
     t.integer "crop_id"
+    t.index ["crop_id"], name: "index_photo_associations_on_crop_id"
     t.index ["photographable_id", "photographable_type", "photo_id"], name: "items_to_photos_idx", unique: true
     t.index ["photographable_id", "photographable_type"], name: "photographable_idx"
   end
@@ -511,12 +535,15 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.string "source"
     t.integer "comments_count", default: 0
     t.index ["fullsize_url"], name: "index_photos_on_fullsize_url", unique: true
+    t.index ["owner_id"], name: "index_photos_on_owner_id"
+    t.index ["source_id"], name: "index_photos_on_source_id"
     t.index ["thumbnail_url"], name: "index_photos_on_thumbnail_url", unique: true
   end
 
   create_table "photos_plantings", id: false, force: :cascade do |t|
     t.integer "photo_id"
     t.integer "planting_id"
+    t.index ["photo_id", "planting_id"], name: "index_photos_plantings_on_photo_id_and_planting_id"
   end
 
   create_table "photos_seeds", id: false, force: :cascade do |t|
@@ -531,6 +558,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.datetime "updated_at", precision: nil
     t.string "slug"
     t.integer "harvests_count", default: 0
+    t.index ["slug"], name: "index_plant_parts_on_slug", unique: true
   end
 
   create_table "plantings", id: :serial, force: :cascade do |t|
@@ -554,6 +582,11 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.integer "harvests_count", default: 0
     t.integer "likes_count", default: 0
     t.boolean "failed", default: false, null: false
+    t.integer "overall_rating"
+    t.index ["crop_id"], name: "index_plantings_on_crop_id"
+    t.index ["garden_id"], name: "index_plantings_on_garden_id"
+    t.index ["owner_id"], name: "index_plantings_on_owner_id"
+    t.index ["parent_seed_id"], name: "index_plantings_on_parent_seed_id"
     t.index ["slug"], name: "index_plantings_on_slug", unique: true
   end
 
@@ -568,6 +601,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.integer "likes_count", default: 0
     t.integer "comments_count", default: 0
     t.index ["created_at", "author_id"], name: "index_posts_on_created_at_and_author_id"
+    t.index ["forum_id"], name: "index_posts_on_forum_id"
     t.index ["slug"], name: "index_posts_on_slug", unique: true
   end
 
@@ -590,6 +624,8 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.string "gbif_rank"
     t.string "gbif_status"
     t.string "wikidata_id"
+    t.index ["creator_id"], name: "index_scientific_names_on_creator_id"
+    t.index ["crop_id"], name: "index_scientific_names_on_crop_id"
   end
 
   create_table "seeds", id: :serial, force: :cascade do |t|
@@ -611,7 +647,12 @@ ActiveRecord::Schema[7.2].define(version: 2025_08_24_162600) do
     t.date "finished_at"
     t.integer "parent_planting_id"
     t.date "saved_at"
+    t.string "source"
+    t.index ["crop_id"], name: "index_seeds_on_crop_id"
+    t.index ["owner_id"], name: "index_seeds_on_owner_id"
+    t.index ["parent_planting_id"], name: "index_seeds_on_parent_planting_id"
     t.index ["slug"], name: "index_seeds_on_slug", unique: true
+    t.index ["source"], name: "index_seeds_on_source"
   end
 
   add_foreign_key "active_storage_attachments", "active_storage_blobs", column: "blob_id"

spec/controllers/crops_controller_spec.rb

@@ -100,6 +100,36 @@ describe CropsController do
       it { expect { subject }.to change(Crop, :count).by(1) }
       it { expect { subject }.to change(AlternateName, :count).by(2) }
       it { expect { subject }.to change(ScientificName, :count).by(1) }
+
+      context 'with openfarm data' do
+        let(:crop_params) do
+          {
+            crop:     {
+              name:                'aubergine',
+              en_wikipedia_url:    "https://en.wikipedia.org/wiki/Eggplant",
+              row_spacing:         10,
+              spread:              20,
+              height:              30,
+              sowing_method:       'direct',
+              sun_requirements:    'full sun',
+              growing_degree_days: 100
+            },
+            alt_name: { '1': "egg plant", '2': "purple apple" },
+            sci_name: { '1': "fancy sci name", '2': "" }
+          }
+        end
+
+        it 'saves openfarm data' do
+          subject
+          crop = Crop.last
+          expect(crop.row_spacing).to eq(10)
+          expect(crop.spread).to eq(20)
+          expect(crop.height).to eq(30)
+          expect(crop.sowing_method).to eq('direct')
+          expect(crop.sun_requirements).to eq('full sun')
+          expect(crop.growing_degree_days).to eq(100)
+        end
+      end
     end
   end
 

spec/features/crops/creating_a_crop_spec.rb

@@ -19,6 +19,14 @@ describe "Crop", :js do
         click_button class: "add-altname-row"
         fill_in "alt_name[3]", with: "Jazmin"
         fill_in "alt_name[4]", with: "Matsurika"
+
+        fill_in "crop_row_spacing", with: "12"
+        fill_in "crop_spread", with: "30"
+        fill_in "crop_height", with: "10"
+        fill_in "crop_sowing_method", with: "directly into final position"
+
+        fill_in "crop_sun_requirements", with: "full sun"
+        fill_in "crop_growing_degree_days", with: 100
       end
     end
   end

spec/features/footer_spec.rb

@@ -2,7 +2,7 @@
 
 require 'rails_helper'
 
-describe "footer", :js do
+describe "footer" do
   before { visit root_path }
 
   it "footer is on home page" do

spec/features/members/token_management_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe "member token management", :js do
+  include_context 'signed in member'
+
+  before do
+    visit edit_member_registration_path
+    click_on "Apps"
+  end
+
+  it "can generate an API token" do
+    expect(page).to have_no_content("Your API token is")
+    click_on "Generate API Token"
+    expect(page).to have_content("Your API token is")
+    member.reload
+    expect(member.api_token).to be_present
+  end
+
+  context "with an existing token" do
+    before do
+      member.regenerate_api_token
+      visit edit_member_registration_path
+      click_on "Apps"
+    end
+
+    it "can regenerate an API token" do
+      old_token = member.api_token.token
+      expect(page).to have_content("Your API token is")
+      accept_confirm do
+        click_on "Regenerate"
+      end
+      expect(page).to have_content("Your API token is")
+      expect(member.reload.api_token.token).not_to eq(old_token)
+    end
+  end
+end

spec/features/plantings/planting_a_crop_spec.rb

@@ -198,6 +198,7 @@ describe "Planting a crop", :js, :search do
       within "form#new_planting" do
         fill_in "When?", with: "2014-07-01"
         check "Mark as finished"
+        find_by_id('planting_overall_rating').set 4
         fill_in "Finished date", with: "2014-08-30"
         uncheck 'Mark as finished'
       end
@@ -220,6 +221,7 @@ describe "Planting a crop", :js, :search do
       expect(page).to have_content "planting was successfully created"
       expect(page).to have_content "Finished"
       expect(page).to have_content "Aug 2014"
+      expect(page).to have_content "4/5"
 
       # ensure we've indexed in elastic search
       planting.reindex(refresh: true)

spec/features/seeds/misc_seeds_spec.rb

@@ -49,6 +49,7 @@ describe "seeds", :js do
       click_link 'Edit'
       expect(page).to have_current_path edit_seed_path(seed), ignore_query: true
       fill_in 'Quantity', with: seed.quantity * 2
+      select 'traded from another person', from: 'Source'
       click_button 'Save'
       expect(page).to have_current_path seed_path(seed), ignore_query: true
     end

spec/features/signin_spec.rb

@@ -2,7 +2,7 @@
 
 require 'rails_helper'
 
-describe "signin", :js do
+describe "signin" do
   let(:member)       { FactoryBot.create(:member)                             }
   let(:recipient)    { FactoryBot.create(:member)                             }
   let(:wrangler)     { FactoryBot.create(:crop_wrangling_member)              }

spec/features/signup_spec.rb

@@ -2,7 +2,7 @@
 
 require 'rails_helper'
 
-describe "signup", :js do
+describe "signup" do
   it "sign up for new account from top menubar" do
     visit crops_path # something other than front page, which has multiple signup links
     click_link 'Sign up'

spec/features/timeline/index_spec.rb

@@ -17,6 +17,10 @@ describe "timeline", :js do
     let!(:friend_harvest) { FactoryBot.create(:planting, owner: friend2, planted_at: 3.years.ago) }
     let!(:finished_planting) { FactoryBot.create(:finished_planting, owner: friend1) }
     let!(:no_planted_at_planting) { FactoryBot.create(:planting, owner: friend2, planted_at: nil) }
+    let!(:friend_photo) { FactoryBot.create(:photo, owner: friend1) }
+    let!(:friend_post) { FactoryBot.create(:post, author: friend2) }
+    let!(:liked_post) { FactoryBot.create(:like, likeable: friend_photo, member: friend2) }
+    let!(:liked_photo) { FactoryBot.create(:like, likeable: friend_post, member: friend1) }
 
     before do
       login_as(member)
@@ -28,6 +32,8 @@ describe "timeline", :js do
       it { expect(page).to have_link href: planting_path(friend_harvest) }
       it { expect(page).to have_link href: planting_path(finished_planting) }
       it { expect(page).to have_no_link href: planting_path(no_planted_at_planting) }
+      it { expect(page).to have_link href: photo_path(friend_photo) }
+      it { expect(page).to have_link href: post_path(friend_post) }
     end
 
     describe 'shows the friends you follow' do

spec/requests/api/v1/activities_request_spec.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Activities', type: :request do
+  subject { JSON.parse response.body }
+
+  let(:headers) { { 'Accept' => 'application/vnd.api+json' } }
+  let!(:activity) { FactoryBot.create(:activity, garden: create(:garden), planting: create(:planting)) }
+  let!(:activity2) { FactoryBot.create(:activity) }
+
+  it '#index' do
+    get('/api/v1/activities', params: {}, headers:)
+    expect(subject['data'].size).to eq(2)
+  end
+
+  it '#show' do
+    get("/api/v1/activities/#{activity.id}", params: {}, headers:)
+    expect(subject['data']['id']).to eq(activity.id.to_s)
+  end
+
+  context 'filtering' do
+    it 'filters by owner' do
+      get("/api/v1/activities?filter[owner-id]=#{activity.owner.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(activity.id.to_s)
+    end
+
+    it 'filters by garden' do
+      get("/api/v1/activities?filter[garden-id]=#{activity.garden.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(activity.id.to_s)
+    end
+
+    it 'filters by planting' do
+      get("/api/v1/activities?filter[planting-id]=#{activity.planting.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(activity.id.to_s)
+    end
+
+    it 'filters by category' do
+      get("/api/v1/activities?filter[category]=#{activity.category}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(2)
+      expect(subject['data'][0]['id']).to eq(activity.id.to_s)
+      expect(subject['data'][1]['id']).to eq(activity2.id.to_s)
+    end
+  end
+end

spec/requests/api/v1/gardens_request_spec.rb

@@ -50,21 +50,138 @@ RSpec.describe 'Gardens', type: :request do
     expect(subject['data']).to include(garden_encoded_as_json_api)
   end
 
-  it '#create' do
-    expect do
-      post '/api/v1/gardens', params: { 'garden' => { 'name' => 'can i make this' } }, headers:
-    end.to raise_error ActionController::RoutingError
+  context 'filtering' do
+    let!(:garden2) { FactoryBot.create(:garden, active: false, garden_type: FactoryBot.create(:garden_type)) }
+
+    pending 'filters by active' do
+      get('/api/v1/gardens?filter[active]=true', params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(garden.id.to_s)
+    end
+
+    it 'filters by garden_type' do
+      get("/api/v1/gardens?filter[garden_type]=#{garden2.garden_type.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(garden2.id.to_s)
+    end
+
+    it 'filters by owner' do
+      get("/api/v1/gardens?filter[owner_id]=#{garden2.owner.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(2)
+      expect(subject['data'][1]['id']).to eq(garden2.id.to_s)
+    end
   end
 
-  it '#update' do
-    expect do
-      post "/api/v1/gardens/#{garden.id}", params: { 'garden' => { 'name' => 'can i modify this' } }, headers:
-    end.to raise_error ActionController::RoutingError
+  describe '#create' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let(:garden_params) do
+      {
+        data: {
+          type:       'gardens',
+          attributes: {
+            name: 'My API Garden'
+          }
+        }
+      }.to_json
+    end
+
+    it 'returns 401 Unauthorized without a token' do
+      post '/api/v1/gardens', params: garden_params, headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 201 Created with a valid token' do
+      post '/api/v1/gardens', params: garden_params, headers: auth_headers
+      expect(response).to have_http_status(:created)
+      expect(member.gardens.count).to eq(2) # 1 from after_create callback, 1 from api
+    end
   end
 
-  it '#delete' do
-    expect do
-      delete "/api/v1/gardens/#{garden.id}", params: {}, headers:
-    end.to raise_error ActionController::RoutingError
+  describe '#update' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let(:garden) { create(:garden, owner: member) }
+    let(:other_member_garden) { create(:garden) }
+    let(:update_params) do
+      {
+        data: {
+          type:       'gardens',
+          id:         garden.id.to_s,
+          attributes: {
+            name: 'An updated garden'
+          }
+        }
+      }.to_json
+    end
+
+    it 'returns 401 Unauthorized without a token' do
+      patch "/api/v1/gardens/#{garden.id}", params: update_params, headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 200 OK with a valid token for own garden' do
+      patch "/api/v1/gardens/#{garden.id}", params: update_params, headers: auth_headers
+      expect(response).to have_http_status(:ok)
+      expect(garden.reload.name).to eq('An updated garden')
+    end
+
+    it 'returns 403 Forbidden for another member\'s garden' do
+      update_params_for_other = {
+        data: {
+          type:       'gardens',
+          id:         other_member_garden.id.to_s,
+          attributes: {
+            name: 'An updated garden'
+          }
+        }
+      }.to_json
+      patch "/api/v1/gardens/#{other_member_garden.id}", params: update_params_for_other, headers: auth_headers
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
+  describe '#delete' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let!(:garden) { create(:garden, owner: member) }
+    let(:other_member_garden) { create(:garden) }
+
+    it 'returns 401 Unauthorized without a token' do
+      delete "/api/v1/gardens/#{garden.id}", headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 204 No Content with a valid token for own garden' do
+      delete "/api/v1/gardens/#{garden.id}", headers: auth_headers
+      expect(response).to have_http_status(:no_content)
+      expect(Garden.find_by(id: garden.id)).to be_nil
+    end
+
+    it 'returns 403 Forbidden for another member\'s garden' do
+      delete "/api/v1/gardens/#{other_member_garden.id}", headers: auth_headers
+      expect(response).to have_http_status(:forbidden)
+    end
   end
 end

spec/requests/api/v1/harvests_request_spec.rb

@@ -76,25 +76,153 @@ RSpec.describe 'Harvests', type: :request do
     it { expect(subject['data']).to eq(harvest_encoded_as_json_api) }
   end
 
-  it '#create' do
-    expect do
-      put '/api/v1/harvests', headers:, params: {
-        'harvest' => { 'description' => 'can i make this' }
-      }
-    end.to raise_error ActionController::RoutingError
+  context 'filtering' do
+    let!(:harvest2) { FactoryBot.create(:harvest, planting: create(:planting)) }
+
+    it 'filters by crop' do
+      get("/api/v1/harvests?filter[crop_id]=#{harvest2.crop.id}", params: {}, headers:)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(harvest2.id.to_s)
+    end
+
+    it 'filters by planting' do
+      get("/api/v1/harvests?filter[planting_id]=#{harvest2.planting.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(harvest2.id.to_s)
+    end
+
+    it 'filters by plant_part' do
+      get("/api/v1/harvests?filter[plant_part]=#{harvest2.plant_part.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(harvest2.id.to_s)
+    end
+
+    it 'filters by owner' do
+      get("/api/v1/harvests?filter[owner_id]=#{harvest2.owner.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(harvest2.id.to_s)
+    end
   end
 
-  it '#update' do
-    expect do
-      post "/api/v1/harvests/#{harvest.id}", headers:, params: {
-        'harvest' => { 'description' => 'can i modify this' }
-      }
-    end.to raise_error ActionController::RoutingError
+  describe '#create' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let(:crop) { create(:crop) }
+    let(:planting) { create(:planting, owner: member) }
+    let(:plant_part) { create(:plant_part) }
+    let(:harvest_params) do
+      {
+        data: {
+          type:          'harvests',
+          attributes:    {
+            description: 'My API harvests'
+          },
+          relationships: {
+            planting: { data: { type: 'plantings', id: planting.id } }
+            # plant_part: { data: { type: 'plant_parts', id: plant_part.id } }
+          }
+        }
+      }.to_json
+    end
+
+    it 'returns 401 Unauthorized without a token' do
+      post '/api/v1/harvests', params: harvest_params, headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 201 Created with a valid token' do
+      post '/api/v1/harvests', params: harvest_params, headers: auth_headers
+
+      expect(response).to have_http_status(:created)
+      expect(member.harvests.count).to eq(1)
+    end
   end
 
-  it '#delete' do
-    expect do
-      delete "/api/v1/harvests/#{harvest.id}", headers:, params: {}
-    end.to raise_error ActionController::RoutingError
+  describe '#update' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let(:harvest) { create(:harvest, owner: member) }
+    let(:other_member_harvest) { create(:harvest) }
+    let(:update_params) do
+      {
+        data: {
+          type:       'harvests',
+          id:         harvest.id.to_s,
+          attributes: {
+            description: 'An updated harvest'
+          }
+        }
+      }.to_json
+    end
+
+    it 'returns 401 Unauthorized without a token' do
+      patch "/api/v1/harvests/#{harvest.id}", params: update_params, headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 200 OK with a valid token for own harvest' do
+      patch "/api/v1/harvests/#{harvest.id}", params: update_params, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      expect(harvest.reload.description).to eq('An updated harvest')
+    end
+
+    it 'returns 403 Forbidden for another member\'s harvest' do
+      update_params_for_other = {
+        data: {
+          type:       'harvests',
+          id:         other_member_harvest.id.to_s,
+          attributes: {
+            description: 'An updated harvest'
+          }
+        }
+      }.to_json
+      patch "/api/v1/harvests/#{other_member_harvest.id}", params: update_params_for_other, headers: auth_headers
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
+  describe '#delete' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let!(:harvest) { create(:harvest, owner: member) }
+    let(:other_member_harvest) { create(:harvest) }
+
+    it 'returns 401 Unauthorized without a token' do
+      delete "/api/v1/harvests/#{harvest.id}", headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 204 No Content with a valid token for own harvest' do
+      delete "/api/v1/harvests/#{harvest.id}", headers: auth_headers
+      expect(response).to have_http_status(:no_content)
+      expect(Garden.find_by(id: harvest.id)).to be_nil
+    end
+
+    it 'returns 403 Forbidden for another member\'s harvest' do
+      delete "/api/v1/harvests/#{other_member_harvest.id}", headers: auth_headers
+      expect(response).to have_http_status(:forbidden)
+    end
   end
 end

spec/requests/api/v1/plantings_request_spec.rb

@@ -95,24 +95,119 @@ RSpec.describe 'Plantings', type: :request do
     expect(subject['data']).to eq(planting_encoded_as_json_api)
   end
 
-  it '#create' do
-    expect do
-      post '/api/v1/plantings', params: { 'planting' => { 'description' => 'can i make this' } }, headers:
-    end.to raise_error ActionController::RoutingError
+  describe '#create' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let(:crop) { create(:crop) }
+    let(:garden) { create(:garden, owner: member) }
+    let(:planting_params) do
+      {
+        data: {
+          type:          'plantings',
+          attributes:    {
+            description: 'My API plantings'
+          },
+          relationships: {
+            crop:   { data: { type: 'crops', id: crop.id } },
+            garden: { data: { type: 'gardens', id: garden.id } }
+          }
+        }
+      }.to_json
+    end
+
+    it 'returns 401 Unauthorized without a token' do
+      post '/api/v1/plantings', params: planting_params, headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 201 Created with a valid token' do
+      post '/api/v1/plantings', params: planting_params, headers: auth_headers
+
+      expect(response).to have_http_status(:created)
+      expect(member.plantings.count).to eq(1)
+    end
   end
 
-  it '#update' do
-    expect do
-      post "/api/v1/plantings/#{planting.id}", headers:, params: {
-        'planting' => { 'description' => 'can i modify this' }
-      }
-    end.to raise_error ActionController::RoutingError
+  describe '#update' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let(:planting) { create(:planting, owner: member) }
+    let(:other_member_planting) { create(:planting) }
+    let(:update_params) do
+      {
+        data: {
+          type:       'plantings',
+          id:         planting.id.to_s,
+          attributes: {
+            description: 'An updated planting'
+          }
+        }
+      }.to_json
+    end
+
+    it 'returns 401 Unauthorized without a token' do
+      patch "/api/v1/plantings/#{planting.id}", params: update_params, headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 200 OK with a valid token for own planting' do
+      patch "/api/v1/plantings/#{planting.id}", params: update_params, headers: auth_headers
+
+      expect(response).to have_http_status(:ok)
+      expect(planting.reload.description).to eq('An updated planting')
+    end
+
+    it 'returns 403 Forbidden for another member\'s planting' do
+      update_params_for_other = {
+        data: {
+          type:       'plantings',
+          id:         other_member_planting.id.to_s,
+          attributes: {
+            description: 'An updated planting'
+          }
+        }
+      }.to_json
+      patch "/api/v1/plantings/#{other_member_planting.id}", params: update_params_for_other, headers: auth_headers
+      expect(response).to have_http_status(:forbidden)
+    end
   end
 
-  it '#delete' do
-    expect do
-      delete "/api/v1/plantings/#{planting.id}", params: {}, headers:
-    end.to raise_error ActionController::RoutingError
+  describe '#delete' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let!(:planting) { create(:planting, owner: member) }
+    let(:other_member_planting) { create(:planting) }
+
+    it 'returns 401 Unauthorized without a token' do
+      delete "/api/v1/plantings/#{planting.id}", headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 204 No Content with a valid token for own planting' do
+      delete "/api/v1/plantings/#{planting.id}", headers: auth_headers
+      expect(response).to have_http_status(:no_content)
+      expect(Garden.find_by(id: planting.id)).to be_nil
+    end
+
+    it 'returns 403 Forbidden for another member\'s planting' do
+      delete "/api/v1/plantings/#{other_member_planting.id}", headers: auth_headers
+      expect(response).to have_http_status(:forbidden)
+    end
   end
 
   describe "by member/owner" do
@@ -140,4 +235,37 @@ RSpec.describe 'Plantings', type: :request do
       end
     end
   end
+
+  context 'filtering' do
+    let!(:planting2) { FactoryBot.create(:planting, failed: true, sunniness: 'shade') }
+    let!(:perennial_planting) { FactoryBot.create(:planting, crop: FactoryBot.create(:crop, perennial: true)) }
+
+    it 'filters by failed' do
+      get('/api/v1/plantings?filter[failed]=true', params: {}, headers:)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(planting2.id.to_s)
+    end
+
+    it 'filters by sunniness' do
+      get('/api/v1/plantings?filter[sunniness]=shade', params: {}, headers:)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(planting2.id.to_s)
+    end
+
+    it 'filters by perennial' do
+      get('/api/v1/plantings?filter[perennial]=true', params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(perennial_planting.id.to_s)
+    end
+
+    it 'filters by active' do
+      get('/api/v1/plantings?filter[active]=true', params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(2)
+      expect(subject['data'][0]['id']).to eq(planting.id.to_s)
+    end
+  end
 end

spec/requests/api/v1/seeds_request_spec.rb

@@ -61,21 +61,170 @@ RSpec.describe 'Seeds', type: :request do
     it { expect(subject['data']).to eq(seed_encoded_as_json_api) }
   end
 
-  it '#create' do
-    expect do
-      post '/api/v1/seeds', params: { 'seed' => { 'name' => 'can i make this' } }, headers:
-    end.to raise_error ActionController::RoutingError
+  describe '#create' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let(:crop) { create(:crop) }
+    let(:seed_params) do
+      {
+        data: {
+          type:          'seeds',
+          attributes:    {
+            description: 'My API seeds'
+          },
+          relationships: {
+            crop: { data: { type: 'crops', id: crop.id } }
+          }
+        }
+      }.to_json
+    end
+
+    it 'returns 401 Unauthorized without a token' do
+      post '/api/v1/seeds', params: seed_params, headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 201 Created with a valid token' do
+      post '/api/v1/seeds', params: seed_params, headers: auth_headers
+      expect(response).to have_http_status(:created)
+      expect(member.seeds.count).to eq(1)
+    end
   end
 
-  it '#update' do
-    expect do
-      post "/api/v1/seeds/#{seed.id}", params: { 'seed' => { 'name' => 'can i modify this' } }, headers:
-    end.to raise_error ActionController::RoutingError
+  describe '#update' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let(:crop) { create(:crop) }
+    let(:seed) { create(:seed, owner: member, crop: crop) }
+    let(:other_member_seed) { create(:seed) }
+    let(:update_params) do
+      {
+        data: {
+          type:       'seeds',
+          id:         seed.id.to_s,
+          attributes: {
+            description: 'An updated seed'
+          }
+        }
+      }.to_json
+    end
+
+    it 'returns 401 Unauthorized without a token' do
+      patch "/api/v1/seeds/#{seed.id}", params: update_params, headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 200 OK with a valid token for own seed' do
+      patch "/api/v1/seeds/#{seed.id}", params: update_params, headers: auth_headers
+      expect(response).to have_http_status(:ok)
+      expect(seed.reload.description).to eq('An updated seed')
+    end
+
+    it 'returns 403 Forbidden for another member\'s seed' do
+      update_params_for_other = {
+        data: {
+          type:       'seeds',
+          id:         other_member_seed.id.to_s,
+          attributes: {
+            description: 'An updated seed'
+          }
+        }
+      }.to_json
+      patch "/api/v1/seeds/#{other_member_seed.id}", params: update_params_for_other, headers: auth_headers
+      expect(response).to have_http_status(:forbidden)
+    end
   end
 
-  it '#delete' do
-    expect do
-      delete "/api/v1/seeds/#{seed.id}", params: {}, headers:
-    end.to raise_error ActionController::RoutingError
+  describe '#delete' do
+    let!(:member) { create(:member) }
+    let(:token) do
+      member.regenerate_api_token
+      member.api_token.token
+    end
+    let(:headers) { { 'Accept' => 'application/vnd.api+json', 'Content-Type' => 'application/vnd.api+json' } }
+    let(:auth_headers) { headers.merge('Authorization' => "Token token=#{token}") }
+    let(:crop) { create(:crop) }
+    let!(:seed) { create(:seed, owner: member, crop: crop) }
+    let(:other_member_seed) { create(:seed) }
+
+    it 'returns 401 Unauthorized without a token' do
+      delete "/api/v1/seeds/#{seed.id}", headers: headers
+      expect(response).to have_http_status(:unauthorized)
+    end
+
+    it 'returns 204 No Content with a valid token for own seed' do
+      delete "/api/v1/seeds/#{seed.id}", headers: auth_headers
+      expect(response).to have_http_status(:no_content)
+      expect(Seed.find_by(id: seed.id)).to be_nil
+    end
+
+    it 'returns 403 Forbidden for another member\'s seed' do
+      delete "/api/v1/seeds/#{other_member_seed.id}", headers: auth_headers
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
+  context 'filtering' do
+    let!(:seed2) do
+      FactoryBot.create(:seed, tradable_to: 'nationally', organic: 'certified organic', gmo: 'certified GMO-free', heirloom: 'heirloom')
+    end
+
+    it 'filters by crop' do
+      get("/api/v1/seeds?filter[crop]=#{seed2.crop.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(seed2.id.to_s)
+    end
+
+    it 'filters by tradable_to' do
+      get('/api/v1/seeds?filter[tradable_to]=nationally', params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(seed2.id.to_s)
+    end
+
+    it 'filters by organic' do
+      get('/api/v1/seeds?filter[organic]=certified organic', params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(seed2.id.to_s)
+    end
+
+    it 'filters by gmo' do
+      get('/api/v1/seeds?filter[gmo]=certified GMO-free', params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(seed2.id.to_s)
+    end
+
+    it 'filters by heirloom' do
+      get('/api/v1/seeds?filter[heirloom]=heirloom', params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(seed2.id.to_s)
+    end
+
+    it 'filters by owner' do
+      get("/api/v1/seeds?filter[owner_id]=#{seed2.owner.id}", params: {}, headers:)
+
+      expect(response).to have_http_status(:ok)
+      expect(subject['data'].size).to eq(1)
+      expect(subject['data'][0]['id']).to eq(seed2.id.to_s)
+    end
   end
 end