spree 0.9.1 → 0.9.2

data/CHANGELOG

@@ -1,3 +1,7 @@
+== 0.9.2
+
+* # - 837 Do not allow edit or update of completed checkout (SECURITY FIX)
+
 == 0.9.1
 
 * # - 813 Fixed compass gem dependency issue caused by Github changes

data/app/controllers/checkouts_controller.rb

@@ -1,6 +1,7 @@
 class CheckoutsController < Spree::BaseController 
   include ActionView::Helpers::NumberHelper # Needed for JS usable rate information
   before_filter :load_data
+  before_filter :prevent_editing_complete_order, :only => [:edit, :update]
   
   resource_controller :singleton
   belongs_to :order             
@@ -155,4 +156,9 @@ class CheckoutsController < Spree::BaseController
   def credit_hash
     Hash[*@order.credits.select {|c| c.amount !=0 }.collect { |c| [c.description, number_to_currency(c.amount)] }.flatten]    
   end
+  
+  def prevent_editing_complete_order      
+    load_object
+    redirect_to order_url(parent_object) if @order.checkout_complete
+  end  
 end

data/config/environment.rb

@@ -5,7 +5,7 @@
 # ENV['RAILS_ENV'] ||= 'production'
 
 # Specifies gem version of Rails to use when vendor/rails is not present
-SPREE_GEM_VERSION = '0.9.1' unless defined? SPREE_GEM_VERSION
+SPREE_GEM_VERSION = '0.9.2' unless defined? SPREE_GEM_VERSION
           
 # Bootstrap the Rails environment, frameworks, and default configuration
 require File.join(File.dirname(__FILE__), 'boot')
@@ -31,8 +31,8 @@ Spree::Initializer.run do |config|
   config.gem "activemerchant", :lib => "active_merchant", :version => '>=1.4.1'
   config.gem "tlsmail", :version => '0.0.1'
   config.gem 'activerecord-tableless', :lib => 'tableless', :version => '>=0.1.0'
-  config.gem 'haml', :version => '2.2.0'
-  config.gem 'chriseppstein-compass', :lib => 'compass', :source => "http://gems.github.com", :version => '0.8.17'
+  config.gem 'haml', :version => '>=2.2.0'
+  config.gem 'compass', :version => '0.8.17', :source => "http://gemcutter.org"
   config.gem 'calendar_date_select', :version => '1.15'    
   config.gem 'rsl-stringex', :lib => 'stringex', :source => "http://gems.github.com"
   config.gem 'chronic' #required for whenever

data/db/sample/checkouts.yml

@@ -3,6 +3,6 @@ checkout_<%= i %>:
   bill_address: frank_bill_address_<%= i %>
   email: frank.foo@example.com 
   order: order_<%= i %>
-  completed_at: <%=Time.now%>
+  completed_at: <%=Time.now.to_s(:db)%>
   ip_address: 127.0.0.1
 <% end %>

data/lib/spree.rb

@@ -9,7 +9,7 @@ unless defined? Spree::Version
     module Version
       Major = '0'
       Minor = '9'
-      Tiny  = '1'
+      Tiny  = '2'
 
       class << self
         def to_s

data/public/javascripts/calendar_date_select/format_db.js

@@ -0,0 +1,27 @@
+// DB No Seconds Format: 2007-12-05 12:00
+
+Date.padded2 = function(hour) { padded2 = hour.toString(); if ((parseInt(hour) < 10) || (parseInt(hour) == null)) padded2="0" + padded2; return padded2; }
+Date.prototype.getAMPMHour = function() { hour=Date.padded2(this.getHours()); return (hour == null) ? 00 : (hour > 24 ? hour - 24 : hour ) }
+Date.prototype.getAMPM = function() { return (this.getHours() < 12) ? "" : ""; }
+
+Date.prototype.toFormattedString = function(include_time){
+  str = this.getFullYear() + "-" + (this.getMonth() + 1) + "-" + Date.padded2(this.getDate());
+  if (include_time) { hour=this.getHours(); str += " " + this.getAMPMHour() + ":" + this.getPaddedMinutes() }
+  return str;
+}
+
+Date.parseFormattedString = function (string) {
+  var regexp = '([0-9]{4})-(([0-9]{1,2})-(([0-9]{1,2})( ([0-9]{1,2}):([0-9]{2})? *)?)?)?';
+  var d = string.match(new RegExp(regexp, "i"));
+  if (d==null) return Date.parse(string); // at least give javascript a crack at it.
+  var offset = 0;
+  var date = new Date(d[1], 0, 1);
+  if (d[3]) { date.setMonth(d[3] - 1); }
+  if (d[5]) { date.setDate(d[5]); }
+  if (d[7]) {
+    date.setHours(parseInt(d[7], 10));    
+  }
+  if (d[8]) { date.setMinutes(d[8]); }
+  if (d[10]) { date.setSeconds(d[10]); }
+  return date;
+}

data/public/javascripts/calendar_date_select/format_euro_24hr_ymd.js

@@ -0,0 +1,7 @@
+// Formats date and time as "2000.01.20 17:00"
+Date.prototype.toFormattedString = function(include_time)
+{
+   str = this.getFullYear() + "." + Date.padded2(this.getMonth()+1) + "." + Date.padded2(this.getDate());
+   if (include_time) { str += " " + this.getHours() + ":" + this.getPaddedMinutes() }
+   return str;
+}

data/public/javascripts/calendar_date_select/format_iso_date.js

@@ -0,0 +1,46 @@
+Date.prototype.toFormattedString = function(include_time) {
+	var hour;
+    var str = this.getFullYear() + "-" + Date.padded2(this.getMonth() + 1) + "-" +Date.padded2(this.getDate());
+    if (include_time) {
+        hour = this.getHours();
+        str += " " + this.getHours() + ":" + this.getPaddedMinutes();
+    }
+    return str;
+};
+
+Date.parseFormattedString = function (string) {
+
+    var regexp = "([0-9]{4})(-([0-9]{2})(-([0-9]{2})" + 
+        "( ([0-9]{1,2}):([0-9]{2})?" +
+        "?)?)?)?"; 
+
+    var d = string.match(new RegExp(regexp, "i"));
+    if (d === null) {
+        return Date.parse(string); // at least give javascript a crack at it.
+    }
+    var offset = 0; 
+    var date = new Date(d[1], 0, 1); 
+    if (d[3]) {
+        date.setMonth(d[3] - 1);
+    } 
+    if (d[5]) {
+        date.setDate(d[5]);
+    } 
+    if (d[7]) {
+        date.setHours(d[7]);
+    } 
+    if (d[8]) {
+        date.setMinutes(d[8]);
+    } 
+    if (d[0]) {
+        date.setSeconds(d[0]);
+    } 
+    if (d[2]) {
+        date.setMilliseconds(Number("0." + d[2]));
+    } 
+    if (d[4]) {
+        offset = (Number(d[6])) + Number(d[8]);
+        offset = ((d[5] == '-') ? 1 : -1); 
+    } 
+    return date; 
+};

data/public/javascripts/calendar_date_select/locale/de.js

@@ -0,0 +1,11 @@
+Date.weekdays = $w('Mo Di Mi Do Fr Sa So');
+Date.months = $w('Januar Februar März April Mai Juni Juli August September Oktober November Dezember');
+
+Date.first_day_of_week = 1;
+
+_translations = {
+  "OK": "OK",
+  "Now": "Jetzt",
+  "Today": "Heute",
+  "Clear": "Löschen"
+}

data/public/javascripts/calendar_date_select/locale/fi.js

@@ -0,0 +1,10 @@
+Date.weekdays = $w("Ma Ti Ke To Pe La Su");
+Date.months = $w("Tammikuu Helmikuu Maaliskuu Huhtikuu Toukokuu Kes�kuu Hein�kuu Elokuu Syyskuu Lokakuu Marraskuu Joulukuu" );
+
+Date.first_day_of_week = 1
+
+_translations = {
+  "OK": "OK",
+  "Now": "Nyt",
+  "Today": "T�n��n"
+}

data/public/javascripts/calendar_date_select/locale/fr.js

@@ -0,0 +1,10 @@
+Date.weekdays = $w('L Ma Me J V S D');
+Date.months = $w('Janvier Février Mars Avril Mai Juin Juillet Août Septembre Octobre Novembre Décembre');
+
+Date.first_day_of_week = 1;
+
+_translations = {
+  "OK": "OK",
+  "Now": "Maintenant",
+  "Today": "Aujourd'hui"
+}

data/public/javascripts/calendar_date_select/locale/pl.js

@@ -0,0 +1,10 @@
+Date.weekdays = $w('P W Ś C P S N');
+Date.months = $w('Styczeń Luty Marzec Kwiecień Maj Czerwiec Lipiec Sierpień Wrzesień Październik Listopad Grudzień');
+
+Date.first_day_of_week = 1
+
+_translations = {
+  "OK": "OK",
+  "Now": "Teraz",
+  "Today": "Dziś"
+}

data/public/javascripts/calendar_date_select/locale/pt.js

@@ -0,0 +1,11 @@
+Date.weekdays = $w('D S T Q Q S S');
+Date.months = $w('Janeiro Fevereiro Março Abril Maio Junho Julho Agosto Setembro Outubro Novembro Dezembro');
+
+Date.first_day_of_week = 0
+
+_translations = {
+  "OK": "OK",
+  "Now": "Agora",
+  "Today": "Hoje",
+  "Clear": "Limpar"
+}

data/public/javascripts/calendar_date_select/locale/ru.js

@@ -0,0 +1,10 @@
+Date.weekdays = $w('Пн Вт Ср Чт Пт Сб Вс');
+Date.months = $w('Январь Февраль Март Апрель Май Июнь Июль Август Сентябрь Октябрь Ноябрь Декабрь');
+
+Date.first_day_of_week = 1
+
+_translations = {
+  "OK": "OK",
+  "Now": "Сейчас",
+  "Today": "Сегодня"
+}

data/public/stylesheets/compiled/screen.css

@@ -682,7 +682,7 @@ input.span-24, textarea.span-24, select.span-24 {
   margin-bottom: 1.5em; }
 
 .showgrid {
-  background: url('/grid.png'); }
+  background: url(/images/grid.png?1256001707); }
 
 .error {
   padding: .8em;

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: spree
 version: !ruby/object:Gem::Version 
-  version: 0.9.1
+  version: 0.9.2
 platform: ruby
 authors: 
 - Sean Schofield
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-10-13 00:00:00 -04:00
+date: 2009-10-20 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -446,8 +446,6 @@ files:
 - app/views/admin/zones/edit.html.erb
 - app/views/admin/zones/index.html.erb
 - app/views/admin/zones/new.html.erb
-- app/views/calculators
-- app/views/charges
 - app/views/checkouts
 - app/views/checkouts/_billing.html.erb
 - app/views/checkouts/_confirmation.html.erb
@@ -1423,7 +1421,6 @@ files:
 - public/images/flags/de.png
 - public/images/flags/de_CH.png
 - public/images/flags/dj.png
-- public/images/flags/dk.png
 - public/images/flags/dm.png
 - public/images/flags/do.png
 - public/images/flags/dz.png
@@ -1619,7 +1616,6 @@ files:
 - public/images/grid.png
 - public/images/left_01.png
 - public/images/left_01_small.png
-- public/images/lightbox
 - public/images/master_cid.jpg
 - public/images/menu-current.png
 - public/images/menu-hover.png
@@ -1630,7 +1626,6 @@ files:
 - public/images/orange
 - public/images/orange/left_03.png
 - public/images/orange/right_03.png
-- public/images/pp_checkout.gif
 - public/images/progress.gif
 - public/images/rails.png
 - public/images/right_01.png
@@ -1683,10 +1678,20 @@ files:
 - public/javascripts/calendar_date_select
 - public/javascripts/calendar_date_select/calendar_date_select.js
 - public/javascripts/calendar_date_select/format_american.js
+- public/javascripts/calendar_date_select/format_db.js
 - public/javascripts/calendar_date_select/format_euro_24hr.js
+- public/javascripts/calendar_date_select/format_euro_24hr_ymd.js
 - public/javascripts/calendar_date_select/format_finnish.js
 - public/javascripts/calendar_date_select/format_hyphen_ampm.js
+- public/javascripts/calendar_date_select/format_iso_date.js
 - public/javascripts/calendar_date_select/format_italian.js
+- public/javascripts/calendar_date_select/locale
+- public/javascripts/calendar_date_select/locale/de.js
+- public/javascripts/calendar_date_select/locale/fi.js
+- public/javascripts/calendar_date_select/locale/fr.js
+- public/javascripts/calendar_date_select/locale/pl.js
+- public/javascripts/calendar_date_select/locale/pt.js
+- public/javascripts/calendar_date_select/locale/ru.js
 - public/javascripts/checkout.js
 - public/javascripts/controls.js
 - public/javascripts/dragdrop.js
@@ -1771,8 +1776,6 @@ files:
 - public/stylesheets/compiled/ie.css
 - public/stylesheets/compiled/print.css
 - public/stylesheets/compiled/screen.css
-- public/stylesheets/orders
-- public/stylesheets/prototypes
 - public/stylesheets/sass
 - public/stylesheets/sass/_buttons.sass
 - public/stylesheets/sass/_cart.sass
@@ -1790,16 +1793,6 @@ files:
 - public/stylesheets/sass/print.sass
 - public/stylesheets/sass/screen.sass
 - public/stylesheets/scaffold.css
-- public/Users
-- public/Users/schof
-- public/Users/schof/open_source
-- public/Users/schof/open_source/spree
-- public/Users/schof/open_source/spree/vendor
-- public/Users/schof/open_source/spree/vendor/extensions
-- public/Users/schof/open_source/spree/vendor/extensions/localization
-- public/Users/schof/open_source/spree/vendor/extensions/localization/public
-- public/Users/schof/open_source/spree/vendor/extensions/localization/public/images
-- public/Users/schof/open_source/spree/vendor/extensions/localization/public/images/flags
 - Rakefile
 - README.markdown
 - script
@@ -1881,9 +1874,6 @@ files:
 - spec/views/admin
 - spec/views/admin/configurations
 - spec/views/admin/configurations/index.html.erb_spec.rb
-- spec/views/admin/mail_settings
-- spec/views/admin/products
-- spec/views/admin/variants
 - test
 - test/factories
 - test/factories/address_factory.rb
@@ -2454,12 +2444,6 @@ files:
 - vendor/plugins/has_calculator/lib
 - vendor/plugins/has_calculator/lib/has_calculator.rb
 - vendor/plugins/has_calculator/README
-- vendor/plugins/has_many_polymorphs
-- vendor/plugins/has_many_polymorphs/test
-- vendor/plugins/has_many_polymorphs/test/integration
-- vendor/plugins/has_many_polymorphs/test/integration/app
-- vendor/plugins/has_many_polymorphs/test/integration/app/vendor
-- vendor/plugins/has_many_polymorphs/test/integration/app/vendor/plugins
 - vendor/plugins/in_place_editing
 - vendor/plugins/in_place_editing/init.rb
 - vendor/plugins/in_place_editing/lib
@@ -2675,8 +2659,6 @@ rdoc_options:
 - --exclude
 - log
 - --exclude
-- pkg
-- --exclude
 - public
 - --exclude
 - script