RubyGems - spree_admin - Versions diffs - 5.5.0.rc1 → 5.5.0.rc2 - Mend

spree_admin 5.5.0.rc1 → 5.5.0.rc2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2f4bbbb1dd33ca70b641c0c4c687f4a8a36731ec816c3324930b44139d911bd6
-  data.tar.gz: d402abe10df4c9fe520db4f9b97fb17e33172238ff7e58b14f71b2754a9c09a5
+  metadata.gz: cf50ce30e9bb9efb5d77bfc984d87f921c997520125e78b375c375d391999aec
+  data.tar.gz: 8bbc5de5e700786db47adc040e6e048901503bb9572d382302336d33a7531866
 SHA512:
-  metadata.gz: 9931e85d7ade12bc71fd556f9014cb410ad03e205eedc6ba4c1bc03d3e5d38a32ddabd7a5b34114fe0cb1b58059d7b6ce36907c3515a866812609c9911989517
-  data.tar.gz: 8f9090d2f5d25c761f4f3ce74701fabd179b9947c21ce23ab64362ac67363ce77b63c624136a35bb02b2897d60fe72e716ac4e8539fdc032f5bc7c7cdbcab12c
+  metadata.gz: 3dd8c8013f072e443fb99b2c70450f005904f0d738870dcf6182e4edd39810fb462e6869eea08cc0ebc235d2d55895750469eaff710b4958fd86880952108aff
+  data.tar.gz: d032bec7f6a7f7eee57054a1b4af6e36e19fca1b80ef276c9a95eb71d6451151c629e05446426893cf1fae120b52a97e9863eafc2644ef2b1a2ac65475030d59

data/app/controllers/concerns/spree/admin/auth_rate_limiting.rb ADDED Viewed

@@ -0,0 +1,58 @@
+module Spree
+  module Admin
+    module AuthRateLimiting
+      extend ActiveSupport::Concern
+      class_methods do
+        # @param limit_preference [Symbol] e.g. :rate_limit_login / :rate_limit_password_reset
+        # @param redirect_to [Proc] evaluated in controller context to the path to bounce
+        #   back to when rate limited, e.g. `-> { new_session_path(resource_name) }`.
+        # @return [void]
+        def auth_rate_limit(limit_preference, redirect_to:)
+          limit  = Spree::Admin::RuntimeConfig[limit_preference] || 5
+          window = (Spree::Admin::RuntimeConfig[:rate_limit_window] || 60).seconds
+          prefix = limit_preference.to_s # unique namespace per controller/action
+          # By IP — always present; backstops blank-email floods.
+          rate_limit(
+            to: limit,
+            within: window,
+            by: -> { "#{prefix}-ip:#{request.remote_ip}" },
+            with: -> { admin_auth_rate_limit_response(redirect_to) },
+            store: Rails.cache,
+            only: :create
+          )
+          # By submitted email (case-insensitive). Falls back to per-IP bucketing when
+          # the email is blank, so blank submissions don't all share one global bucket.
+          rate_limit(
+            to: limit,
+            within: window,
+            by: lambda {
+              email = admin_auth_rate_limit_email
+              email.present? ? "#{prefix}-email:#{email}" : "#{prefix}-email-ip:#{request.remote_ip}"
+            },
+            with: -> { admin_auth_rate_limit_response(redirect_to) },
+            store: Rails.cache,
+            only: :create
+          )
+        end
+      end
+      private
+      # Email is read via Devise's `resource_params` so it works regardless of the
+      # configured admin user class / resource param key.
+      def admin_auth_rate_limit_email
+        resource_params[:email].to_s.strip.downcase.presence
+      rescue StandardError
+        nil
+      end
+      def admin_auth_rate_limit_response(redirect_path)
+        flash[:alert] = I18n.t('devise.failure.too_many_attempts')
+        redirect_to instance_exec(&redirect_path)
+      end
+    end
+  end
+end

data/app/controllers/spree/admin/user_passwords_controller.rb CHANGED Viewed

@@ -1,8 +1,12 @@
 module Spree
   module Admin
     class UserPasswordsController < defined?(Devise::PasswordsController) ? Devise::PasswordsController : Spree::Admin::BaseController
+      include Spree::Admin::AuthRateLimiting
       layout 'spree/minimal'
+      auth_rate_limit :rate_limit_password_reset, redirect_to: -> { new_password_path(resource_name) }
       def create
         self.resource = resource_class.send_reset_password_instructions(resource_params)
         yield resource if block_given?

data/app/controllers/spree/admin/user_sessions_controller.rb CHANGED Viewed

@@ -1,8 +1,12 @@
 module Spree
   module Admin
     class UserSessionsController < defined?(Devise::SessionsController) ? Devise::SessionsController : Spree::Admin::BaseController
+      include Spree::Admin::AuthRateLimiting
       layout 'spree/minimal'
+      auth_rate_limit :rate_limit_login, redirect_to: -> { new_session_path(resource_name) }
       # We need to overwrite this action because `return_to` url may be in a different domain
       # So we need to pass `allow_other_host` option to `redirect_to` method
       def create

data/app/views/spree/admin/product_translations/index.html.erb CHANGED Viewed

@@ -101,7 +101,7 @@
           <%= render 'spree/admin/shared/index_table_options', collection: @products %>
         </div>
       <% else %>
-        <%= render 'spree/admin/shared/no_resource_found', new_object_url: nil %>
+        <%= render 'spree/admin/shared/no_resource_found', new_object_url: nil, model_class: Spree::Product %>
       <% end %>
     </div>
   </div>

data/lib/spree/admin/runtime_configuration.rb CHANGED Viewed

@@ -17,6 +17,11 @@ module Spree
       preference :legacy_sidebar_navigation, :boolean, default: false
       preference :reports_line_items_limit, :integer, default: 1000
+      # Brute-force rate limiting for the admin dashboard auth endpoints (login / password reset).
+      preference :rate_limit_window, :integer, default: 60 # window in seconds
+      preference :rate_limit_login, :integer, default: 5 # per IP and per email
+      preference :rate_limit_password_reset, :integer, default: 3 # per IP and per email
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_admin
 version: !ruby/object:Gem::Version
-  version: 5.5.0.rc1
+  version: 5.5.0.rc2
 platform: ruby
 authors:
 - Vendo Connect Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-06-10 00:00:00.000000000 Z
+date: 2026-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: spree
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 5.5.0.rc1
+        version: 5.5.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 5.5.0.rc1
+        version: 5.5.0.rc2
 - !ruby/object:Gem::Dependency
   name: active_link_to
   requirement: !ruby/object:Gem::Requirement
@@ -284,6 +284,7 @@ files:
 - app/assets/tailwind/spree/admin/views/_dashboard.css
 - app/assets/tailwind/spree/admin/views/_page-builder.css
 - app/controllers/concerns/spree/admin/analytics_concern.rb
+- app/controllers/concerns/spree/admin/auth_rate_limiting.rb
 - app/controllers/concerns/spree/admin/breadcrumb_concern.rb
 - app/controllers/concerns/spree/admin/bulk_operations_concern.rb
 - app/controllers/concerns/spree/admin/order_breadcrumb_concern.rb
@@ -1171,9 +1172,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.5.0.rc1
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.5.0.rc2
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.5.0.rc1
+  source_code_uri: https://github.com/spree/spree/tree/v5.5.0.rc2
 post_install_message:
 rdoc_options: []
 require_paths: