spree_api 5.4.0.rc3 → 5.4.0.rc4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 314545a7037d2f446a6d764b8d130a6ba14c89cfdb82c380132595f74aa62435
-  data.tar.gz: 5976dd28153ffc543f658ca56fab3a2d97cefb162ec25481e192deb599743939
+  metadata.gz: 6509e525568a3b8ea64e7f0f798f4aa97269c1f050d8df3f8a0674fc53001935
+  data.tar.gz: 38bb74377c55de6b865eb28a1014fce6e5744714f44e8bf9484403e92d935044
 SHA512:
-  metadata.gz: 6856dc5fbe6411874444f3bc9ea16b4047ab11470d85b625daca9e054bc6289a37ac023a1fa899a6e9199aebfe1e6a2b1b4f3716611d34bc80ad829e0c57cf04
-  data.tar.gz: ab453e9b05648c4ce61feca5febcaf815d898b17f098696b27dff28d006d015130987d9d8233532b5b74d4fb5c31f6e3f7d12ca4fac10d6ac070bfbb5a4f384b
+  metadata.gz: d748f15cd7c17a7c1bf1f9bc0bec2b22e4326c8a5088ab6989e5904ea2c315f0dad52035f6407a2995728e35ce2cf2b1adfb35f48a025d13007e658f4ee16ad1
+  data.tar.gz: c0c909f704cbdd2088b15fde911e7ceb4b919ea233c2145406bdac76e2e615046cd2b82a54c0992a4bdb518930123cd3e9c5b2a2fb4eb31d05bf98232a177cb7

data/app/services/spree/api/v3/filters_aggregator.rb

@@ -2,13 +2,17 @@ module Spree
   module Api
     module V3
       class FiltersAggregator
-        # @param scope [ActiveRecord::Relation] Base product scope (already filtered by store, availability, category, etc.)
+        # @param scope [ActiveRecord::Relation] Base product scope (fully filtered, including option values)
         # @param currency [String] Currency for price range
         # @param category [Spree::Category, nil] Optional category for default_sort and category filtering context
-        def initialize(scope:, currency:, category: nil)
+        # @param option_value_ids [Array<String>] Currently selected option value prefixed IDs (for disjunctive facet counts)
+        # @param scope_before_options [ActiveRecord::Relation] Scope before option value filters (for disjunctive counts)
+        def initialize(scope:, currency:, category: nil, option_value_ids: [], scope_before_options: nil)
           @scope = scope
           @currency = currency
           @category = category
+          @option_value_ids = option_value_ids
+          @scope_before_options = scope_before_options || scope
         end
 
         def call
@@ -78,25 +82,26 @@ module Spree
 
         def option_type_filters
           Spree::OptionType.filterable.includes(:option_values).order(:position).filter_map do |option_type|
-            values = option_type.option_values.for_products(@scope).distinct.order(:position)
+            # Disjunctive: count against scope WITHOUT this option type's filter
+            count_scope = disjunctive_scope_for(option_type)
+            values = option_type.option_values.for_products(count_scope).distinct.order(:position)
             next if values.empty?
 
+            count_ids = count_scope.reorder('').distinct.pluck(:id)
+
             {
               id: option_type.prefixed_id,
               type: 'option',
               name: option_type.name,
               label: option_type.label,
-              options: values.map { |ov| option_value_data(option_type, ov) }
+              options: values.map { |ov| option_value_data(count_ids, ov) }
             }
           end
         end
 
-        def option_value_data(option_type, option_value)
-          # Count products in scope that have this option value
-          # We use a subquery approach to avoid GROUP BY conflicts when scope includes joins (like in_category)
-          # Join directly to option_value_variants for efficiency (skips joining through option_values table)
+        def option_value_data(product_ids, option_value)
           count = Spree::Product
-            .where(id: base_scope_product_ids)
+            .where(id: product_ids)
             .joins(:option_value_variants)
             .where(Spree::OptionValueVariant.table_name => { option_value_id: option_value.id })
             .distinct
@@ -111,8 +116,38 @@ module Spree
           }
         end
 
-        def base_scope_product_ids
-          @base_scope_product_ids ||= @scope.reorder('').distinct.pluck(:id)
+        # Returns the scope with all option type filters EXCEPT the given one applied.
+        # This gives disjunctive counts: selecting Blue still shows Red's true count.
+        def disjunctive_scope_for(option_type)
+          return @scope_before_options if grouped_selected_options.empty?
+
+          other_groups = grouped_selected_options.except(option_type.id)
+
+          # If this type has selections but no other types do, use scope before any option filters
+          return @scope_before_options if other_groups.empty?
+
+          # Rebuild: start from scope before options, apply only other option types
+          scope = @scope_before_options
+          other_groups.each_value do |ov_ids|
+            matching = Spree::Variant.where(deleted_at: nil)
+                                     .joins(:option_value_variants)
+                                     .where(Spree::OptionValueVariant.table_name => { option_value_id: ov_ids })
+                                     .select(:product_id)
+            scope = scope.where(id: matching)
+          end
+          scope
+        end
+
+        # Group selected option value IDs by option type (cached, single query)
+        def grouped_selected_options
+          @grouped_selected_options ||= begin
+            return {} if @option_value_ids.blank?
+
+            decoded = @option_value_ids.filter_map { |id| Spree::OptionValue.decode_prefixed_id(id) }
+            return {} if decoded.empty?
+
+            Spree::OptionValue.where(id: decoded).group_by(&:option_type_id).transform_values { |ovs| ovs.map(&:id) }
+          end
         end
 
         def category_filter

data/app/services/spree/webhooks/deliver_webhook.rb

@@ -49,22 +49,31 @@ module Spree
       private
 
       def make_request
-        SsrfFilter.post(
-          @delivery.url,
-          headers: {
-            'Content-Type' => 'application/json',
-            'User-Agent' => 'Spree-Webhooks/1.0',
-            'X-Spree-Webhook-Signature' => generate_signature,
-            'X-Spree-Webhook-Timestamp' => webhook_timestamp.to_s,
-            'X-Spree-Webhook-Event' => @delivery.event_name
-          },
-          body: @delivery.payload.to_json,
-          http_options: {
-            open_timeout: TIMEOUT,
-            read_timeout: TIMEOUT,
-            verify_mode: ssl_verify_mode
-          }
-        )
+        headers = {
+          'Content-Type' => 'application/json',
+          'User-Agent' => 'Spree-Webhooks/1.0',
+          'X-Spree-Webhook-Signature' => generate_signature,
+          'X-Spree-Webhook-Timestamp' => webhook_timestamp.to_s,
+          'X-Spree-Webhook-Event' => @delivery.event_name
+        }
+        body = @delivery.payload.to_json
+        http_options = { open_timeout: TIMEOUT, read_timeout: TIMEOUT, verify_mode: ssl_verify_mode }
+
+        # SSRF protection is disabled in development so webhooks can reach
+        # localhost / host.docker.internal (the storefront running on the host).
+        if Rails.env.development?
+          uri = URI.parse(@delivery.url)
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = uri.scheme == 'https'
+          http_options.each { |k, v| http.send(:"#{k}=", v) }
+
+          request = Net::HTTP::Post.new(uri.request_uri)
+          headers.each { |k, v| request[k] = v }
+          request.body = body
+          http.request(request)
+        else
+          SsrfFilter.post(@delivery.url, headers: headers, body: body, http_options: http_options)
+        end
       end
 
       def generate_signature

data/app/subscribers/spree/webhook_event_subscriber.rb

@@ -21,13 +21,15 @@ module Spree
       return unless Spree::Api::Config.webhooks_enabled
       return if event.store_id.blank?
 
-      # Find all active endpoints for this store subscribed to this event
-      endpoints = Spree::WebhookEndpoint.active.where(store_id: event.store_id).select { |endpoint| endpoint.subscribed_to?(event.name) }
+      # Only load the columns we need for matching and delivery
+      endpoints = Spree::WebhookEndpoint
+        .enabled
+        .where(store_id: event.store_id)
+        .select(:id, :subscriptions)
 
-      return if endpoints.empty?
-
-      # Queue delivery for each endpoint
       endpoints.each do |endpoint|
+        next unless endpoint.subscribed_to?(event.name)
+
         queue_delivery(endpoint, event)
       end
     rescue StandardError => e
@@ -38,17 +40,25 @@ module Spree
     private
 
     def queue_delivery(endpoint, event)
-      # Build base payload (without delivery ID)
       payload = build_payload(event)
 
-      # Create delivery record
+      # Deduplicate: skip if we already have a delivery for this event + endpoint
+      if event.id.present?
+        return if Spree::WebhookDelivery.exists?(
+          webhook_endpoint_id: endpoint.id,
+          event_id: event.id
+        )
+      end
+
       delivery = endpoint.webhook_deliveries.create!(
         event_name: event.name,
+        event_id: event.id,
         payload: payload
       )
 
-      # Queue the delivery job
       Spree::WebhookDeliveryJob.perform_later(delivery.id)
+    rescue ActiveRecord::RecordNotUnique
+      # Race condition: another thread already created this delivery — safe to ignore
     rescue StandardError => e
       Rails.logger.error "[Spree Webhooks] Error queuing delivery for endpoint #{endpoint.id}: #{e.message}"
       Rails.error.report(e)

data/config/routes.rb

@@ -27,9 +27,7 @@ Spree::Core::Engine.add_routes do
             get :filters, to: 'products/filters#index'
           end
         end
-        resources :categories, only: [:index, :show], id: /.+/ do
-          resources :products, only: [:index], controller: 'categories/products'
-        end
+        resources :categories, only: [:index, :show], id: /.+/
 
         # Carts
         resources :carts, only: [:index, :show, :create, :update, :destroy] do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_api
 version: !ruby/object:Gem::Version
-  version: 5.4.0.rc3
+  version: 5.4.0.rc4
 platform: ruby
 authors:
 - Vendo Connect Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-03-25 00:00:00.000000000 Z
+date: 2026-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rswag-specs
@@ -72,28 +72,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
+        version: 0.11.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.0
+        version: 0.11.0
 - !ruby/object:Gem::Dependency
   name: spree_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.4.0.rc3
+        version: 5.4.0.rc4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.4.0.rc3
+        version: 5.4.0.rc4
 description: Spree's API
 email:
 - hello@spreecommerce.org
@@ -129,7 +129,6 @@ files:
 - app/controllers/spree/api/v3/store/carts/payments_controller.rb
 - app/controllers/spree/api/v3/store/carts/store_credits_controller.rb
 - app/controllers/spree/api/v3/store/carts_controller.rb
-- app/controllers/spree/api/v3/store/categories/products_controller.rb
 - app/controllers/spree/api/v3/store/categories_controller.rb
 - app/controllers/spree/api/v3/store/countries_controller.rb
 - app/controllers/spree/api/v3/store/currencies_controller.rb
@@ -274,9 +273,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.rc3
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.rc4
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.rc3
+  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.rc4
 post_install_message:
 rdoc_options: []
 require_paths:

data/app/controllers/spree/api/v3/store/categories/products_controller.rb

@@ -1,37 +0,0 @@
-module Spree
-  module Api
-    module V3
-      module Store
-        module Categories
-          class ProductsController < Store::ProductsController
-            before_action :set_category
-
-            protected
-
-            def set_category
-              @category = find_category
-            end
-
-            def scope
-              super.in_category(@category)
-            end
-
-            private
-
-            def find_category
-              id = params[:category_id]
-              category_scope = Spree::Category.for_store(current_store).accessible_by(current_ability, :show)
-              category_scope = category_scope.i18n if Spree::Category.include?(Spree::TranslatableResource)
-
-              if id.to_s.start_with?('ctg_')
-                category_scope.find_by_prefix_id!(id)
-              else
-                find_with_fallback_default_locale { category_scope.i18n.find_by!(permalink: id) }
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end