spree_auth_devise 4.3.3 → 4.4.2
- checksums.yaml +4 -4
- data/.circleci/config.yml +165 -29
- data/.github/dependabot.yml +11 -0
- data/.travis.yml +1 -11
- data/Gemfile +6 -2
- data/README.md +1 -2
- data/app/mailers/spree/user_mailer.rb +3 -3
- data/app/models/spree/user.rb +3 -0
- data/config/routes.rb +33 -29
- data/db/migrate/20210728103922_change_type_of_ship_address_id_and_bill_address_id_for_spree_users.rb +8 -0
- data/lib/controllers/backend/spree/admin/user_passwords_controller.rb +5 -4
- data/lib/controllers/backend/spree/admin/user_sessions_controller.rb +2 -3
- data/{app/controllers → lib/controllers/frontend}/spree/user_confirmations_controller.rb +9 -6
- data/{app/controllers → lib/controllers/frontend}/spree/user_passwords_controller.rb +8 -9
- data/{app/controllers → lib/controllers/frontend}/spree/user_registrations_controller.rb +8 -9
- data/{app/controllers → lib/controllers/frontend}/spree/user_sessions_controller.rb +11 -12
- data/lib/controllers/frontend/spree/users_controller.rb +8 -3
- data/lib/spree/auth/version.rb +1 -1
- data/lib/spree/testing_support/auth_helpers.rb +18 -10
- data/lib/views/backend/spree/admin/user_passwords/edit.html.erb +12 -11
- data/lib/views/backend/spree/admin/user_passwords/new.html.erb +9 -11
- data/lib/views/backend/spree/admin/user_sessions/new.html.erb +4 -4
- data/{app/views → lib/views/frontend}/spree/user_passwords/edit.html.erb +0 -0
- data/{app/views → lib/views/frontend}/spree/user_passwords/new.html.erb +0 -0
- data/{app/views → lib/views/frontend}/spree/user_registrations/new.html.erb +0 -0
- data/{app/views → lib/views/frontend}/spree/user_sessions/new.html.erb +0 -0
- data/spec/controllers/spree/user_sessions_controller_spec.rb +13 -1
- data/spec/controllers/spree/users_controller_spec.rb +1 -1
- data/spec/features/account_spec.rb +2 -2
- data/spec/features/admin/orders_spec.rb +4 -2
- data/spec/features/admin/password_reset_spec.rb +1 -1
- data/spec/features/admin/sign_in_spec.rb +5 -5
- data/spec/features/admin/sign_out_spec.rb +5 -5
- data/spec/features/admin_permissions_spec.rb +1 -1
- data/spec/features/checkout_spec.rb +1 -1
- data/spec/features/order_spec.rb +2 -2
- data/spec/features/sign_in_spec.rb +29 -7
- data/spec/features/sign_out_spec.rb +2 -2
- data/spec/models/user_spec.rb +27 -0
- data/spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb +0 -9
- data/spec/requests/spree/frontend/user_update_spec.rb +42 -0
- data/spec/spec_helper.rb +4 -0
- data/spec/support/confirm_helpers.rb +1 -0
- data/spree_auth_devise.gemspec +1 -1
- metadata +19 -27
- data/Appraisals +0 -9
- data/app/services/spree/account/create.rb +0 -19
- data/app/services/spree/account/update.rb +0 -17
- data/gemfiles/spree_4_1.gemfile +0 -8
- data/gemfiles/spree_master.gemfile +0 -8
- data/lib/controllers/api/spree/api/v2/storefront/account_controller_decorator.rb +0 -41
@@ -1,34 +1,42 @@
|
|
1
1
|
module Spree
|
2
2
|
module TestingSupport
|
3
3
|
module AuthHelpers
|
4
|
-
def
|
5
|
-
|
4
|
+
def login_button
|
5
|
+
Spree.version.to_f == 4.1 ? Spree.t(:log_in) : Spree.t(:login)
|
6
|
+
end
|
7
|
+
|
8
|
+
def logout_button
|
9
|
+
Spree.version.to_f == 4.1 ? Spree.t('nav_bar.log_out') : Spree.t(:logout).upcase
|
10
|
+
end
|
11
|
+
|
12
|
+
def log_in(email:, password:, remember_me: true, locale: nil)
|
13
|
+
visit spree.login_path(locale: locale)
|
6
14
|
|
7
|
-
fill_in
|
8
|
-
fill_in
|
15
|
+
fill_in Spree.t(:email), with: email
|
16
|
+
fill_in Spree.t(:password), with: password
|
9
17
|
|
10
18
|
# Regression test for #1257
|
11
|
-
first('label', text:
|
12
|
-
click_button
|
19
|
+
first('label', text: Spree.t(:remember_me)).click if remember_me
|
20
|
+
click_button login_button
|
13
21
|
|
14
|
-
expect(page).to have_content
|
22
|
+
expect(page).to have_content Spree.t(:logged_in_successfully)
|
15
23
|
end
|
16
24
|
|
17
25
|
def log_out
|
18
26
|
show_user_menu
|
19
|
-
click_link
|
27
|
+
click_link logout_button
|
20
28
|
|
21
29
|
expect(page).to have_content 'Signed out successfully'
|
22
30
|
end
|
23
31
|
|
24
32
|
def show_user_menu
|
25
|
-
find("button[aria-label='
|
33
|
+
find("button[aria-label='#{Spree.t('nav_bar.show_user_menu')}']").click
|
26
34
|
end
|
27
35
|
|
28
36
|
def show_user_account
|
29
37
|
within '#nav-bar' do
|
30
38
|
show_user_menu
|
31
|
-
click_link
|
39
|
+
click_link Spree.t(:my_account).upcase
|
32
40
|
end
|
33
41
|
end
|
34
42
|
end
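Review bot: The `Spree.version.to_f == 4.1` branches in `login_button` and `logout_button` look dead after this release: the gemspec in the same diff raises `spree_version` to `'>= 4.3.0.rc1'`, so a Spree 4.1 host can no longer resolve this gem, and the ternaries now advertise support the dependency constraint rules out (`def login_button; Spree.t(:login); end` would be the honest form). `Spree.version.to_f` is also a fragile way to compare versions, since a hypothetical `4.10` collapses to `4.1`; `Gem::Version.new(Spree.version)` is the usual comparison. Separately, `log_out` still matches the hardcoded English `'Signed out successfully'` while `log_in` switched to `Spree.t(:logged_in_successfully)`, so this helper will fail under the new localized sign-in context if it is ever reused there; `Spree.t(:signed_out_successfully)` or the Devise `devise.sessions.signed_out` key would keep the two helpers symmetric. The enclosing module is fully visible here.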
|
@@ -1,15 +1,16 @@
|
|
1
|
-
<%= render :
|
1
|
+
<%= render partial: 'spree/admin/shared/error_messages', locals: { target: @spree_user } %>
|
2
|
+
|
2
3
|
<h2><%= Spree.t(:change_my_password) %></h2>
|
3
4
|
|
4
|
-
<%= form_for @spree_user, :
|
5
|
-
<
|
6
|
-
<%= f.label :password, Spree.t(:password)
|
7
|
-
<%= f.password_field :password
|
8
|
-
</
|
9
|
-
<
|
10
|
-
<%= f.label :password_confirmation, Spree.t(:confirm_password)
|
11
|
-
<%= f.password_field :password_confirmation
|
12
|
-
</
|
5
|
+
<%= form_for @spree_user, as: :spree_user, url: spree.admin_update_password_path, method: :put do |f| %>
|
6
|
+
<div class="form-group">
|
7
|
+
<%= f.label :password, Spree.t(:password) %>
|
8
|
+
<%= f.password_field :password, class: 'form-control', required: true %>
|
9
|
+
</div>
|
10
|
+
<div class="form-group">
|
11
|
+
<%= f.label :password_confirmation, Spree.t(:confirm_password) %>
|
12
|
+
<%= f.password_field :password_confirmation, class: 'form-control', required: true %>
|
13
|
+
</div>
|
13
14
|
<%= f.hidden_field :reset_password_token %>
|
14
|
-
<%= f.submit Spree.t(:update), :
|
15
|
+
<%= f.submit Spree.t(:update), class: 'btn btn-primary btn-block' %>
|
15
16
|
<% end %>
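Review bot: This password-update form has no `data: { turbo: false }` while the sibling `new.html.erb` form in this same change adds it, so the two admin password forms will be handled differently by Turbo if the host backend loads it; presumably the author disabled Turbo on the reset form because Devise answers with a full redirect, and the same reasoning applies to the `form_for @spree_user, ..., method: :put` line here. The `required: true` on both password fields is only a browser hint and is trivially bypassed; it is fine as UX, but the hidden `reset_password_token` plus Devise's server-side validations remain the actual control, so a short ERB comment such as `<%# required: is client-side only; Devise validates presence and confirmation server-side %>` would stop a later reader from treating it as a security check.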
|
@@ -1,17 +1,15 @@
|
|
1
|
-
<%= render :
|
1
|
+
<%= render partial: 'spree/admin/shared/error_messages', locals: { target: @spree_user } %>
|
2
2
|
|
3
|
-
<div id="forgot-password">
|
4
|
-
<
|
3
|
+
<div id="forgot-password" class="col-lg-6">
|
4
|
+
<h1><%= Spree.t(:forgot_password) %></h1>
|
5
5
|
|
6
6
|
<p><%= Spree.t(:instructions_to_reset_password) %></p>
|
7
7
|
|
8
|
-
<%= form_for Spree.user_class.new, :as => :spree_user, :url => spree.
|
9
|
-
<
|
10
|
-
<%= f.label :email, Spree.t(:email)
|
11
|
-
<%= f.email_field :email %>
|
12
|
-
</
|
13
|
-
|
14
|
-
<%= f.submit Spree.t(:reset_password), :class => 'button primary' %>
|
15
|
-
</p>
|
8
|
+
<%= form_for Spree.user_class.new, :as => :spree_user, :url => spree.admin_reset_password_path, data: { turbo: false } do |f| %>
|
9
|
+
<div class="form-group">
|
10
|
+
<%= f.label :email, Spree.t(:email) %>
|
11
|
+
<%= f.email_field :email, class: 'form-control', required: true %>
|
12
|
+
</div>
|
13
|
+
<%= f.submit Spree.t(:reset_password), class: 'btn btn-primary' %>
|
16
14
|
<% end %>
|
17
15
|
</div>
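Review bot: The `form_for` line mixes hash-rocket and new-style hash syntax in one call (`:as => :spree_user, :url => spree.admin_reset_password_path, data: { turbo: false }`); the edit template rewritten in this same change uses the new style throughout, so this line should read `<%= form_for Spree.user_class.new, as: :spree_user, url: spree.admin_reset_password_path, data: { turbo: false } do |f| %>`. The `data: { turbo: false }` is also unexplained; if it was added because Turbo intercepts Devise's redirect after a reset request, an ERB comment such as `<%# Turbo disabled: Devise responds with a full-page redirect %>` would record why, but that reason is inferred here, not visible in the diff.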
|
@@ -8,7 +8,7 @@
|
|
8
8
|
<div id="password-credentials">
|
9
9
|
<div class="form-group text-center">
|
10
10
|
<%= f.label :email, Spree.t(:email) %>
|
11
|
-
<%= f.email_field :email, class: 'form-control', tabindex: 1, placeholder: Spree.t(:email) %>
|
11
|
+
<%= f.email_field :email, class: 'form-control', tabindex: 1, placeholder: Spree.t(:email) %>
|
12
12
|
</div>
|
13
13
|
<div class="form-group text-center">
|
14
14
|
<%= f.label :password, Spree.t(:password) %>
|
@@ -21,12 +21,12 @@
|
|
21
21
|
<%= f.label :remember_me do %>
|
22
22
|
<%= f.check_box :remember_me, :tabindex => 3 %>
|
23
23
|
<%= Spree.t(:remember_me) %>
|
24
|
-
<% end %>
|
24
|
+
<% end %>
|
25
25
|
</div>
|
26
26
|
<div class="col-lg-6 text-right">
|
27
27
|
<%= link_to Spree.t(:forgot_password), spree.admin_recover_password_path %>
|
28
|
-
</div>
|
29
|
-
</div>
|
28
|
+
</div>
|
29
|
+
</div>
|
30
30
|
</div>
|
31
31
|
<div class="form-group">
|
32
32
|
<%= f.submit Spree.t(:login), :class => 'btn btn-primary btn-block', :tabindex => 4 %>
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
@@ -137,7 +137,7 @@ RSpec.describe Spree::UserSessionsController, type: :controller do
|
|
137
137
|
request.cookie_jar.signed[:guest_token] = 'ABC'
|
138
138
|
request.cookie_jar.signed[:token] = 'DEF'
|
139
139
|
end
|
140
|
-
|
140
|
+
|
141
141
|
it 'assigns the correct token attribute for the order' do
|
142
142
|
if Spree.version.to_f > 3.6
|
143
143
|
order = create(:order, email: user.email, token: 'ABC', user_id: nil, created_by_id: nil)
|
@@ -157,6 +157,18 @@ RSpec.describe Spree::UserSessionsController, type: :controller do
|
|
157
157
|
post :create, params: { spree_user: { email: user.email, password: 'secret' }}
|
158
158
|
expect(response).to redirect_to spree.account_path
|
159
159
|
end
|
160
|
+
|
161
|
+
context 'different locale' do
|
162
|
+
before do
|
163
|
+
Spree::Store.default.update(default_locale: 'en', supported_locales: 'en,fr') if Spree.version.to_f >= 4.2
|
164
|
+
end
|
165
|
+
|
166
|
+
it 'redirects to localized account path after signing in' do
|
167
|
+
skip if Spree.version.to_f < 4.2
|
168
|
+
post :create, params: { spree_user: { email: user.email, password: 'secret' }, locale: 'fr' }
|
169
|
+
expect(response).to redirect_to spree.account_path(locale: 'fr')
|
170
|
+
end
|
171
|
+
end
|
160
172
|
end
|
161
173
|
|
162
174
|
context "and js format is used" do
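Review bot: The new `different locale` context only exercises a locale that is in `supported_locales`; nothing pins what happens when `locale` is a value the store does not support (for example `locale: 'xx'`), which is the case that matters if the redirect target is built from the request parameter. A companion example asserting `expect(response).to redirect_to spree.account_path` (no locale) for an unsupported value would document the fallback the controller is expected to apply; whether it currently falls back cannot be told from this hunk. The `Spree::Store.default.update(...)` in `before` also persists `supported_locales: 'en,fr'` for the rest of the example group unless the suite runs transactionally, which this hunk does not show.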
|
@@ -25,7 +25,7 @@ RSpec.describe Spree::UsersController, type: :controller do
|
|
25
25
|
it 'performs update' do
|
26
26
|
put :update, params: { user: { email: 'mynew@email-address.com' } }
|
27
27
|
expect(assigns[:user].email).to eq 'mynew@email-address.com'
|
28
|
-
expect(response).to redirect_to spree.
|
28
|
+
expect(response).to redirect_to spree.account_path
|
29
29
|
end
|
30
30
|
end
|
31
31
|
|
@@ -10,7 +10,7 @@ RSpec.feature 'Accounts', type: :feature do
|
|
10
10
|
|
11
11
|
fill_in 'Email', with: user.email
|
12
12
|
fill_in 'Password', with: user.password
|
13
|
-
click_button
|
13
|
+
click_button login_button
|
14
14
|
|
15
15
|
show_user_account
|
16
16
|
expect(page).to have_text 'admin@person.com'
|
@@ -43,7 +43,7 @@ RSpec.feature 'Accounts', type: :feature do
|
|
43
43
|
|
44
44
|
fill_in 'Email', with: user.email
|
45
45
|
fill_in 'Password', with: user.password
|
46
|
-
click_button
|
46
|
+
click_button login_button
|
47
47
|
|
48
48
|
show_user_account
|
49
49
|
expect(page).to have_text 'email@person.com'
|
@@ -1,6 +1,7 @@
|
|
1
1
|
RSpec.feature 'Admin orders', type: :feature do
|
2
2
|
background do
|
3
|
-
|
3
|
+
user = create(:admin_user)
|
4
|
+
log_in email: user.email, password: user.password
|
4
5
|
end
|
5
6
|
|
6
7
|
# Regression #203
|
@@ -15,7 +16,8 @@ RSpec.feature 'Admin orders', type: :feature do
|
|
15
16
|
|
16
17
|
# Regression #203
|
17
18
|
scenario 'can not edit orders' do
|
18
|
-
|
19
|
+
visit spree.edit_admin_order_path('nodata')
|
20
|
+
expect(page).to have_text('Order is not found')
|
19
21
|
end
|
20
22
|
|
21
23
|
# Regression #203
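Review bot: The `can not edit orders` scenario now runs with an `admin_user` logged in by the new `background`, yet its only assertion is the `Order is not found` message for a non-existent id, so it checks missing-order handling rather than the authorization its name and the `# Regression #203` marker suggest. If the regression was about non-admins reaching the order editor, a scenario that logs in a plain `create(:user)`, visits an existing order's edit path and asserts the denial message would cover it; if it was about the 404 path, renaming the scenario to `shows not found for a missing order` would stop the name from overstating what is tested. The scenarios around this hunk are outside the visible lines.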
|
@@ -7,7 +7,7 @@ RSpec.feature 'Admin - Reset Password', type: :feature do
|
|
7
7
|
user = create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret')
|
8
8
|
visit spree.admin_login_path
|
9
9
|
click_link 'Forgot password?'
|
10
|
-
fill_in 'Email', with:
|
10
|
+
fill_in 'Email', with: user.email
|
11
11
|
click_button 'Reset my password'
|
12
12
|
expect(page).to have_text 'You will receive an email with instructions'
|
13
13
|
end
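Review bot: The expectation `'You will receive an email with instructions'` pins Devise's non-paranoid response to the admin reset form, i.e. the wording Devise only emits when the address exists (paranoid mode uses an indistinguishable "if your email address exists" message for both cases). That means the spec implicitly asserts that the admin `Forgot password?` endpoint reveals whether an account exists, which is the classic account-enumeration surface on a login page; whether the host app sets `config.paranoid = true` is not visible here. Adding a second scenario that submits an unknown address and asserts whichever message is intended would make the enumeration stance explicit, and if paranoid mode is the goal this assertion will need the paranoid wording.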
|
@@ -13,8 +13,8 @@ RSpec.feature 'Admin - Sign In', type: :feature do
|
|
13
13
|
log_in(email: @user.email, password: 'secret')
|
14
14
|
show_user_menu
|
15
15
|
|
16
|
-
expect(page).not_to have_text
|
17
|
-
expect(page).to have_text
|
16
|
+
expect(page).not_to have_text login_button.upcase
|
17
|
+
expect(page).to have_text logout_button.upcase
|
18
18
|
expect(current_path).to eq '/account'
|
19
19
|
end
|
20
20
|
|
@@ -33,13 +33,13 @@ RSpec.feature 'Admin - Sign In', type: :feature do
|
|
33
33
|
|
34
34
|
fill_in 'Email', with: user.email
|
35
35
|
fill_in 'Password', with: 'secret'
|
36
|
+
click_button login_button
|
37
|
+
|
36
38
|
if Spree.version.to_f > 4.1
|
37
|
-
|
38
|
-
within '.navbar .dropdown-menu' do
|
39
|
+
within '.navbar .dropdown-menu-right' do
|
39
40
|
expect(page).to have_text 'admin@person.com'
|
40
41
|
end
|
41
42
|
else
|
42
|
-
click_button 'Log in'
|
43
43
|
within '.user-menu' do
|
44
44
|
expect(page).to have_text 'admin@person.com'
|
45
45
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
RSpec.feature 'Admin - Sign Out', type: :feature do
|
1
|
+
RSpec.feature 'Admin - Sign Out', type: :feature, js: true do
|
2
2
|
given!(:user) do
|
3
3
|
create :user, email: 'email@person.com'
|
4
4
|
end
|
@@ -9,13 +9,13 @@ RSpec.feature 'Admin - Sign Out', type: :feature do
|
|
9
9
|
fill_in 'Password', with: 'secret'
|
10
10
|
# Regression test for #1257
|
11
11
|
check 'Remember me'
|
12
|
-
click_button
|
12
|
+
click_button Spree.t(:login)
|
13
13
|
end
|
14
14
|
|
15
|
-
scenario 'allows a signed in user to logout'
|
15
|
+
scenario 'allows a signed in user to logout' do
|
16
16
|
log_out
|
17
17
|
visit spree.admin_login_path
|
18
|
-
expect(page).to have_button
|
19
|
-
expect(page).not_to have_text
|
18
|
+
expect(page).to have_button Spree.t(:login)
|
19
|
+
expect(page).not_to have_text Spree.t(:logout)
|
20
20
|
end
|
21
21
|
end
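Review bot: This spec calls `click_button Spree.t(:login)` and expects `Spree.t(:logout)` directly, whereas every other feature spec in this change was switched to the `login_button` / `logout_button` helpers added to `AuthHelpers`, so the two code paths diverge on any Spree version where the helper maps to a different key. Using `click_button login_button`, `expect(page).to have_button login_button` and `expect(page).not_to have_text logout_button` here keeps the admin sign-out spec consistent with the sign-in and account specs. The `given!(:user)` block that sets up the account continues above the first hunk.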
|
@@ -55,7 +55,7 @@ RSpec.feature 'Checkout', :js, type: :feature do
|
|
55
55
|
visit spree.login_path
|
56
56
|
fill_in 'Email', with: user.email
|
57
57
|
fill_in 'Password', with: user.password
|
58
|
-
click_button
|
58
|
+
click_button login_button
|
59
59
|
expect(page).to have_text('Logged in successfully')
|
60
60
|
find('a.cart-icon').click
|
61
61
|
|
data/spec/features/order_spec.rb
CHANGED
@@ -17,7 +17,7 @@ RSpec.feature 'Orders', :js, type: :feature do
|
|
17
17
|
visit spree.login_path
|
18
18
|
fill_in 'Email', with: user.email
|
19
19
|
fill_in 'Password', with: user.password
|
20
|
-
click_button
|
20
|
+
click_button login_button
|
21
21
|
|
22
22
|
visit spree.cart_path
|
23
23
|
expect(page).to have_text 'RoR Mug'
|
@@ -29,7 +29,7 @@ RSpec.feature 'Orders', :js, type: :feature do
|
|
29
29
|
visit spree.login_path
|
30
30
|
fill_in 'Email', with: user.email
|
31
31
|
fill_in 'Password', with: user.password
|
32
|
-
click_button
|
32
|
+
click_button login_button
|
33
33
|
|
34
34
|
# Order should have been merged with first session
|
35
35
|
visit spree.cart_path
|
@@ -13,15 +13,15 @@ RSpec.feature 'Sign In', type: :feature do
|
|
13
13
|
log_in(email: @user.email, password: @user.password)
|
14
14
|
show_user_menu
|
15
15
|
|
16
|
-
expect(page).not_to have_text
|
17
|
-
expect(page).to have_text
|
16
|
+
expect(page).not_to have_text login_button.upcase
|
17
|
+
expect(page).to have_text logout_button.upcase
|
18
18
|
expect(current_path).to eq '/account'
|
19
19
|
end
|
20
20
|
|
21
21
|
scenario 'show validation erros' do
|
22
22
|
fill_in 'Email', with: @user.email
|
23
23
|
fill_in 'Password', with: 'wrong_password'
|
24
|
-
click_button
|
24
|
+
click_button login_button
|
25
25
|
|
26
26
|
expect(page).to have_text 'Invalid email or password'
|
27
27
|
expect(page).to have_text 'Log in'
|
@@ -35,12 +35,12 @@ RSpec.feature 'Sign In', type: :feature do
|
|
35
35
|
fill_in 'Password', with: user.password
|
36
36
|
|
37
37
|
if Spree.version.to_f > 4.1
|
38
|
-
click_button
|
39
|
-
within '.navbar .dropdown-menu' do
|
38
|
+
click_button login_button
|
39
|
+
within '.navbar .dropdown-menu-right' do
|
40
40
|
expect(page).to have_text 'admin@person.com'
|
41
41
|
end
|
42
42
|
else
|
43
|
-
click_button
|
43
|
+
click_button login_button
|
44
44
|
within '.user-menu' do
|
45
45
|
expect(page).to have_text 'admin@person.com'
|
46
46
|
end
|
@@ -52,7 +52,29 @@ RSpec.feature 'Sign In', type: :feature do
|
|
52
52
|
visit spree.account_path
|
53
53
|
fill_in 'Email', with: @user.email
|
54
54
|
fill_in 'Password', with: @user.password
|
55
|
-
click_button
|
55
|
+
click_button login_button
|
56
56
|
expect(current_path).to eq '/account'
|
57
57
|
end
|
58
|
+
|
59
|
+
context 'localized' do
|
60
|
+
before do
|
61
|
+
if Spree.version.to_f >= 4.2
|
62
|
+
add_french_locales
|
63
|
+
Spree::Store.default.update(default_locale: 'en', supported_locales: 'en,fr')
|
64
|
+
I18n.locale = :fr
|
65
|
+
end
|
66
|
+
end
|
67
|
+
|
68
|
+
after { I18n.locale = :en }
|
69
|
+
|
70
|
+
scenario 'let a user sign in successfully', js: true do
|
71
|
+
skip if Spree.version.to_f < 4.2
|
72
|
+
log_in(email: @user.email, password: @user.password, locale: 'fr')
|
73
|
+
show_user_menu
|
74
|
+
|
75
|
+
expect(page).not_to have_text Spree.t(:login).upcase
|
76
|
+
expect(page).to have_text Spree.t(:logout).upcase
|
77
|
+
expect(current_url).to match(/\/account\?locale\=fr$/)
|
78
|
+
end
|
79
|
+
end
|
58
80
|
end
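Review bot: `after { I18n.locale = :en }` in the new `localized` context resets to a hardcoded locale instead of restoring whatever was active before the example, so any spec running with a non-English default will be silently switched to English afterwards; `around { |ex| previous = I18n.locale; ex.run; I18n.locale = previous }` restores the prior state and also covers the skipped path where `before` never set `:fr`. The `Spree::Store.default.update(... supported_locales: 'en,fr')` and `add_french_locales` calls likewise have no teardown; whether the store change is rolled back depends on transactional fixtures, which this file does not show. The `current_url` check `/\/account\?locale\=fr$/` is fine as written, though `\=` is an unneeded escape.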
|
@@ -16,8 +16,8 @@ RSpec.feature 'Sign Out', type: :feature, js: true do
|
|
16
16
|
visit spree.root_path
|
17
17
|
show_user_menu
|
18
18
|
|
19
|
-
expect(page).to have_link
|
20
|
-
expect(page).not_to have_link
|
19
|
+
expect(page).to have_link login_button.upcase
|
20
|
+
expect(page).not_to have_link logout_button.upcase
|
21
21
|
end
|
22
22
|
|
23
23
|
describe 'before_logout' do
|
data/spec/models/user_spec.rb
CHANGED
@@ -27,6 +27,33 @@ RSpec.describe Spree::User, type: :model do
|
|
27
27
|
end
|
28
28
|
end
|
29
29
|
|
30
|
+
describe 'validations' do
|
31
|
+
context 'email' do
|
32
|
+
let(:user) { build(:user, email: nil) }
|
33
|
+
|
34
|
+
it 'cannot be empty' do
|
35
|
+
expect(user.valid?).to be false
|
36
|
+
expect(user.errors.messages[:email].first).to eq "can't be blank"
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
context 'password' do
|
41
|
+
let(:user) { build(:user, password_confirmation: nil) }
|
42
|
+
|
43
|
+
it 'password confirmation cannot be empty' do
|
44
|
+
expect(user.valid?).to be false
|
45
|
+
expect(user.errors.messages[:password_confirmation].first).to eq "doesn't match Password"
|
46
|
+
end
|
47
|
+
|
48
|
+
let(:user) { build(:user, password: 'pass1234', password_confirmation: 'pass') }
|
49
|
+
|
50
|
+
it 'passwords has to be equal to password confirmation' do
|
51
|
+
expect(user.valid?).to be false
|
52
|
+
expect(user.errors.messages[:password_confirmation].first).to eq "doesn't match Password"
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
56
|
+
|
30
57
|
context '#destroy' do
|
31
58
|
it 'will soft delete with uncompleted orders' do
|
32
59
|
order = build(:order)
|
@@ -35,14 +35,5 @@ describe 'Storefront API v2 Account Confirmation spec', type: :request do
|
|
35
35
|
expect(JSON.parse(response.body)['error']).to eq("Confirmation token is invalid")
|
36
36
|
end
|
37
37
|
end
|
38
|
-
|
39
|
-
context 'blank confirmation_token param' do
|
40
|
-
let(:user) { build(:user) }
|
41
|
-
let(:confirmation_token) { '' }
|
42
|
-
|
43
|
-
it 'return 301 status' do
|
44
|
-
expect(response.code).to eq('301')
|
45
|
-
end
|
46
|
-
end
|
47
38
|
end
|
48
39
|
end
|
@@ -0,0 +1,42 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
RSpec.feature 'User update', type: :request do
|
4
|
+
context 'CSRF protection' do
|
5
|
+
%i[exception reset_session null_session].each do |strategy|
|
6
|
+
# Completely clean the configuration of forgery protection for the
|
7
|
+
# controller and reset it after the expectations. However, besides `:with`,
|
8
|
+
# the options given to `protect_from_forgery` are processed on the fly.
|
9
|
+
# I.e., there's no way to retain them. The initial setup corresponds to the
|
10
|
+
# dummy application, which uses the default Rails skeleton in that regard.
|
11
|
+
# So, if at some point Rails changed the given options, we should update it
|
12
|
+
# here.
|
13
|
+
around do |example|
|
14
|
+
controller = Spree::UsersController
|
15
|
+
old_allow_forgery_protection_value = controller.allow_forgery_protection
|
16
|
+
old_forgery_protection_strategy = controller.forgery_protection_strategy
|
17
|
+
controller.skip_forgery_protection
|
18
|
+
controller.allow_forgery_protection = true
|
19
|
+
controller.protect_from_forgery with: strategy
|
20
|
+
|
21
|
+
example.run
|
22
|
+
|
23
|
+
controller.allow_forgery_protection = old_allow_forgery_protection_value
|
24
|
+
controller.forgery_protection_strategy = old_forgery_protection_strategy
|
25
|
+
end
|
26
|
+
|
27
|
+
it "is not possible to take account over with the #{strategy} forgery protection strategy" do
|
28
|
+
user = create(:user, email: 'legit@mail.com', password: 'password')
|
29
|
+
|
30
|
+
post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
|
31
|
+
begin
|
32
|
+
put '/users/123456', params: 'user[email]=hacked@example.com'
|
33
|
+
rescue
|
34
|
+
# testing that the account is not compromised regardless of any raised
|
35
|
+
# exception
|
36
|
+
end
|
37
|
+
|
38
|
+
expect(user.reload.email).to eq('legit@mail.com')
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
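Review bot: The only assertion in each CSRF example is `expect(user.reload.email).to eq('legit@mail.com')`, which is also satisfied if `PUT /users/:id` is broken for an unrelated reason (routing, strong params, a failed login in the preceding `post '/login'`), so the spec cannot distinguish "forgery protection rejected the request" from "the update never worked". A positive control that performs the same update with a valid authenticity token and asserts the email changed, plus a per-strategy check of the outcome (`expect { put ... }.to raise_error(ActionController::InvalidAuthenticityToken)` for `:exception`, and a redirect-to-login or unchanged-session assertion for `:reset_session` / `:null_session`) would make the regression test meaningful; the bare `rescue` currently hides which path was taken. The request also targets `put` only; if the route also accepts `PATCH`, covering it too costs one extra example.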
|
data/spec/spec_helper.rb
CHANGED
@@ -9,10 +9,14 @@ require 'spree_dev_tools/rspec/spec_helper'
|
|
9
9
|
# in spec/support/ and its subdirectories.
|
10
10
|
Dir[File.join(File.dirname(__FILE__), 'support/**/*.rb')].sort.each { |f| require f }
|
11
11
|
|
12
|
+
require 'spree/testing_support/locale_helpers' if Spree.version.to_f >= 4.2
|
13
|
+
|
12
14
|
RSpec.configure do |config|
|
13
15
|
config.before(:each) do
|
14
16
|
allow(RSpec::Rails::ViewRendering::EmptyTemplateHandler)
|
15
17
|
.to receive(:call)
|
16
18
|
.and_return(%("")) if Rails.gem_version >= Gem::Version.new('6.0.0.beta1')
|
17
19
|
end
|
20
|
+
|
21
|
+
config.include Spree::TestingSupport::LocaleHelpers if defined?(Spree::TestingSupport::LocaleHelpers)
|
18
22
|
end
|
data/spree_auth_devise.gemspec
CHANGED
@@ -33,7 +33,7 @@ Gem::Specification.new do |s|
|
|
33
33
|
s.add_dependency 'devise', '~> 4.7'
|
34
34
|
s.add_dependency 'devise-encryptable', '0.2.0'
|
35
35
|
|
36
|
-
spree_version = '>= 4.
|
36
|
+
spree_version = '>= 4.3.0.rc1'
|
37
37
|
s.add_dependency 'spree_core', spree_version
|
38
38
|
s.add_dependency 'spree_extension'
|
39
39
|
|