spree_auth_devise 4.0.0 → 4.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa05d3638b5f55b4d34d7fac9d9eb3cddf96eeb473f1d08fb6fc8ca479095e93
-  data.tar.gz: 5199a26bce744922a94d8364061020c9a7e7d45c7631398a19879a780b619ed5
+  metadata.gz: 0a4c46da7628319c592ae1a9675173fd8add8ca34dbb6fd7d5ffdb92345207c2
+  data.tar.gz: e6d9d38bc3e2fa09ff21fc024193160d04f2ba89c4439d8703b6a19f058a6fcd
 SHA512:
-  metadata.gz: b773b386f23743e4097751f8e471f34f984a4e34c6f20638ae6e011605c11dbb459d56c898c7b729053b59eafb30fd8aff3f481cd6dc8dda674c71cd668ba406
-  data.tar.gz: dbf83d876e7b4a8c86b8776e56462ab4c7cc33105db55d944d920cbbc96415ce4516fb981e9105650096591b400e38f4a00fd5a9da11518b710dc04d6d8636b0
+  metadata.gz: 7f0c22c01027c613ab423d73af40ce43f02d4a14e26c76865ecd5a381943c2049366c52f2386697c4fa6a394c15d10b91da06b47d563a6f0081e897e948f77a5
+  data.tar.gz: 235a7977bb12281f9c3a0f00c0b99b59f7ee63d609b34e413ab530b1e2fde43384bc82e0dce91b784abf8f3518ae72a61d022916ceaa110394466e1aff854f39

data/lib/controllers/frontend/spree/users_controller.rb

@@ -1,11 +1,11 @@
 class Spree::UsersController < Spree::StoreController
-  skip_before_action :set_current_order, only: :show
-  prepend_before_action :load_object, only: [:show, :edit, :update]
+skip_before_action :set_current_order, only: :show
   prepend_before_action :authorize_actions, only: :new
 
   include Spree::Core::ControllerHelpers
 
   def show
+    load_object
     @orders = @user.orders.complete.order('completed_at desc')
   end
 
@@ -23,7 +23,12 @@ class Spree::UsersController < Spree::StoreController
     end
   end
 
+  def edit
+    load_object
+  end
+
   def update
+    load_object
     if @user.update(user_params)
       if params[:user][:password].present?
         # this logic needed b/c devise wants to log us out after password changes

data/spec/requests/spree/frontend/user_update_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+RSpec.feature 'User update', type: :request do
+  context 'CSRF protection' do
+    %i[exception reset_session null_session].each do |strategy|
+      # Completely clean the configuration of forgery protection for the
+      # controller and reset it after the expectations. However, besides `:with`,
+      # the options given to `protect_from_forgery` are processed on the fly.
+      # I.e., there's no way to retain them. The initial setup corresponds to the
+      # dummy application, which uses the default Rails skeleton in that regard.
+      # So, if at some point Rails changed the given options, we should update it
+      # here.
+      around do |example|
+        controller = Spree::UsersController
+        old_allow_forgery_protection_value = controller.allow_forgery_protection
+        old_forgery_protection_strategy = controller.forgery_protection_strategy
+        controller.skip_forgery_protection
+        controller.allow_forgery_protection = true
+        controller.protect_from_forgery with: strategy
+
+        example.run
+
+        controller.allow_forgery_protection = old_allow_forgery_protection_value
+        controller.forgery_protection_strategy = old_forgery_protection_strategy
+      end
+
+      it "is not possible to take account over with the #{strategy} forgery protection strategy" do
+        user = create(:user, email: 'legit@mail.com', password: 'password')
+
+        post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
+        begin
+          put '/users/123456', params: 'user[email]=hacked@example.com'
+        rescue
+          # testing that the account is not compromised regardless of any raised
+          # exception
+        end
+
+        expect(user.reload.email).to eq('legit@mail.com')
+      end
+    end
+  end
+end

data/spree_auth_devise.gemspec

@@ -3,7 +3,7 @@
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = 'spree_auth_devise'
-  s.version     = '4.0.0'
+  s.version     = '4.0.1'
   s.summary     = 'Provides authentication and authorization services for use with Spree by using Devise and CanCan.'
   s.description = s.summary
 
@@ -22,7 +22,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'devise', '~> 4.7'
   s.add_dependency 'devise-encryptable', '0.2.0'
 
-  spree_version = '>= 3.1.0', '< 5.0'
+  spree_version = '>= 3.1.0', '< 4.1'
   s.add_dependency 'spree_core', spree_version
   s.add_dependency 'spree_extension'
   s.add_dependency 'deface', '~> 1.0'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_auth_devise
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.0.1
 platform: ruby
 authors:
 - Sean Schofield
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-09-30 00:00:00.000000000 Z
+date: 2021-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -47,7 +47,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -57,7 +57,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: spree_extension
   requirement: !ruby/object:Gem::Requirement
@@ -319,7 +319,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -329,7 +329,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: spree_frontend
   requirement: !ruby/object:Gem::Requirement
@@ -339,7 +339,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -349,7 +349,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -504,6 +504,7 @@ files:
 - spec/mailers/user_mailer_spec.rb
 - spec/models/order_spec.rb
 - spec/models/user_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/add_to_cart.rb
@@ -522,7 +523,7 @@ homepage: https://spreecommerce.org
 licenses:
 - BSD-3-Clause
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -538,8 +539,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.0.2
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Provides authentication and authorization services for use with Spree by
   using Devise and CanCan.
@@ -571,6 +572,7 @@ test_files:
 - spec/mailers/user_mailer_spec.rb
 - spec/models/order_spec.rb
 - spec/models/user_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/add_to_cart.rb