spree_auth_devise 4.0.0 → 4.0.1
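--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0a4c46da7628319c592ae1a9675173fd8add8ca34dbb6fd7d5ffdb92345207c2
+data.tar.gz: e6d9d38bc3e2fa09ff21fc024193160d04f2ba89c4439d8703b6a19f058a6fcd
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7f0c22c01027c613ab423d73af40ce43f02d4a14e26c76865ecd5a381943c2049366c52f2386697c4fa6a394c15d10b91da06b47d563a6f0081e897e948f77a5
+data.tar.gz: 235a7977bb12281f9c3a0f00c0b99b59f7ee63d609b34e413ab530b1e2fde43384bc82e0dce91b784abf8f3518ae72a61d022916ceaa110394466e1aff854f39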
@@ -1,11 +1,11 @@
|
|
1
1
|
class Spree::UsersController < Spree::StoreController
|
2
|
-
|
3
|
-
prepend_before_action :load_object, only: [:show, :edit, :update]
|
2
|
+
skip_before_action :set_current_order, only: :show
|
4
3
|
prepend_before_action :authorize_actions, only: :new
|
5
4
|
|
6
5
|
include Spree::Core::ControllerHelpers
|
7
6
|
|
8
7
|
def show
|
8
|
+
load_object
|
9
9
|
@orders = @user.orders.complete.order('completed_at desc')
|
10
10
|
end
|
11
11
|
|
@@ -23,7 +23,12 @@ class Spree::UsersController < Spree::StoreController
|
|
23
23
|
end
|
24
24
|
end
|
25
25
|
|
26
|
+
def edit
|
27
|
+
load_object
|
28
|
+
end
|
29
|
+
|
26
30
|
def update
|
31
|
+
load_object
|
27
32
|
if @user.update(user_params)
|
28
33
|
if params[:user][:password].present?
|
29
34
|
# this logic needed b/c devise wants to log us out after password changes
|
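Review bot: Nothing in the controller records why `load_object` is now called at the top of `show`, `edit` and `update` instead of through the removed `prepend_before_action :load_object`, so a later cleanup could fold the three calls back into a prepended callback. Judging from the request spec added in this release, the ordering relative to forgery protection appears to be the point of the change (inferred; `load_object` itself is not visible here). I would add a comment above `def show`, such as `# load_object is called inside each action so it runs after CSRF verification; do not move it back into a prepend_before_action`. The remaining `prepend_before_action :authorize_actions, only: :new` still runs ahead of the other callbacks and deserves a check that it reads nothing from the session that forgery protection would reset. The body of `update` continues outside the hunk.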
@@ -0,0 +1,42 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
RSpec.feature 'User update', type: :request do
|
4
|
+
context 'CSRF protection' do
|
5
|
+
%i[exception reset_session null_session].each do |strategy|
|
6
|
+
# Completely clean the configuration of forgery protection for the
|
7
|
+
# controller and reset it after the expectations. However, besides `:with`,
|
8
|
+
# the options given to `protect_from_forgery` are processed on the fly.
|
9
|
+
# I.e., there's no way to retain them. The initial setup corresponds to the
|
10
|
+
# dummy application, which uses the default Rails skeleton in that regard.
|
11
|
+
# So, if at some point Rails changed the given options, we should update it
|
12
|
+
# here.
|
13
|
+
around do |example|
|
14
|
+
controller = Spree::UsersController
|
15
|
+
old_allow_forgery_protection_value = controller.allow_forgery_protection
|
16
|
+
old_forgery_protection_strategy = controller.forgery_protection_strategy
|
17
|
+
controller.skip_forgery_protection
|
18
|
+
controller.allow_forgery_protection = true
|
19
|
+
controller.protect_from_forgery with: strategy
|
20
|
+
|
21
|
+
example.run
|
22
|
+
|
23
|
+
controller.allow_forgery_protection = old_allow_forgery_protection_value
|
24
|
+
controller.forgery_protection_strategy = old_forgery_protection_strategy
|
25
|
+
end
|
26
|
+
|
27
|
+
it "is not possible to take account over with the #{strategy} forgery protection strategy" do
|
28
|
+
user = create(:user, email: 'legit@mail.com', password: 'password')
|
29
|
+
|
30
|
+
post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
|
31
|
+
begin
|
32
|
+
put '/users/123456', params: 'user[email]=hacked@example.com'
|
33
|
+
rescue
|
34
|
+
# testing that the account is not compromised regardless of any raised
|
35
|
+
# exception
|
36
|
+
end
|
37
|
+
|
38
|
+
expect(user.reload.email).to eq('legit@mail.com')
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
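Review bot: The example can pass without exercising the protection at all, because nothing asserts that `post '/login'` established a session and the bare `rescue` around the `put` hides every StandardError, including ones unrelated to CSRF. If the login failed, `user.reload.email` would still equal `legit@mail.com` and all three strategies would look safe. I would add `expect(response).to have_http_status(:redirect)` right after the login request (assuming a successful login redirects) so a broken precondition fails the example. I would also narrow the handler to `rescue ActionController::InvalidAuthenticityToken`, which is what the `:exception` strategy raises, and list any other expected exception explicitly.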
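--- a/data/spree_auth_devise.gemspec
+++ b/data/spree_auth_devise.gemspec
@@ -3,7 +3,7 @@
 Gem::Specification.new do |s|
 s.platform = Gem::Platform::RUBY
 s.name = 'spree_auth_devise'
-s.version = '4.0.
+s.version = '4.0.1'
 s.summary = 'Provides authentication and authorization services for use with Spree by using Devise and CanCan.'
 s.description = s.summary
 
@@ -22,7 +22,7 @@ Gem::Specification.new do |s|
 s.add_dependency 'devise', '~> 4.7'
 s.add_dependency 'devise-encryptable', '0.2.0'
 
-spree_version = '>= 3.1.0', '<
+spree_version = '>= 3.1.0', '< 4.1'
 s.add_dependency 'spree_core', spree_version
 s.add_dependency 'spree_extension'
 s.add_dependency 'deface', '~> 1.0'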
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: spree_auth_devise
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.0.
|
4
|
+
version: 4.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Sean Schofield
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-11-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: devise
|
@@ -47,7 +47,7 @@ dependencies:
|
|
47
47
|
version: 3.1.0
|
48
48
|
- - "<"
|
49
49
|
- !ruby/object:Gem::Version
|
50
|
-
version: '
|
50
|
+
version: '4.1'
|
51
51
|
type: :runtime
|
52
52
|
prerelease: false
|
53
53
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -57,7 +57,7 @@ dependencies:
|
|
57
57
|
version: 3.1.0
|
58
58
|
- - "<"
|
59
59
|
- !ruby/object:Gem::Version
|
60
|
-
version: '
|
60
|
+
version: '4.1'
|
61
61
|
- !ruby/object:Gem::Dependency
|
62
62
|
name: spree_extension
|
63
63
|
requirement: !ruby/object:Gem::Requirement
|
@@ -319,7 +319,7 @@ dependencies:
|
|
319
319
|
version: 3.1.0
|
320
320
|
- - "<"
|
321
321
|
- !ruby/object:Gem::Version
|
322
|
-
version: '
|
322
|
+
version: '4.1'
|
323
323
|
type: :development
|
324
324
|
prerelease: false
|
325
325
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -329,7 +329,7 @@ dependencies:
|
|
329
329
|
version: 3.1.0
|
330
330
|
- - "<"
|
331
331
|
- !ruby/object:Gem::Version
|
332
|
-
version: '
|
332
|
+
version: '4.1'
|
333
333
|
- !ruby/object:Gem::Dependency
|
334
334
|
name: spree_frontend
|
335
335
|
requirement: !ruby/object:Gem::Requirement
|
@@ -339,7 +339,7 @@ dependencies:
|
|
339
339
|
version: 3.1.0
|
340
340
|
- - "<"
|
341
341
|
- !ruby/object:Gem::Version
|
342
|
-
version: '
|
342
|
+
version: '4.1'
|
343
343
|
type: :development
|
344
344
|
prerelease: false
|
345
345
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -349,7 +349,7 @@ dependencies:
|
|
349
349
|
version: 3.1.0
|
350
350
|
- - "<"
|
351
351
|
- !ruby/object:Gem::Version
|
352
|
-
version: '
|
352
|
+
version: '4.1'
|
353
353
|
- !ruby/object:Gem::Dependency
|
354
354
|
name: sqlite3
|
355
355
|
requirement: !ruby/object:Gem::Requirement
|
@@ -504,6 +504,7 @@ files:
|
|
504
504
|
- spec/mailers/user_mailer_spec.rb
|
505
505
|
- spec/models/order_spec.rb
|
506
506
|
- spec/models/user_spec.rb
|
507
|
+
- spec/requests/spree/frontend/user_update_spec.rb
|
507
508
|
- spec/spec_helper.rb
|
508
509
|
- spec/support/ability.rb
|
509
510
|
- spec/support/add_to_cart.rb
|
@@ -522,7 +523,7 @@ homepage: https://spreecommerce.org
|
|
522
523
|
licenses:
|
523
524
|
- BSD-3-Clause
|
524
525
|
metadata: {}
|
525
|
-
post_install_message:
|
526
|
+
post_install_message:
|
526
527
|
rdoc_options: []
|
527
528
|
require_paths:
|
528
529
|
- lib
|
@@ -538,8 +539,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
538
539
|
version: '0'
|
539
540
|
requirements:
|
540
541
|
- none
|
541
|
-
rubygems_version: 3.
|
542
|
-
signing_key:
|
542
|
+
rubygems_version: 3.1.4
|
543
|
+
signing_key:
|
543
544
|
specification_version: 4
|
544
545
|
summary: Provides authentication and authorization services for use with Spree by
|
545
546
|
using Devise and CanCan.
|
@@ -571,6 +572,7 @@ test_files:
|
|
571
572
|
- spec/mailers/user_mailer_spec.rb
|
572
573
|
- spec/models/order_spec.rb
|
573
574
|
- spec/models/user_spec.rb
|
575
|
+
- spec/requests/spree/frontend/user_update_spec.rb
|
574
576
|
- spec/spec_helper.rb
|
575
577
|
- spec/support/ability.rb
|
576
578
|
- spec/support/add_to_cart.rb
|