RubyGems - spree_auth_devise - Versions diffs - 4.0.0 → 4.0.1 - Mend

spree_auth_devise 4.0.0 → 4.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/controllers/frontend/spree/users_controller.rb +7 -2
data/spec/requests/spree/frontend/user_update_spec.rb +42 -0
data/spree_auth_devise.gemspec +2 -2
metadata +14 -12

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa05d3638b5f55b4d34d7fac9d9eb3cddf96eeb473f1d08fb6fc8ca479095e93
-  data.tar.gz: 5199a26bce744922a94d8364061020c9a7e7d45c7631398a19879a780b619ed5
+  metadata.gz: 0a4c46da7628319c592ae1a9675173fd8add8ca34dbb6fd7d5ffdb92345207c2
+  data.tar.gz: e6d9d38bc3e2fa09ff21fc024193160d04f2ba89c4439d8703b6a19f058a6fcd
 SHA512:
-  metadata.gz: b773b386f23743e4097751f8e471f34f984a4e34c6f20638ae6e011605c11dbb459d56c898c7b729053b59eafb30fd8aff3f481cd6dc8dda674c71cd668ba406
-  data.tar.gz: dbf83d876e7b4a8c86b8776e56462ab4c7cc33105db55d944d920cbbc96415ce4516fb981e9105650096591b400e38f4a00fd5a9da11518b710dc04d6d8636b0
+  metadata.gz: 7f0c22c01027c613ab423d73af40ce43f02d4a14e26c76865ecd5a381943c2049366c52f2386697c4fa6a394c15d10b91da06b47d563a6f0081e897e948f77a5
+  data.tar.gz: 235a7977bb12281f9c3a0f00c0b99b59f7ee63d609b34e413ab530b1e2fde43384bc82e0dce91b784abf8f3518ae72a61d022916ceaa110394466e1aff854f39

data/lib/controllers/frontend/spree/users_controller.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 class Spree::UsersController < Spree::StoreController
-  skip_before_action :set_current_order, only: :show
-  prepend_before_action :load_object, only: [:show, :edit, :update]
+skip_before_action :set_current_order, only: :show
   prepend_before_action :authorize_actions, only: :new
   include Spree::Core::ControllerHelpers
   def show
+    load_object
     @orders = @user.orders.complete.order('completed_at desc')
   end
@@ -23,7 +23,12 @@ class Spree::UsersController < Spree::StoreController
     end
   end
+  def edit
+    load_object
+  end
   def update
+    load_object
     if @user.update(user_params)
       if params[:user][:password].present?
         # this logic needed b/c devise wants to log us out after password changes

data/spec/requests/spree/frontend/user_update_spec.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+RSpec.feature 'User update', type: :request do
+  context 'CSRF protection' do
+    %i[exception reset_session null_session].each do |strategy|
+      # Completely clean the configuration of forgery protection for the
+      # controller and reset it after the expectations. However, besides `:with`,
+      # the options given to `protect_from_forgery` are processed on the fly.
+      # I.e., there's no way to retain them. The initial setup corresponds to the
+      # dummy application, which uses the default Rails skeleton in that regard.
+      # So, if at some point Rails changed the given options, we should update it
+      # here.
+      around do |example|
+        controller = Spree::UsersController
+        old_allow_forgery_protection_value = controller.allow_forgery_protection
+        old_forgery_protection_strategy = controller.forgery_protection_strategy
+        controller.skip_forgery_protection
+        controller.allow_forgery_protection = true
+        controller.protect_from_forgery with: strategy
+        example.run
+        controller.allow_forgery_protection = old_allow_forgery_protection_value
+        controller.forgery_protection_strategy = old_forgery_protection_strategy
+      end
+      it "is not possible to take account over with the #{strategy} forgery protection strategy" do
+        user = create(:user, email: 'legit@mail.com', password: 'password')
+        post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
+        begin
+          put '/users/123456', params: 'user[email]=hacked@example.com'
+        rescue
+          # testing that the account is not compromised regardless of any raised
+          # exception
+        end
+        expect(user.reload.email).to eq('legit@mail.com')
+      end
+    end
+  end
+end

data/spree_auth_devise.gemspec CHANGED Viewed

@@ -3,7 +3,7 @@
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = 'spree_auth_devise'
-  s.version     = '4.0.0'
+  s.version     = '4.0.1'
   s.summary     = 'Provides authentication and authorization services for use with Spree by using Devise and CanCan.'
   s.description = s.summary
@@ -22,7 +22,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'devise', '~> 4.7'
   s.add_dependency 'devise-encryptable', '0.2.0'
-  spree_version = '>= 3.1.0', '< 5.0'
+  spree_version = '>= 3.1.0', '< 4.1'
   s.add_dependency 'spree_core', spree_version
   s.add_dependency 'spree_extension'
   s.add_dependency 'deface', '~> 1.0'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_auth_devise
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.0.1
 platform: ruby
 authors:
 - Sean Schofield
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-09-30 00:00:00.000000000 Z
+date: 2021-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -47,7 +47,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -57,7 +57,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: spree_extension
   requirement: !ruby/object:Gem::Requirement
@@ -319,7 +319,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -329,7 +329,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: spree_frontend
   requirement: !ruby/object:Gem::Requirement
@@ -339,7 +339,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -349,7 +349,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -504,6 +504,7 @@ files:
 - spec/mailers/user_mailer_spec.rb
 - spec/models/order_spec.rb
 - spec/models/user_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/add_to_cart.rb
@@ -522,7 +523,7 @@ homepage: https://spreecommerce.org
 licenses:
 - BSD-3-Clause
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -538,8 +539,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.0.2
-signing_key:
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Provides authentication and authorization services for use with Spree by
   using Devise and CanCan.
@@ -571,6 +572,7 @@ test_files:
 - spec/mailers/user_mailer_spec.rb
 - spec/models/order_spec.rb
 - spec/models/user_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/add_to_cart.rb