spree_auth_devise 4.1.0 → 4.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7803bda30cc0ed9cca3df5b201c6f53e53ed57841dd26c18eecaad80888779e6
-  data.tar.gz: 615ee2f16b67ed9e082c55c2f3b011ffedd363f7ac83d392819ef6a8f24da7b0
+  metadata.gz: 46ff8af21fa16c063b0f61f5993e37f93072587b1e663e58089b2ea0a028b51b
+  data.tar.gz: 6d7fa7607dd17ff3b6c5231bd8295c5fef51ea7620e1e459d199b39b42649858
 SHA512:
-  metadata.gz: f2fddae86244f213dcdb77ab7f4ef0658b8d9ca3255b43b7d3e53ca0f750479ce0b0d7b80ec59d7a820aa0f17ee670a5b6fd34a485b826681f73b0b972a484bd
-  data.tar.gz: ec8035b779912362315ada27d8ab6bc69152609e7776d155e7f14a8a2a4fa7920d0e0a89d16968b55cef5e018bcbe967cb70f767917c077915ed40b19cdf1672
+  metadata.gz: 1eefe313a0b7cd621e9192d483624541790292872576927da6089350aaa14352faa00e0b2dd8f36d2920b9faf4776cc5287df6c5308d2bce9111ec95228f26a1
+  data.tar.gz: 3e941ccde2788291ec91709149786c03dab905cf142811186a43949c3ce6549b89306e8ceb7692070dbb1a7a92ef306ae0adc808d62bb18d1ad27404afbc24f0

data/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
 gem 'rails-controller-testing'
-gem 'spree', github: 'spree/spree', branch: 'master'
+gem 'spree', '~> 4.1.0'
 
 gemspec

data/lib/controllers/frontend/spree/users_controller.rb

@@ -1,14 +1,18 @@
 class Spree::UsersController < Spree::StoreController
   before_action :set_current_order, except: :show
-  prepend_before_action :load_object, only: [:show, :edit, :update]
   prepend_before_action :authorize_actions, only: :new
 
   include Spree::Core::ControllerHelpers
 
   def show
+    load_object
     @orders = @user.orders.complete.order('completed_at desc')
   end
 
+  def edit
+    load_object
+  end
+
   def create
     @user = Spree.user_class.new(user_params)
     if @user.save
@@ -24,6 +28,7 @@ class Spree::UsersController < Spree::StoreController
   end
 
   def update
+    load_object
     if @user.update(user_params)
       if params[:user][:password].present?
         # this logic needed b/c devise wants to log us out after password changes

data/spec/requests/spree/frontend/user_update_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+RSpec.feature 'User update', type: :request do
+  context 'CSRF protection' do
+    %i[exception reset_session null_session].each do |strategy|
+      # Completely clean the configuration of forgery protection for the
+      # controller and reset it after the expectations. However, besides `:with`,
+      # the options given to `protect_from_forgery` are processed on the fly.
+      # I.e., there's no way to retain them. The initial setup corresponds to the
+      # dummy application, which uses the default Rails skeleton in that regard.
+      # So, if at some point Rails changed the given options, we should update it
+      # here.
+      around do |example|
+        controller = Spree::UsersController
+        old_allow_forgery_protection_value = controller.allow_forgery_protection
+        old_forgery_protection_strategy = controller.forgery_protection_strategy
+        controller.skip_forgery_protection
+        controller.allow_forgery_protection = true
+        controller.protect_from_forgery with: strategy
+
+        example.run
+
+        controller.allow_forgery_protection = old_allow_forgery_protection_value
+        controller.forgery_protection_strategy = old_forgery_protection_strategy
+      end
+
+      it "is not possible to take account over with the #{strategy} forgery protection strategy" do
+        user = create(:user, email: 'legit@mail.com', password: 'password')
+
+        post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
+        begin
+          put '/users/123456', params: 'user[email]=hacked@example.com'
+        rescue
+          # testing that the account is not compromised regardless of any raised
+          # exception
+        end
+
+        expect(user.reload.email).to eq('legit@mail.com')
+      end
+    end
+  end
+end

data/spree_auth_devise.gemspec

@@ -3,7 +3,7 @@
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = 'spree_auth_devise'
-  s.version     = '4.1.0'
+  s.version     = '4.1.1'
   s.summary     = 'Provides authentication and authorization services for use with Spree by using Devise and CanCan.'
   s.description = s.summary
 
@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'devise', '~> 4.7'
   s.add_dependency 'devise-encryptable', '0.2.0'
 
-  spree_version = '>= 4.1.0.alpha', '< 5.0'
+  spree_version = '>= 4.1.0.alpha', '< 4.2'
   s.add_dependency 'spree_core', spree_version
   s.add_dependency 'spree_extension'
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_auth_devise
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 4.1.1
 platform: ruby
 authors:
 - Sean Schofield
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-20 00:00:00.000000000 Z
+date: 2021-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: deface
@@ -61,7 +61,7 @@ dependencies:
         version: 4.1.0.alpha
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -71,7 +71,7 @@ dependencies:
         version: 4.1.0.alpha
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.2'
 - !ruby/object:Gem::Dependency
   name: spree_extension
   requirement: !ruby/object:Gem::Requirement
@@ -361,7 +361,7 @@ dependencies:
         version: 4.1.0.alpha
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -371,7 +371,7 @@ dependencies:
         version: 4.1.0.alpha
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.2'
 - !ruby/object:Gem::Dependency
   name: spree_frontend
   requirement: !ruby/object:Gem::Requirement
@@ -381,7 +381,7 @@ dependencies:
         version: 4.1.0.alpha
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -391,7 +391,7 @@ dependencies:
         version: 4.1.0.alpha
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.2'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -532,6 +532,7 @@ files:
 - spec/mailers/user_mailer_spec.rb
 - spec/models/order_spec.rb
 - spec/models/user_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/add_to_cart.rb
@@ -550,7 +551,7 @@ homepage: https://spreecommerce.org
 licenses:
 - BSD-3-Clause
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -566,8 +567,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.0.2
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Provides authentication and authorization services for use with Spree by
   using Devise and CanCan.
@@ -599,6 +600,7 @@ test_files:
 - spec/mailers/user_mailer_spec.rb
 - spec/models/order_spec.rb
 - spec/models/user_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/add_to_cart.rb