spree_auth_devise 4.2.0 → 4.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 118d51e3f609cac9bc6a69453d96893824814d99a44e8be828741ebd410c9aa9
-  data.tar.gz: dcb44d6ef585b73b82665d12b04821e5f9d6393ef87626cbbd4091e060390365
+  metadata.gz: 7cd5aef076f37e51acf8e77f9dc7aa8c14b3c38d38bb58c689fca12e59d6fc82
+  data.tar.gz: df4827dc1c68ed09ad300257ae97c9a10ad88e564a629bff09cd9b8568df9c6f
 SHA512:
-  metadata.gz: 0e3de0c4e4fd5adf202a9fa312f6025eaef63d9b61c8024703b418dc911d9dab405c76d3c25c6ed3f7e7d84f1bb867c2874a21e08dad903618c8632cf087531a
-  data.tar.gz: d650a6a697c44abba86562a2bc94b98ba117ce74a4a57f614f6e210690ea4f44f8e21f64aaf8a55458b8323b0e8686a48f3b313453337635aae8ffd2fe944dc3
+  metadata.gz: 4a07f459d80a0260fd2a19a875d0ea6f392768c7d4a33db41574a238231e5a68234dc1e73c35d2287fb4eb73d9f30f9ac0ea1cbfb86af35fe5418fb061daf116
+  data.tar.gz: b14f4d2f862e49522de9f4704baa56bb81f876185ee693e27171a5ba68eb1abe5cc2c527a2fe8e4c1dfc01620765093d4edd8d62ca98471633f9163af2fd4eda

data/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
 gem 'rails-controller-testing'
-gem 'spree', github: 'spree/spree', branch: 'master'
+gem 'spree', '~> 4.2.0'
 
 gemspec

data/app/controllers/spree/user_confirmations_controller.rb

@@ -6,7 +6,16 @@ class Spree::UserConfirmationsController < Devise::ConfirmationsController
   include Spree::Core::ControllerHelpers::Order
   include Spree::Core::ControllerHelpers::Store
 
-  before_action :set_current_order
+  include SpreeI18n::ControllerLocaleHelper if defined?(SpreeI18n::ControllerLocaleHelper)
+
+  include Spree::Core::ControllerHelpers::Currency if defined?(Spree::Core::ControllerHelpers::Currency)
+  include Spree::Core::ControllerHelpers::Locale if defined?(Spree::Core::ControllerHelpers::Locale)
+
+  include Spree::LocaleUrls if defined?(Spree::LocaleUrls)
+
+  helper 'spree/locale' if defined?(Spree::LocaleHelper)
+  helper 'spree/currency' if defined?(Spree::CurrencyHelper)
+  helper 'spree/store' if defined?(Spree::StoreHelper)
 
   # GET /resource/confirmation?confirmation_token=abcdef
   def show

data/app/controllers/spree/user_passwords_controller.rb

@@ -6,9 +6,16 @@ class Spree::UserPasswordsController < Devise::PasswordsController
   include Spree::Core::ControllerHelpers::Order
   include Spree::Core::ControllerHelpers::Store
 
-  if defined?(SpreeI18n::ControllerLocaleHelper)
-    include SpreeI18n::ControllerLocaleHelper
-  end
+  include SpreeI18n::ControllerLocaleHelper if defined?(SpreeI18n::ControllerLocaleHelper)
+
+  include Spree::Core::ControllerHelpers::Currency if defined?(Spree::Core::ControllerHelpers::Currency)
+  include Spree::Core::ControllerHelpers::Locale if defined?(Spree::Core::ControllerHelpers::Locale)
+
+  include Spree::LocaleUrls if defined?(Spree::LocaleUrls)
+
+  helper 'spree/locale' if defined?(Spree::LocaleHelper)
+  helper 'spree/currency' if defined?(Spree::CurrencyHelper)
+  helper 'spree/store' if defined?(Spree::StoreHelper)
 
   before_action :set_current_order
 

data/app/controllers/spree/user_registrations_controller.rb

@@ -6,9 +6,16 @@ class Spree::UserRegistrationsController < Devise::RegistrationsController
   include Spree::Core::ControllerHelpers::Order
   include Spree::Core::ControllerHelpers::Store
 
-  if defined?(SpreeI18n::ControllerLocaleHelper)
-    include SpreeI18n::ControllerLocaleHelper
-  end
+  include SpreeI18n::ControllerLocaleHelper if defined?(SpreeI18n::ControllerLocaleHelper)
+
+  include Spree::Core::ControllerHelpers::Currency if defined?(Spree::Core::ControllerHelpers::Currency)
+  include Spree::Core::ControllerHelpers::Locale if defined?(Spree::Core::ControllerHelpers::Locale)
+
+  include Spree::LocaleUrls if defined?(Spree::LocaleUrls)
+
+  helper 'spree/locale' if defined?(Spree::LocaleHelper)
+  helper 'spree/currency' if defined?(Spree::CurrencyHelper)
+  helper 'spree/store' if defined?(Spree::StoreHelper)
 
   before_action :check_permissions, only: [:edit, :update]
   before_action :set_current_order

data/app/controllers/spree/user_sessions_controller.rb

@@ -6,9 +6,16 @@ class Spree::UserSessionsController < Devise::SessionsController
   include Spree::Core::ControllerHelpers::Order
   include Spree::Core::ControllerHelpers::Store
 
-  if defined?(SpreeI18n::ControllerLocaleHelper)
-    include SpreeI18n::ControllerLocaleHelper
-  end
+  include SpreeI18n::ControllerLocaleHelper if defined?(SpreeI18n::ControllerLocaleHelper)
+
+  include Spree::Core::ControllerHelpers::Currency if defined?(Spree::Core::ControllerHelpers::Currency)
+  include Spree::Core::ControllerHelpers::Locale if defined?(Spree::Core::ControllerHelpers::Locale)
+
+  include Spree::LocaleUrls if defined?(Spree::LocaleUrls)
+
+  helper 'spree/locale' if defined?(Spree::LocaleHelper)
+  helper 'spree/currency' if defined?(Spree::CurrencyHelper)
+  helper 'spree/store' if defined?(Spree::StoreHelper)
 
   before_action :set_current_order
 

data/lib/controllers/frontend/spree/users_controller.rb

@@ -1,11 +1,11 @@
 class Spree::UsersController < Spree::StoreController
   before_action :set_current_order, except: :show
-  prepend_before_action :load_object, only: [:show, :edit, :update]
   prepend_before_action :authorize_actions, only: :new
 
   include Spree::Core::ControllerHelpers
 
   def show
+    load_object
     @orders = @user.orders.complete.order('completed_at desc')
   end
 
@@ -23,7 +23,12 @@ class Spree::UsersController < Spree::StoreController
     end
   end
 
+  def edit
+    load_object
+  end
+
   def update
+    load_object
     if @user.update(user_params)
       if params[:user][:password].present?
         # this logic needed b/c devise wants to log us out after password changes

data/spec/requests/spree/frontend/user_update_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+RSpec.feature 'User update', type: :request do
+  context 'CSRF protection' do
+    %i[exception reset_session null_session].each do |strategy|
+      # Completely clean the configuration of forgery protection for the
+      # controller and reset it after the expectations. However, besides `:with`,
+      # the options given to `protect_from_forgery` are processed on the fly.
+      # I.e., there's no way to retain them. The initial setup corresponds to the
+      # dummy application, which uses the default Rails skeleton in that regard.
+      # So, if at some point Rails changed the given options, we should update it
+      # here.
+      around do |example|
+        controller = Spree::UsersController
+        old_allow_forgery_protection_value = controller.allow_forgery_protection
+        old_forgery_protection_strategy = controller.forgery_protection_strategy
+        controller.skip_forgery_protection
+        controller.allow_forgery_protection = true
+        controller.protect_from_forgery with: strategy
+
+        example.run
+
+        controller.allow_forgery_protection = old_allow_forgery_protection_value
+        controller.forgery_protection_strategy = old_forgery_protection_strategy
+      end
+
+      it "is not possible to take account over with the #{strategy} forgery protection strategy" do
+        user = create(:user, email: 'legit@mail.com', password: 'password')
+
+        post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
+        begin
+          put '/users/123456', params: 'user[email]=hacked@example.com'
+        rescue
+          # testing that the account is not compromised regardless of any raised
+          # exception
+        end
+
+        expect(user.reload.email).to eq('legit@mail.com')
+      end
+    end
+  end
+end

data/spree_auth_devise.gemspec

@@ -3,7 +3,7 @@
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = 'spree_auth_devise'
-  s.version     = '4.2.0'
+  s.version     = '4.2.1'
   s.summary     = 'Provides authentication and authorization services for use with Spree by using Devise and CanCan.'
   s.description = s.summary
 
@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'devise', '~> 4.7'
   s.add_dependency 'devise-encryptable', '0.2.0'
 
-  spree_version = '>= 4.1', '< 5.0'
+  spree_version = '>= 4.1', '< 4.3'
   s.add_dependency 'spree_core', spree_version
   s.add_dependency 'spree_extension'
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spree_auth_devise
 version: !ruby/object:Gem::Version
-  version: 4.2.0
+  version: 4.2.1
 platform: ruby
 authors:
 - Sean Schofield
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-16 00:00:00.000000000 Z
+date: 2021-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: deface
@@ -61,7 +61,7 @@ dependencies:
         version: '4.1'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -71,7 +71,7 @@ dependencies:
         version: '4.1'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.3'
 - !ruby/object:Gem::Dependency
   name: spree_extension
   requirement: !ruby/object:Gem::Requirement
@@ -221,6 +221,7 @@ files:
 - spec/models/user_spec.rb
 - spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb
 - spec/requests/spree/api/v2/storefront/account_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/configuration_helpers.rb
@@ -248,7 +249,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Provides authentication and authorization services for use with Spree by
@@ -284,6 +285,7 @@ test_files:
 - spec/models/user_spec.rb
 - spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb
 - spec/requests/spree/api/v2/storefront/account_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/configuration_helpers.rb