spree_auth_devise 4.4.0 → 4.4.1

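--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: dce7d97d09c213c428ce6ce21c81a2156cfa2dfd0e7373effda3980a6e4730dc
- data.tar.gz: c5ab728a3019fe0117c9c6b0fb62d962092cb019ff81e861258daa0c26927537
+ metadata.gz: 565373eb7dea3f9d8862356201ff23400aae3c29f5b77114d223de0f146f4dda
+ data.tar.gz: '05666786abb74456941e152e4217e10e9bd26ac8f10655a069ad499c39410352'
  SHA512:
- metadata.gz: bce33276ffcce416fb378d8c9e3fdae88efeec6166520e97304b8520263a667f2714d46ff724eacf004c34defbb876517979482824bd18e2ef2667c3b56f83b9
- data.tar.gz: fd9b8eb25d08f6e98939d66a0a9b432452404a5d1ebf21572552ec611bfd11241cde424a910a02373f935cd8cdabd2259783f3c63019209fde2b0daafaafce21
+ metadata.gz: 89bfa5e3bbf864449b1937682af334f85201f484f23360d5dc40834a9a0d31999c06380531eb883f547dfe34e1df8072fb45c4707918d3eeeefc972649af8438
+ data.tar.gz: 39c55713494bd990c1cb8a7ff5f978227e8e62136564ae76c7f840b3028dcf30d86b8f6f2e94d52397aab7a66c2b0dc96804c4e3cd0b65454b9cd89a64c7a129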
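--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,10 +1,10 @@
  source 'https://rubygems.org'
 
  gem 'rails-controller-testing'
- gem 'spree', github: 'spree/spree', branch: 'main'
- gem 'spree_backend', github: 'spree/spree', branch: 'main'
- gem 'spree_frontend', github: 'spree/spree', branch: 'main'
- gem 'spree_emails', github: 'spree/spree', branch: 'main'
+ gem 'spree', '~> 4.3.0'
+ gem 'spree_backend', '~> 4.3.0'
+ gem 'spree_frontend', '~> 4.3.0'
+ gem 'spree_emails', '~> 4.3.0'
 
  gem 'pry', '~> 0.14.1'
  gemspec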
@@ -1,14 +1,18 @@
1
1
  class Spree::UsersController < Spree::StoreController
2
2
  before_action :set_current_order, except: :show
3
- prepend_before_action :load_object, only: [:show, :edit, :update]
4
3
  prepend_before_action :authorize_actions, only: :new
5
4
 
6
5
  include Spree::Core::ControllerHelpers
7
6
 
8
7
  def show
8
+ load_object
9
9
  @orders = @user.orders.for_store(current_store).complete.order('completed_at desc')
10
10
  end
11
11
 
12
+ def edit
13
+ load_object
14
+ end
15
+
12
16
  def create
13
17
  @user = Spree.user_class.new(user_params)
14
18
  if @user.save
@@ -24,6 +28,7 @@ class Spree::UsersController < Spree::StoreController
24
28
  end
25
29
 
26
30
  def update
31
+ load_object
27
32
  if @user.update(user_params)
28
33
  if params[:user][:password].present?
29
34
  # this logic needed b/c devise wants to log us out after password changes
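Review bot: Nothing in the new `show`, `edit` and `update` bodies records why `load_object` is now called inline rather than from the removed `prepend_before_action`, so a later cleanup could fold the three calls back into a prepended callback. The request spec added in this release suggests the ordering is the security-relevant part: a prepended callback runs ahead of callbacks registered by the parent controller, presumably including forgery protection, and `load_object` (defined outside these hunks) presumably resolves the signed-in user. I would add a comment above the first call, e.g. `# Keep load_object out of prepend_before_action: it must run after verify_authenticity_token.` The remaining `prepend_before_action :authorize_actions, only: :new` deserves the same check if `new` ever handles a state-changing request. `update` continues past the end of the second hunk.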
@@ -1,6 +1,6 @@
1
1
  module Spree
2
2
  module Auth
3
- VERSION = '4.4.0'.freeze
3
+ VERSION = '4.4.1'.freeze
4
4
 
5
5
  def gem_version
6
6
  Gem::Version.new(VERSION)
@@ -0,0 +1,42 @@
1
+ # frozen_string_literal: true
2
+
3
+ RSpec.feature 'User update', type: :request do
4
+ context 'CSRF protection' do
5
+ %i[exception reset_session null_session].each do |strategy|
6
+ # Completely clean the configuration of forgery protection for the
7
+ # controller and reset it after the expectations. However, besides `:with`,
8
+ # the options given to `protect_from_forgery` are processed on the fly.
9
+ # I.e., there's no way to retain them. The initial setup corresponds to the
10
+ # dummy application, which uses the default Rails skeleton in that regard.
11
+ # So, if at some point Rails changed the given options, we should update it
12
+ # here.
13
+ around do |example|
14
+ controller = Spree::UsersController
15
+ old_allow_forgery_protection_value = controller.allow_forgery_protection
16
+ old_forgery_protection_strategy = controller.forgery_protection_strategy
17
+ controller.skip_forgery_protection
18
+ controller.allow_forgery_protection = true
19
+ controller.protect_from_forgery with: strategy
20
+
21
+ example.run
22
+
23
+ controller.allow_forgery_protection = old_allow_forgery_protection_value
24
+ controller.forgery_protection_strategy = old_forgery_protection_strategy
25
+ end
26
+
27
+ it "is not possible to take account over with the #{strategy} forgery protection strategy" do
28
+ user = create(:user, email: 'legit@mail.com', password: 'password')
29
+
30
+ post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
31
+ begin
32
+ put '/users/123456', params: 'user[email]=hacked@example.com'
33
+ rescue
34
+ # testing that the account is not compromised regardless of any raised
35
+ # exception
36
+ end
37
+
38
+ expect(user.reload.email).to eq('legit@mail.com')
39
+ end
40
+ end
41
+ end
42
+ end
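Review bot: The example in the `it` block can pass without exercising the protection, because the result of `post '/login'` is never checked and the bare `rescue` around the `put` swallows every StandardError. If sign-in fails or the request raises for an unrelated reason, the email is still `legit@mail.com` and the spec is green whether or not the controller is protected. I would assert on the login response before the `put` and narrow the handler to what the `:exception` strategy raises, `rescue ActionController::InvalidAuthenticityToken`. A companion example that sends the same update with a valid token and expects the email to change would show that the request shape can succeed at all.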
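--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: spree_auth_devise
  version: !ruby/object:Gem::Version
- version: 4.4.0
+ version: 4.4.1
  platform: ruby
  authors:
  - Sean Schofield
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-09-14 00:00:00.000000000 Z
+ date: 2021-11-17 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: devise
@@ -201,6 +201,7 @@ files:
  - spec/models/user_spec.rb
  - spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb
  - spec/requests/spree/api/v2/storefront/account_spec.rb
+ - spec/requests/spree/frontend/user_update_spec.rb
  - spec/spec_helper.rb
  - spec/support/ability.rb
  - spec/support/configuration_helpers.rb
@@ -212,9 +213,9 @@ licenses:
  - BSD-3-Clause
  metadata:
  bug_tracker_uri: https://github.com/spree/spree_auth_devise/issues
- changelog_uri: https://github.com/spree/spree_auth_devise/releases/tag/v4.4.0
+ changelog_uri: https://github.com/spree/spree_auth_devise/releases/tag/v4.4.1
  documentation_uri: https://guides.spreecommerce.org/
- source_code_uri: https://github.com/spree/spree_auth_devise/tree/v4.4.0
+ source_code_uri: https://github.com/spree/spree_auth_devise/tree/v4.4.1
  post_install_message:
  rdoc_options: []
  require_paths:
@@ -267,6 +268,7 @@ test_files:
  - spec/models/user_spec.rb
  - spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb
  - spec/requests/spree/api/v2/storefront/account_spec.rb
+ - spec/requests/spree/frontend/user_update_spec.rb
  - spec/spec_helper.rb
  - spec/support/ability.rb
  - spec/support/configuration_helpers.rb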