spree_auth_devise 4.4.0 → 4.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dce7d97d09c213c428ce6ce21c81a2156cfa2dfd0e7373effda3980a6e4730dc
-  data.tar.gz: c5ab728a3019fe0117c9c6b0fb62d962092cb019ff81e861258daa0c26927537
+  metadata.gz: 565373eb7dea3f9d8862356201ff23400aae3c29f5b77114d223de0f146f4dda
+  data.tar.gz: '05666786abb74456941e152e4217e10e9bd26ac8f10655a069ad499c39410352'
 SHA512:
-  metadata.gz: bce33276ffcce416fb378d8c9e3fdae88efeec6166520e97304b8520263a667f2714d46ff724eacf004c34defbb876517979482824bd18e2ef2667c3b56f83b9
-  data.tar.gz: fd9b8eb25d08f6e98939d66a0a9b432452404a5d1ebf21572552ec611bfd11241cde424a910a02373f935cd8cdabd2259783f3c63019209fde2b0daafaafce21
+  metadata.gz: 89bfa5e3bbf864449b1937682af334f85201f484f23360d5dc40834a9a0d31999c06380531eb883f547dfe34e1df8072fb45c4707918d3eeeefc972649af8438
+  data.tar.gz: 39c55713494bd990c1cb8a7ff5f978227e8e62136564ae76c7f840b3028dcf30d86b8f6f2e94d52397aab7a66c2b0dc96804c4e3cd0b65454b9cd89a64c7a129

data/Gemfile

@@ -1,10 +1,10 @@
 source 'https://rubygems.org'
 
 gem 'rails-controller-testing'
-gem 'spree', github: 'spree/spree', branch: 'main'
-gem 'spree_backend', github: 'spree/spree', branch: 'main'
-gem 'spree_frontend', github: 'spree/spree', branch: 'main'
-gem 'spree_emails', github: 'spree/spree', branch: 'main'
+gem 'spree', '~> 4.3.0'
+gem 'spree_backend', '~> 4.3.0'
+gem 'spree_frontend', '~> 4.3.0'
+gem 'spree_emails', '~> 4.3.0'
 
 gem 'pry', '~> 0.14.1'
 gemspec

data/lib/controllers/frontend/spree/users_controller.rb

@@ -1,14 +1,18 @@
 class Spree::UsersController < Spree::StoreController
   before_action :set_current_order, except: :show
-  prepend_before_action :load_object, only: [:show, :edit, :update]
   prepend_before_action :authorize_actions, only: :new
 
   include Spree::Core::ControllerHelpers
 
   def show
+    load_object
     @orders = @user.orders.for_store(current_store).complete.order('completed_at desc')
   end
 
+  def edit
+    load_object
+  end
+
   def create
     @user = Spree.user_class.new(user_params)
     if @user.save
@@ -24,6 +28,7 @@ class Spree::UsersController < Spree::StoreController
   end
 
   def update
+    load_object
     if @user.update(user_params)
       if params[:user][:password].present?
         # this logic needed b/c devise wants to log us out after password changes

data/lib/spree/auth/version.rb

@@ -1,6 +1,6 @@
 module Spree
   module Auth
-    VERSION = '4.4.0'.freeze
+    VERSION = '4.4.1'.freeze
 
     def gem_version
       Gem::Version.new(VERSION)

data/spec/requests/spree/frontend/user_update_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+RSpec.feature 'User update', type: :request do
+  context 'CSRF protection' do
+    %i[exception reset_session null_session].each do |strategy|
+      # Completely clean the configuration of forgery protection for the
+      # controller and reset it after the expectations. However, besides `:with`,
+      # the options given to `protect_from_forgery` are processed on the fly.
+      # I.e., there's no way to retain them. The initial setup corresponds to the
+      # dummy application, which uses the default Rails skeleton in that regard.
+      # So, if at some point Rails changed the given options, we should update it
+      # here.
+      around do |example|
+        controller = Spree::UsersController
+        old_allow_forgery_protection_value = controller.allow_forgery_protection
+        old_forgery_protection_strategy = controller.forgery_protection_strategy
+        controller.skip_forgery_protection
+        controller.allow_forgery_protection = true
+        controller.protect_from_forgery with: strategy
+
+        example.run
+
+        controller.allow_forgery_protection = old_allow_forgery_protection_value
+        controller.forgery_protection_strategy = old_forgery_protection_strategy
+      end
+
+      it "is not possible to take account over with the #{strategy} forgery protection strategy" do
+        user = create(:user, email: 'legit@mail.com', password: 'password')
+
+        post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
+        begin
+          put '/users/123456', params: 'user[email]=hacked@example.com'
+        rescue
+          # testing that the account is not compromised regardless of any raised
+          # exception
+        end
+
+        expect(user.reload.email).to eq('legit@mail.com')
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_auth_devise
 version: !ruby/object:Gem::Version
-  version: 4.4.0
+  version: 4.4.1
 platform: ruby
 authors:
 - Sean Schofield
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-14 00:00:00.000000000 Z
+date: 2021-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -201,6 +201,7 @@ files:
 - spec/models/user_spec.rb
 - spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb
 - spec/requests/spree/api/v2/storefront/account_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/configuration_helpers.rb
@@ -212,9 +213,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree_auth_devise/issues
-  changelog_uri: https://github.com/spree/spree_auth_devise/releases/tag/v4.4.0
+  changelog_uri: https://github.com/spree/spree_auth_devise/releases/tag/v4.4.1
   documentation_uri: https://guides.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree_auth_devise/tree/v4.4.0
+  source_code_uri: https://github.com/spree/spree_auth_devise/tree/v4.4.1
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -267,6 +268,7 @@ test_files:
 - spec/models/user_spec.rb
 - spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb
 - spec/requests/spree/api/v2/storefront/account_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/configuration_helpers.rb