spree_auth_devise 4.4.0 → 4.4.1

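--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: dce7d97d09c213c428ce6ce21c81a2156cfa2dfd0e7373effda3980a6e4730dc
- data.tar.gz: c5ab728a3019fe0117c9c6b0fb62d962092cb019ff81e861258daa0c26927537
+ metadata.gz: 565373eb7dea3f9d8862356201ff23400aae3c29f5b77114d223de0f146f4dda
+ data.tar.gz: '05666786abb74456941e152e4217e10e9bd26ac8f10655a069ad499c39410352'
  SHA512:
- metadata.gz: bce33276ffcce416fb378d8c9e3fdae88efeec6166520e97304b8520263a667f2714d46ff724eacf004c34defbb876517979482824bd18e2ef2667c3b56f83b9
- data.tar.gz: fd9b8eb25d08f6e98939d66a0a9b432452404a5d1ebf21572552ec611bfd11241cde424a910a02373f935cd8cdabd2259783f3c63019209fde2b0daafaafce21
+ metadata.gz: 89bfa5e3bbf864449b1937682af334f85201f484f23360d5dc40834a9a0d31999c06380531eb883f547dfe34e1df8072fb45c4707918d3eeeefc972649af8438
+ data.tar.gz: 39c55713494bd990c1cb8a7ff5f978227e8e62136564ae76c7f840b3028dcf30d86b8f6f2e94d52397aab7a66c2b0dc96804c4e3cd0b65454b9cd89a64c7a129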
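--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,10 +1,10 @@
  source 'https://rubygems.org'
 
  gem 'rails-controller-testing'
- gem 'spree', github: 'spree/spree', branch: 'main'
- gem 'spree_backend', github: 'spree/spree', branch: 'main'
- gem 'spree_frontend', github: 'spree/spree', branch: 'main'
- gem 'spree_emails', github: 'spree/spree', branch: 'main'
+ gem 'spree', '~> 4.3.0'
+ gem 'spree_backend', '~> 4.3.0'
+ gem 'spree_frontend', '~> 4.3.0'
+ gem 'spree_emails', '~> 4.3.0'
 
  gem 'pry', '~> 0.14.1'
  gemspec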
@@ -1,14 +1,18 @@
1
1
  class Spree::UsersController < Spree::StoreController
2
2
  before_action :set_current_order, except: :show
3
- prepend_before_action :load_object, only: [:show, :edit, :update]
4
3
  prepend_before_action :authorize_actions, only: :new
5
4
 
6
5
  include Spree::Core::ControllerHelpers
7
6
 
8
7
  def show
8
+ load_object
9
9
  @orders = @user.orders.for_store(current_store).complete.order('completed_at desc')
10
10
  end
11
11
 
12
+ def edit
13
+ load_object
14
+ end
15
+
12
16
  def create
13
17
  @user = Spree.user_class.new(user_params)
14
18
  if @user.save
@@ -24,6 +28,7 @@ class Spree::UsersController < Spree::StoreController
24
28
  end
25
29
 
26
30
  def update
31
+ load_object
27
32
  if @user.update(user_params)
28
33
  if params[:user][:password].present?
29
34
  # this logic needed b/c devise wants to log us out after password changes
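Review bot: The inline `load_object` calls added to `show`, `edit` and `update` carry no comment explaining why they replace the removed `prepend_before_action :load_object` callback, so a later cleanup could fold them back into a prepended filter. Judging by the CSRF spec added in this release, the intent appears to be that the user is loaded only after the forgery-protection callback has run; I would state that above the first call, e.g. `# Call load_object inside the action so it runs after verify_authenticity_token; do not move it back to a prepended callback.` The remaining `prepend_before_action :authorize_actions, only: :new` is still prepended and deserves a second look for the same ordering question. `load_object` itself and the rest of `update` lie outside the visible hunks, so the ordering effect is inferred rather than shown.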
@@ -1,6 +1,6 @@
1
1
  module Spree
2
2
  module Auth
3
- VERSION = '4.4.0'.freeze
3
+ VERSION = '4.4.1'.freeze
4
4
 
5
5
  def gem_version
6
6
  Gem::Version.new(VERSION)
@@ -0,0 +1,42 @@
1
+ # frozen_string_literal: true
2
+
3
+ RSpec.feature 'User update', type: :request do
4
+ context 'CSRF protection' do
5
+ %i[exception reset_session null_session].each do |strategy|
6
+ # Completely clean the configuration of forgery protection for the
7
+ # controller and reset it after the expectations. However, besides `:with`,
8
+ # the options given to `protect_from_forgery` are processed on the fly.
9
+ # I.e., there's no way to retain them. The initial setup corresponds to the
10
+ # dummy application, which uses the default Rails skeleton in that regard.
11
+ # So, if at some point Rails changed the given options, we should update it
12
+ # here.
13
+ around do |example|
14
+ controller = Spree::UsersController
15
+ old_allow_forgery_protection_value = controller.allow_forgery_protection
16
+ old_forgery_protection_strategy = controller.forgery_protection_strategy
17
+ controller.skip_forgery_protection
18
+ controller.allow_forgery_protection = true
19
+ controller.protect_from_forgery with: strategy
20
+
21
+ example.run
22
+
23
+ controller.allow_forgery_protection = old_allow_forgery_protection_value
24
+ controller.forgery_protection_strategy = old_forgery_protection_strategy
25
+ end
26
+
27
+ it "is not possible to take account over with the #{strategy} forgery protection strategy" do
28
+ user = create(:user, email: 'legit@mail.com', password: 'password')
29
+
30
+ post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
31
+ begin
32
+ put '/users/123456', params: 'user[email]=hacked@example.com'
33
+ rescue
34
+ # testing that the account is not compromised regardless of any raised
35
+ # exception
36
+ end
37
+
38
+ expect(user.reload.email).to eq('legit@mail.com')
39
+ end
40
+ end
41
+ end
42
+ end
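Review bot: The example can pass without exercising the protected path: the result of `post '/login'` is never asserted, and the bare `rescue` around the `put` swallows every StandardError, so a failed sign-in or an unrelated error leaves the e-mail unchanged and the final expectation still holds. Assert that the login took effect before issuing the `put` (for instance by checking the response of the login request), and narrow the handler to the error the `:exception` strategy is expected to raise, `rescue ActionController::InvalidAuthenticityToken`, provided no other exception is expected there. The restore lines in the `around` block would also be safer under an `ensure`, so the controller's forgery settings are put back even if `example.run` is interrupted.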
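--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: spree_auth_devise
  version: !ruby/object:Gem::Version
- version: 4.4.0
+ version: 4.4.1
  platform: ruby
  authors:
  - Sean Schofield
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-09-14 00:00:00.000000000 Z
+ date: 2021-11-17 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: devise
@@ -201,6 +201,7 @@ files:
  - spec/models/user_spec.rb
  - spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb
  - spec/requests/spree/api/v2/storefront/account_spec.rb
+ - spec/requests/spree/frontend/user_update_spec.rb
  - spec/spec_helper.rb
  - spec/support/ability.rb
  - spec/support/configuration_helpers.rb
@@ -212,9 +213,9 @@ licenses:
  - BSD-3-Clause
  metadata:
  bug_tracker_uri: https://github.com/spree/spree_auth_devise/issues
- changelog_uri: https://github.com/spree/spree_auth_devise/releases/tag/v4.4.0
+ changelog_uri: https://github.com/spree/spree_auth_devise/releases/tag/v4.4.1
  documentation_uri: https://guides.spreecommerce.org/
- source_code_uri: https://github.com/spree/spree_auth_devise/tree/v4.4.0
+ source_code_uri: https://github.com/spree/spree_auth_devise/tree/v4.4.1
  post_install_message:
  rdoc_options: []
  require_paths:
@@ -267,6 +268,7 @@ test_files:
  - spec/models/user_spec.rb
  - spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb
  - spec/requests/spree/api/v2/storefront/account_spec.rb
+ - spec/requests/spree/frontend/user_update_spec.rb
  - spec/spec_helper.rb
  - spec/support/ability.rb
  - spec/support/configuration_helpers.rb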