RubyGems - spree_core - Versions diffs - 4.0.0 → 4.6.0 - Mend

spree_core 4.0.0 → 4.6.0

Files changed (764) hide show

data/app/sorters/spree/base_sorter.rb ADDED Viewed

@@ -0,0 +1,47 @@
+module Spree
+  class BaseSorter
+    def initialize(scope, params = {}, allowed_sort_attributes = [])
+      @scope = scope
+      @allowed_sort_attributes = allowed_sort_attributes
+      @sort = sort_fields(params[:sort])
+    end
+    def call
+      by_param_attributes(scope)
+    end
+    protected
+    attr_reader :scope, :collection, :sort, :allowed_sort_attributes
+    def by_param_attributes(scope)
+      return scope if sort.empty?
+      sort.each do |value, order|
+        next if value.blank? || allowed_sort_attributes.exclude?(value.to_sym)
+        scope = scope.order("#{value}": order)
+      end
+      scope
+    end
+    def sort_fields(sort)
+      return [] if sort.nil?
+      sort.split(',').map { |field| [sort_field(field), order_direction(field)] }
+    end
+    def desc_order(field)
+      String(field)[0] == '-'
+    end
+    def sort_field(field)
+      desc_order(field) ? field[1..-1] : field
+    end
+    def order_direction(field)
+      desc_order(field) ? :desc : :asc
+    end
+  end
+end

data/app/sorters/spree/orders/sort.rb CHANGED Viewed

@@ -1,42 +1,6 @@
 module Spree
   module Orders
-    class Sort
-      attr_reader :scope, :sort
-      def initialize(scope, params)
-        @scope = scope
-        @sort = params[:sort]
-      end
-      def call
-        orders = completed_at(scope)
-        orders
-      end
-      private
-      def desc_order
-        @desc_order ||= String(sort)[0] == '-'
-      end
-      def sort_field
-        @sort_field ||= desc_order ? sort[1..-1] : sort
-      end
-      def order_direction
-        desc_order ? :asc : :desc
-      end
-      def completed_at?
-        sort_field.eql?('completed_at')
-      end
-      def completed_at(orders)
-        return orders unless completed_at?
-        orders.order(completed_at: order_direction)
-      end
+    class Sort < ::Spree::BaseSorter
     end
   end
 end

data/app/sorters/spree/products/sort.rb CHANGED Viewed

@@ -1,57 +1,73 @@
 module Spree
   module Products
-    class Sort
-      def initialize(scope, params, current_currency)
-        @scope    = scope
-        @sort     = params[:sort]
+    class Sort < ::Spree::BaseSorter
+      def initialize(scope, current_currency, params = {}, allowed_sort_attributes = [])
+        super(scope, params, allowed_sort_attributes)
         @currency = params[:currency] || current_currency
       end
       def call
-        products = updated_at(scope)
-        products = price(products)
+        products = by_param_attributes(scope)
+        products = by_price(products)
+        products = by_sku(products)
-        products
+        products = select_translatable_fields(products)
+        products.distinct
       end
       private
-      attr_reader :sort, :scope, :currency
+      attr_reader :sort, :scope, :currency, :allowed_sort_attributes
-      def desc_order
-        @desc_order ||= String(sort)[0] == '-'
-      end
+      def by_price(scope)
+        return scope unless (value = sort_by?('price'))
-      def sort_field
-        @sort_field ||= desc_order ? sort[1..-1] : sort
+        scope.joins(master: :prices).
+          select("#{Spree::Product.table_name}.*, #{Spree::Price.table_name}.amount").
+          distinct.
+          where(spree_prices: { currency: currency }).
+          order("#{Spree::Price.table_name}.amount #{value[1]}")
       end
-      def updated_at?
-        sort_field == 'updated_at'
-      end
+      def by_sku(scope)
+        return scope unless (value = sort_by?('sku'))
-      def price?
-        sort_field == 'price'
+        select_product_attributes = if scope.to_sql.include?("#{Spree::Product.table_name}.*")
+                                      ''
+                                    else
+                                      "#{Spree::Product.table_name}.*, "
+                                    end
+        scope.joins(:master).
+          select("#{select_product_attributes}#{Spree::Variant.table_name}.sku").
+          where(Spree::Variant.table_name.to_s => { is_master: true }).
+          order("#{Spree::Variant.table_name}.sku #{value[1]}")
       end
-      def order_direction
-        desc_order ? :desc : :asc
+      def sort_by?(field)
+        sort.detect { |s| s[0] == field }
       end
-      def updated_at(products)
-        return products unless updated_at?
+      # Add translatable fields to SELECT statement to avoid InvalidColumnReference error (workaround for Mobility issue #596)
+      def select_translatable_fields(scope)
+        translatable_fields = translatable_sortable_fields
+        return scope if translatable_fields.empty?
-        products.order(updated_at: order_direction)
+        # if sorting by 'sku' or 'price', spree_products.* is already included in SELECT statement
+        if sort_by?('sku') || sort_by?('price')
+          scope.i18n.select(*translatable_fields)
+        else
+          scope.i18n.select("#{Product.table_name}.*").select(*translatable_fields)
+        end
       end
-      def price(products)
-        return products unless price?
-        products.joins(master: :prices).
-          select("#{Spree::Product.table_name}.*, #{Spree::Price.table_name}.amount").
-          distinct.
-          where(spree_prices: { currency: currency }).
-          order("#{Spree::Price.table_name}.amount #{order_direction}")
+      def translatable_sortable_fields
+        fields = []
+        Product.translatable_fields.each do |field|
+          fields << field if sort_by?(field.to_s)
+        end
+        fields
       end
     end
   end

data/app/validators/db_maximum_length_validator.rb CHANGED Viewed

@@ -2,6 +2,11 @@
 # Validates a field based on the maximum length of the underlying DB field, if there is one.
 class DbMaximumLengthValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
+    ActiveSupport::Deprecation.warn(<<-DEPRECATION, caller)
+      `DbMaximumLengthValidator` is deprecated and will be removed in Spree 5.0.
+      Please remove any `db_maximum_length: true` validations from your codebase
+    DEPRECATION
     limit = if defined?(Globalize)
               record.class.translation_class.columns_hash[attribute.to_s].limit
             else

data/app/validators/email_validator.rb CHANGED Viewed

@@ -1,7 +1,9 @@
 class EmailValidator < ActiveModel::EachValidator
+  EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-]+(\.[a-z\d\-]+)*\.[a-z]+\z/i
   def validate_each(record, attribute, value)
-    unless value =~ /\A[^@\s]+@[^@\s]+\z/
-      record.errors.add(attribute, :invalid, { value: value }.merge!(options))
+    unless value =~ EMAIL_REGEX
+      record.errors.add(attribute, :invalid, **{ value: value }.merge!(options))
     end
   end
 end

data/app/validators/spree/url_validator.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module Spree
+  class UrlValidator < ActiveModel::EachValidator
+    def validate_each(record, attribute, value)
+      unless url_valid?(value)
+        record.errors.add(attribute, (options[:message] || ERROR_MESSAGE))
+      end
+    end
+    private
+    ERROR_MESSAGE = 'must be a valid URL'
+    private_constant :ERROR_MESSAGE
+    def url_valid?(url)
+      uri = begin
+        URI.parse(url)
+      rescue URI::InvalidURIError
+        return false
+      end
+      uri.host.present? && uri.is_a?(URI::HTTP)
+    end
+  end
+end

data/brakeman.ignore ADDED Viewed

@@ -0,0 +1,328 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "011b2643940ba1112f7a737e403abe3616ad91764703c801cc35a48d36b721da",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 64,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "where(\"#{price_table_name}.amount <= ?\", price)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree",
+        "method": null
+      },
+      "user_input": "price_table_name",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": "interpolating table name"
+    },
+    {
+      "warning_type": "Redirect",
+      "warning_code": 18,
+      "fingerprint": "05d3870f66d650510c859a8949d5686b05eb028825083b096d0f65fedf80b118",
+      "check_name": "Redirect",
+      "message": "Possible unprotected redirect",
+      "file": "lib/spree/core/controller_helpers/auth.rb",
+      "line": 25,
+      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
+      "code": "redirect_to((session[\"spree_user_return_to\"] or (request.env[\"HTTP_REFERER\"] or default)))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::Core::ControllerHelpers::Auth",
+        "method": "redirect_back_or_default"
+      },
+      "user_input": "request.env[\"HTTP_REFERER\"]",
+      "confidence": "High",
+      "cwe_id": [
+        601
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "1c12fcb833b0ddffa07880acb7e604922c0d1d52de598316186241baf16551cd",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/finders/spree/taxons/find.rb",
+      "line": 75,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "taxons.joins(\"INNER JOIN #{Spree::Taxon.table_name} AS parent_taxon ON parent_taxon.id = #{Spree::Taxon.table_name}.parent_id\").join_translation_table(Taxon, \"parent_taxon\").where([\"#{Taxon.translation_table_alias}.permalink = ?\", parent_permalink])",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::Taxons::Find",
+        "method": "by_parent_permalink"
+      },
+      "user_input": "Taxon.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "1f02952550c2f54d044c9577a45e7ba7c7990c8b8a59d1dac83a96790237f507",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 139,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "joins(:properties).join_translation_table(Property).join_translation_table(ProductProperty).where(\"#{ProductProperty.translation_table_alias}.value = ?\", value)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::ProductScopes",
+        "method": null
+      },
+      "user_input": "ProductProperty.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "7928c0813a0bf084ead091b4554ef6abea9ae9c7167936f5c62da9e328b9f736",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 139,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "joins(:properties).join_translation_table(Property).join_translation_table(ProductProperty).where(\"#{ProductProperty.translation_table_alias}.value = ?\", value)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree",
+        "method": null
+      },
+      "user_input": "ProductProperty.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "857c335935a00f584137f31dbcb1a4532af5c8bb5cf53a86058b4af98c6597dc",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "lib/spree/translation_migrations.rb",
+      "line": 21,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "ActiveRecord::Base.connection.execute(\"\\n          UPDATE #{resource_class.table_name}\\n          SET #{resource_class.translatable_fields.map do\n \"#{f}=null\"\n end.join(\", \")};\\n                                              \")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::TranslationMigrations",
+        "method": "transfer_translation_data"
+      },
+      "user_input": "resource_class.translatable_fields.map do\n \"#{f}=null\"\n end.join(\", \")",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "965d3919f811ab63b7b8d62da528559a7f38dc122c57efea7136e7ec5ef1f062",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 68,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "where(\"#{price_table_name}.amount >= ?\", price)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::ProductScopes",
+        "method": null
+      },
+      "user_input": "price_table_name",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": "interpolating table name"
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "98607ecfb86c2d3c2567390f813861edbc42d6ffa9f482afb7c0b3464eaf6e73",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/translatable_resource_scopes.rb",
+      "line": 18,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "joins(\"LEFT OUTER JOIN #{translatable_class::Translation.table_name} #{translatable_class.translation_table_alias}\\n             ON #{translatable_class.translation_table_alias}.#{\"#{translatable_class.table_name.singularize}_id\"} = #{(translatable_class.table_name or join_on_table_alias)}.id\\n             AND #{translatable_class.translation_table_alias}.locale = '#{Mobility.locale}'\")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::TranslatableResourceScopes",
+        "method": "join_translation_table"
+      },
+      "user_input": "translatable_class.translation_table_alias",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "abd8e90e7a7dfbcdcd6d44fd3fb550598aee6d7a9ef2bb132ad1a18a3c50be30",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 64,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "where(\"#{price_table_name}.amount <= ?\", price)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::ProductScopes",
+        "method": null
+      },
+      "user_input": "price_table_name",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": "interpolating table name"
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "c1c97347a2d74ea41d46519e3bfbd94c511a1bd9c285f3f2a1fa0cb7e624d232",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "lib/spree/translation_migrations.rb",
+      "line": 32,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "ActiveRecord::Base.connection.execute(\"\\n          UPDATE #{resource_class.table_name}\\n          SET (#{resource_class.translatable_fields.join(\", \")}) = #{(\"ROW\" or \"\")}(#{resource_class.translatable_fields.map do\n \"#{resource_class::Translation.table_name}.#{f}\"\n end.join(\", \")})\\n          FROM #{resource_class::Translation.table_name}\\n          WHERE #{resource_class::Translation.table_name}.#{\"#{resource_class.table_name.singularize}_id\"} = #{resource_class.table_name}.id\\n                                            \")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::TranslationMigrations",
+        "method": "revert_translation_data_transfer"
+      },
+      "user_input": "resource_class.translatable_fields.join(\", \")",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "c2bc48d98076b7c4fc3314c6a85f7bd1132efe5fcc346da4d28df7c25f93633f",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/spree/variant.rb",
+      "line": 126,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "joins(:product).join_translation_table(Product).where(\"LOWER(#{Product.translation_table_alias}.name) LIKE LOWER(:query)\\n               OR LOWER(sku) LIKE LOWER(:query)\", :query => (\"%#{query}%\"))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::Variant",
+        "method": "Spree::Variant.product_name_or_sku_cont"
+      },
+      "user_input": "Product.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "ed253ae6b1b4ea3fe3d87d3652380fecab80133319b1ed041d98d163fd16b815",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/finders/spree/taxons/find.rb",
+      "line": 71,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "taxons.joins(:parent).join_translation_table(Taxon, \"parents_spree_taxons\").where([\"#{Taxon.translation_table_alias}.permalink = ?\", parent_permalink])",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::Taxons::Find",
+        "method": "by_parent_permalink"
+      },
+      "user_input": "Taxon.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "efcc57e1a5648d7db59d1beaf5e399d2278539a8667b19c520b305a6ca7e15e8",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 68,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "where(\"#{price_table_name}.amount >= ?\", price)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree",
+        "method": null
+      },
+      "user_input": "price_table_name",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": "interpolating table name"
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "f14dd62fac0dd1e9d5532dd5efc770e2eb873a8db80faf366b6295378634754a",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "lib/spree/translation_migrations.rb",
+      "line": 16,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "ActiveRecord::Base.connection.execute(\"\\n          INSERT INTO #{resource_class::Translation.table_name} (#{resource_class.translatable_fields.join(\", \")}, #{\"#{resource_class.table_name.singularize}_id\"}, locale, created_at, updated_at)\\n          SELECT #{resource_class.translatable_fields.join(\", \")}, id, '#{default_locale}' as locale, created_at, updated_at FROM #{resource_class.table_name};\\n                                              \")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::TranslationMigrations",
+        "method": "transfer_translation_data"
+      },
+      "user_input": "resource_class.translatable_fields.join(\", \")",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    }
+  ],
+  "updated": "2023-03-22 20:11:32 +0100",
+  "brakeman_version": "5.4.1"
+}

data/config/initializers/active_storage.rb CHANGED Viewed

@@ -1,5 +1 @@
-class ActiveStorage::PurgeJob < ActiveStorage::BaseJob
-  def perform(blob)
-    blob.purge unless blob.attachments.present?
-  end
-end
+Rails.application.config.active_storage.content_types_to_serve_as_binary.delete('image/svg+xml')

data/config/initializers/friendly_id.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require 'friendly_id/mobility'
 # To learn more, check out the guide:
 # http://norman.github.io/friendly_id/file.Guide.html
 FriendlyId.defaults do |config|

data/config/initializers/inflections.rb ADDED Viewed

@@ -0,0 +1,3 @@
+ActiveSupport::Inflector.inflections(:en) do |inflect|
+  inflect.acronym 'RMA'
+end

data/config/initializers/mobility.rb ADDED Viewed

@@ -0,0 +1,18 @@
+Mobility.configure do |config|
+  config.plugins do
+    ransack
+    backend :table
+    active_record
+    reader
+    writer
+    backend_reader
+    query
+    cache
+    fallbacks
+    locale_accessors
+    presence
+    dirty
+  end
+  config.defaults[:fallbacks] = true
+end

data/config/initializers/rails61_fixes.rb ADDED Viewed

@@ -0,0 +1,3 @@
+if Rails::VERSION::STRING >= '6.1'
+  ActiveRecord::Base.has_many_inversing = false
+end