spree_core 4.4.0 → 4.6.0

data/app/services/spree/data_feeds/google/required_attributes.rb

@@ -0,0 +1,67 @@
+module Spree
+  module DataFeeds
+    module Google
+      class RequiredAttributes
+        prepend Spree::ServiceModule::Base
+
+        def call(input)
+          information = {}
+
+          return failure(nil, error: 'No image link') if get_image_link(input[:variant], input[:product]).nil?
+
+          information['id'] = input[:variant].id
+          information['title'] = format_title(input[:product], input[:variant])
+          information['description'] = get_description(input[:product], input[:variant])
+          information['link'] = "#{input[:store].url}/#{input[:product].slug}"
+          information['image_link'] = get_image_link(input[:variant], input[:product])
+          information['price'] = format_price(input[:variant])
+          information['availability'] = get_availability(input[:product])
+          information['availability_date'] = input[:product].available_on&.xmlschema unless input[:product].available_on.nil?
+
+          success(information: information)
+        end
+
+        private
+
+        def format_title(product, variant)
+          # Title of a variant is created by joining title of a product and variant's option_values, as they are
+          # what differentiates it from other variants.
+          title = product.name
+          variant.option_values.find_each do |option_value|
+            title << " - #{option_value.name}"
+          end
+          title
+        end
+
+        def get_description(product, variant)
+          return product.description unless product.description.nil?
+
+          format_title(product, variant)
+        end
+
+        def get_image_link(variant, product)
+          # try getting image from variant
+          img = variant.images.first&.plp_url
+
+          # if no image specified for variant try getting product image
+          if img.nil?
+            img = product.images.first&.plp_url
+          end
+
+          img
+        end
+
+        def format_price(variant)
+          "#{variant.price} #{variant.cost_currency}"
+        end
+
+        def get_availability(product)
+          return 'in stock' if product.available? && product.available_on&.past?
+          return 'backorder' if product.backorderable? && product.backordered? && product.available_on&.future?
+
+          'out of stock'
+        end
+      end
+    end
+  end
+end

data/app/services/spree/data_feeds/google/rss.rb

@@ -0,0 +1,107 @@
+require 'nokogiri'
+
+module Spree
+  module DataFeeds
+    module Google
+      class Rss
+        prepend Spree::ServiceModule::Base
+
+        def call(settings)
+          @settings = settings
+
+          return failure(store, error: "Store with id: #{settings.store_id} does not exist.") if store.nil?
+
+          builder = Nokogiri::XML::Builder.new do |xml|
+            xml.rss('xmlns:g' => 'http://base.google.com/ns/1.0', 'version' => '2.0') do
+              xml.channel do
+                add_store_information_to_xml(xml)
+                result = products_list.call(store)
+                if result.success?
+                  result.value[:products].find_each do |product|
+                    product.variants.active.find_each do |variant|
+                      add_variant_information_to_xml(xml, product, variant)
+                    end
+                  end
+                end
+              end
+            end
+          end
+
+          success(file: builder.to_xml)
+        end
+
+        private
+
+        def store
+          return @store if defined? @store
+
+          @store ||= Spree::Store.find_by(id: @settings.store_id)
+        end
+
+        def add_store_information_to_xml(xml)
+          xml.title store.name
+          xml.link store.url
+          xml.description store.meta_description
+        end
+
+        def add_variant_information_to_xml(xml, product, variant)
+          input = { product: product, variant: variant, settings: @settings, store: store }
+          result = required_attributes.call(input)
+
+          if result.success
+            xml.item do
+              result.value[:information]&.each do |key, value|
+                xml['g'].send(key, value)
+              end
+
+              add_optional_information(xml, product, variant)
+              add_optional_sub_attributes(xml, product, variant)
+            end
+          end
+        end
+
+        def add_optional_information(xml, product, variant)
+          input = { product: product, variant: variant, settings: @settings, store: store }
+          result = optional_attributes.call(input)
+          if result.success?
+            information = result.value[:information]
+            information.each do |key, value|
+              xml['g'].send(key, value)
+            end
+          end
+        end
+
+        def add_optional_sub_attributes(xml, product, variant)
+          input = { product: product, variant: variant, settings: @settings, store: store }
+          result = optional_sub_attributes.call(input)
+          if result.success?
+            information = result.value[:information]
+            information.each do |key, value|
+              xml['g'].send(key) do
+                value.each do |subkey, subvalue|
+                  xml['g'].send(subkey, subvalue)
+                end
+              end
+            end
+          end
+        end
+
+        def optional_attributes
+          Spree::Dependencies.data_feeds_google_optional_attributes_service.constantize.new
+        end
+
+        def required_attributes
+          Spree::Dependencies.data_feeds_google_required_attributes_service.constantize.new
+        end
+
+        def optional_sub_attributes
+          Spree::Dependencies.data_feeds_google_optional_sub_attributes_service.constantize.new
+        end
+
+        def products_list
+          Spree::Dependencies.data_feeds_google_products_list.constantize.new
+        end
+      end
+    end
+  end
+end

data/app/services/spree/variants/remove_line_items.rb

@@ -0,0 +1,15 @@
+module Spree
+  module Variants
+    class RemoveLineItems
+      prepend Spree::ServiceModule::Base
+
+      def call(variant:)
+        variant.line_items.joins(:order).where.not(spree_orders: { state: 'complete' }).find_each do |line_item|
+          Spree::Variants::RemoveLineItemJob.perform_later(line_item: line_item)
+        end
+
+        success(true)
+      end
+    end
+  end
+end

data/app/sorters/spree/products/sort.rb

@@ -11,6 +11,8 @@ module Spree
         products = by_price(products)
         products = by_sku(products)
 
+        products = select_translatable_fields(products)
+
         products.distinct
       end
 
@@ -46,6 +48,27 @@ module Spree
       def sort_by?(field)
         sort.detect { |s| s[0] == field }
       end
+
+      # Add translatable fields to SELECT statement to avoid InvalidColumnReference error (workaround for Mobility issue #596)
+      def select_translatable_fields(scope)
+        translatable_fields = translatable_sortable_fields
+        return scope if translatable_fields.empty?
+
+        # if sorting by 'sku' or 'price', spree_products.* is already included in SELECT statement
+        if sort_by?('sku') || sort_by?('price')
+          scope.i18n.select(*translatable_fields)
+        else
+          scope.i18n.select("#{Product.table_name}.*").select(*translatable_fields)
+        end
+      end
+
+      def translatable_sortable_fields
+        fields = []
+        Product.translatable_fields.each do |field|
+          fields << field if sort_by?(field.to_s)
+        end
+        fields
+      end
     end
   end
 end

data/brakeman.ignore

@@ -1,20 +1,328 @@
 {
-    "ignored_warnings": [
-        {
-          "fingerprint": "011b2643940ba1112f7a737e403abe3616ad91764703c801cc35a48d36b721da",
-          "note": "interpolating table name"
-        },
-        {
-          "fingerprint": "965d3919f811ab63b7b8d62da528559a7f38dc122c57efea7136e7ec5ef1f062",
-          "note": "interpolating table name"
-        },
-        {
-          "fingerprint": "abd8e90e7a7dfbcdcd6d44fd3fb550598aee6d7a9ef2bb132ad1a18a3c50be30",
-          "note": "interpolating table name"
-        },
-        {
-          "fingerprint": "efcc57e1a5648d7db59d1beaf5e399d2278539a8667b19c520b305a6ca7e15e8",
-          "note": "interpolating table name"
-        }
-    ]
+  "ignored_warnings": [
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "011b2643940ba1112f7a737e403abe3616ad91764703c801cc35a48d36b721da",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 64,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "where(\"#{price_table_name}.amount <= ?\", price)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree",
+        "method": null
+      },
+      "user_input": "price_table_name",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": "interpolating table name"
+    },
+    {
+      "warning_type": "Redirect",
+      "warning_code": 18,
+      "fingerprint": "05d3870f66d650510c859a8949d5686b05eb028825083b096d0f65fedf80b118",
+      "check_name": "Redirect",
+      "message": "Possible unprotected redirect",
+      "file": "lib/spree/core/controller_helpers/auth.rb",
+      "line": 25,
+      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
+      "code": "redirect_to((session[\"spree_user_return_to\"] or (request.env[\"HTTP_REFERER\"] or default)))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::Core::ControllerHelpers::Auth",
+        "method": "redirect_back_or_default"
+      },
+      "user_input": "request.env[\"HTTP_REFERER\"]",
+      "confidence": "High",
+      "cwe_id": [
+        601
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "1c12fcb833b0ddffa07880acb7e604922c0d1d52de598316186241baf16551cd",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/finders/spree/taxons/find.rb",
+      "line": 75,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "taxons.joins(\"INNER JOIN #{Spree::Taxon.table_name} AS parent_taxon ON parent_taxon.id = #{Spree::Taxon.table_name}.parent_id\").join_translation_table(Taxon, \"parent_taxon\").where([\"#{Taxon.translation_table_alias}.permalink = ?\", parent_permalink])",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::Taxons::Find",
+        "method": "by_parent_permalink"
+      },
+      "user_input": "Taxon.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "1f02952550c2f54d044c9577a45e7ba7c7990c8b8a59d1dac83a96790237f507",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 139,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "joins(:properties).join_translation_table(Property).join_translation_table(ProductProperty).where(\"#{ProductProperty.translation_table_alias}.value = ?\", value)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::ProductScopes",
+        "method": null
+      },
+      "user_input": "ProductProperty.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "7928c0813a0bf084ead091b4554ef6abea9ae9c7167936f5c62da9e328b9f736",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 139,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "joins(:properties).join_translation_table(Property).join_translation_table(ProductProperty).where(\"#{ProductProperty.translation_table_alias}.value = ?\", value)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree",
+        "method": null
+      },
+      "user_input": "ProductProperty.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "857c335935a00f584137f31dbcb1a4532af5c8bb5cf53a86058b4af98c6597dc",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "lib/spree/translation_migrations.rb",
+      "line": 21,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "ActiveRecord::Base.connection.execute(\"\\n          UPDATE #{resource_class.table_name}\\n          SET #{resource_class.translatable_fields.map do\n \"#{f}=null\"\n end.join(\", \")};\\n                                              \")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::TranslationMigrations",
+        "method": "transfer_translation_data"
+      },
+      "user_input": "resource_class.translatable_fields.map do\n \"#{f}=null\"\n end.join(\", \")",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "965d3919f811ab63b7b8d62da528559a7f38dc122c57efea7136e7ec5ef1f062",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 68,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "where(\"#{price_table_name}.amount >= ?\", price)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::ProductScopes",
+        "method": null
+      },
+      "user_input": "price_table_name",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": "interpolating table name"
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "98607ecfb86c2d3c2567390f813861edbc42d6ffa9f482afb7c0b3464eaf6e73",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/translatable_resource_scopes.rb",
+      "line": 18,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "joins(\"LEFT OUTER JOIN #{translatable_class::Translation.table_name} #{translatable_class.translation_table_alias}\\n             ON #{translatable_class.translation_table_alias}.#{\"#{translatable_class.table_name.singularize}_id\"} = #{(translatable_class.table_name or join_on_table_alias)}.id\\n             AND #{translatable_class.translation_table_alias}.locale = '#{Mobility.locale}'\")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::TranslatableResourceScopes",
+        "method": "join_translation_table"
+      },
+      "user_input": "translatable_class.translation_table_alias",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "abd8e90e7a7dfbcdcd6d44fd3fb550598aee6d7a9ef2bb132ad1a18a3c50be30",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 64,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "where(\"#{price_table_name}.amount <= ?\", price)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::ProductScopes",
+        "method": null
+      },
+      "user_input": "price_table_name",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": "interpolating table name"
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "c1c97347a2d74ea41d46519e3bfbd94c511a1bd9c285f3f2a1fa0cb7e624d232",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "lib/spree/translation_migrations.rb",
+      "line": 32,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "ActiveRecord::Base.connection.execute(\"\\n          UPDATE #{resource_class.table_name}\\n          SET (#{resource_class.translatable_fields.join(\", \")}) = #{(\"ROW\" or \"\")}(#{resource_class.translatable_fields.map do\n \"#{resource_class::Translation.table_name}.#{f}\"\n end.join(\", \")})\\n          FROM #{resource_class::Translation.table_name}\\n          WHERE #{resource_class::Translation.table_name}.#{\"#{resource_class.table_name.singularize}_id\"} = #{resource_class.table_name}.id\\n                                            \")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::TranslationMigrations",
+        "method": "revert_translation_data_transfer"
+      },
+      "user_input": "resource_class.translatable_fields.join(\", \")",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "c2bc48d98076b7c4fc3314c6a85f7bd1132efe5fcc346da4d28df7c25f93633f",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/spree/variant.rb",
+      "line": 126,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "joins(:product).join_translation_table(Product).where(\"LOWER(#{Product.translation_table_alias}.name) LIKE LOWER(:query)\\n               OR LOWER(sku) LIKE LOWER(:query)\", :query => (\"%#{query}%\"))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::Variant",
+        "method": "Spree::Variant.product_name_or_sku_cont"
+      },
+      "user_input": "Product.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "ed253ae6b1b4ea3fe3d87d3652380fecab80133319b1ed041d98d163fd16b815",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/finders/spree/taxons/find.rb",
+      "line": 71,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "taxons.joins(:parent).join_translation_table(Taxon, \"parents_spree_taxons\").where([\"#{Taxon.translation_table_alias}.permalink = ?\", parent_permalink])",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::Taxons::Find",
+        "method": "by_parent_permalink"
+      },
+      "user_input": "Taxon.translation_table_alias",
+      "confidence": "Weak",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "efcc57e1a5648d7db59d1beaf5e399d2278539a8667b19c520b305a6ca7e15e8",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/spree/product_scopes.rb",
+      "line": 68,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "where(\"#{price_table_name}.amount >= ?\", price)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree",
+        "method": null
+      },
+      "user_input": "price_table_name",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": "interpolating table name"
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "f14dd62fac0dd1e9d5532dd5efc770e2eb873a8db80faf366b6295378634754a",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "lib/spree/translation_migrations.rb",
+      "line": 16,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "ActiveRecord::Base.connection.execute(\"\\n          INSERT INTO #{resource_class::Translation.table_name} (#{resource_class.translatable_fields.join(\", \")}, #{\"#{resource_class.table_name.singularize}_id\"}, locale, created_at, updated_at)\\n          SELECT #{resource_class.translatable_fields.join(\", \")}, id, '#{default_locale}' as locale, created_at, updated_at FROM #{resource_class.table_name};\\n                                              \")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Spree::TranslationMigrations",
+        "method": "transfer_translation_data"
+      },
+      "user_input": "resource_class.translatable_fields.join(\", \")",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": ""
+    }
+  ],
+  "updated": "2023-03-22 20:11:32 +0100",
+  "brakeman_version": "5.4.1"
 }

data/config/initializers/friendly_id.rb

@@ -1,3 +1,5 @@
+require 'friendly_id/mobility'
+
 # To learn more, check out the guide:
 # http://norman.github.io/friendly_id/file.Guide.html
 FriendlyId.defaults do |config|

data/config/initializers/mobility.rb

@@ -0,0 +1,18 @@
+Mobility.configure do |config|
+  config.plugins do
+    ransack
+    backend :table
+    active_record
+    reader
+    writer
+    backend_reader
+    query
+    cache
+    fallbacks
+    locale_accessors
+    presence
+    dirty
+  end
+
+  config.defaults[:fallbacks] = true
+end

data/config/locales/en.yml

@@ -91,6 +91,7 @@ en:
         name: Name
       spree/product:
         available_on: Available On
+        make_active_at: Make Active At
         discontinue_on: Discontinue On
         cost_currency: Cost Currency
         cost_price: Cost Price
@@ -360,7 +361,7 @@ en:
             discontinue_on:
               invalid_date_range: must be later than available date
             base:
-              cannot_destroy_if_attached_to_line_items: Cannot delete products once they are attached to line items.
+              cannot_destroy_if_attached_to_line_items: Cannot delete Products that are added to placed Orders. In such cases, please discontinue them.
         spree/refund:
           attributes:
             amount:
@@ -397,7 +398,7 @@ en:
         spree/variant:
           attributes:
             base:
-              cannot_destroy_if_attached_to_line_items: Cannot delete variants once they are attached to line items.
+              cannot_destroy_if_attached_to_line_items: Cannot delete Variants that are added to placed Orders. In such cases, please discontinue them.
               no_master_variant_found_to_infer_price: No master variant found to infer price
               must_supply_price_for_variant_or_master: Must supply price for variant or master price for product.
         spree/image:
@@ -583,6 +584,7 @@ en:
     auto_capture: Auto Capture
     availability: availability
     available_on: Available On
+    make_active_at: Make Active At
     available: Available
     average_order_value: Average Order Value
     avs_response: AVS Response
@@ -1110,6 +1112,7 @@ en:
     notice_messages:
       icon_removed: Image has been successfully removed
       prices_saved: Prices successfully saved
+      translations_saved: Translations successfully saved
       product_cloned: Product has been cloned
       product_deleted: Product has been deleted
       product_not_cloned: "Product could not be cloned. Reason: %{error}"
@@ -1120,6 +1123,7 @@ en:
     number: Number
     ok: OK
     on_hand: On Hand
+    only_active_products_can_be_added_to_cart: Draft and archived products cannot be added to cart, please mark the product as active before.
     open: Open
     open_all_adjustments: Open All Adjustments
     option_type: Option Type