spree_core 5.0.6 → 5.0.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/models/spree/ability.rb +2 -1
- data/app/services/spree/checkout/update.rb +24 -0
- data/config/locales/en.yml +1 -0
- data/lib/spree/core/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c87f4abd941d499270077f37fb1f2e7d3905796e81bdebba35cb20f66349cdb0
|
|
4
|
+
data.tar.gz: 33286e4357f7051a22ef1bfe56dcd1292f1931beb0cff4bb02396db79568b85f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f8dd54b9b45f81dac694b61c8fc6520c9a26c4b995637413dc195552e8e5931ac57c236af3a4f5ccf3100fdf18ac97a84eecbb2b261dd250a7452572ae2fbd9a
|
|
7
|
+
data.tar.gz: 9db37625c009f49a5d1e4a6c5d7207f9a4dda570f3f33fd01abdb2117972138a247b2cc0ff37b4f9350b3d3e863d82103fd864eeb672190baba6de05d3e58c1d
|
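--- a/data/app/models/spree/ability.rb
+++ b/data/app/models/spree/ability.rb
@@ -75,7 +75,8 @@ module Spree
 can :update, ::Spree::Order do |order, token|
 !order.completed? && (order.user == user || order.token && token == order.token)
 end
-
+# Address management - only for persisted users with matching user_id
+can :manage, ::Spree::Address, user_id: user.id if user.persisted?
 can [:read, :destroy], ::Spree::CreditCard, user_id: user.id
 can :read, ::Spree::Product
 can :read, ::Spree::ProductProperty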
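Review bot: The new `can :manage, ::Spree::Address, user_id: user.id if user.persisted?` grants every action on the model, including any custom action aliased elsewhere in this ability, while the neighbouring CreditCard rule on the next line enumerates `[:read, :destroy]`. Listing the actions the storefront actually needs, `can %i[read create update destroy], ::Spree::Address, user_id: user.id if user.persisted?`, keeps the grant at least privilege and makes the rule consistent with the rest of the block. The comment above it should also say what the `user_id` hash condition does not cover, e.g. `# Hash condition only constrains instances that already carry user_id; class-level checks pass`. The enclosing method starts and ends outside this hunk, so whether an earlier, broader Address rule still exists cannot be confirmed from here.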
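--- a/data/app/services/spree/checkout/update.rb
+++ b/data/app/services/spree/checkout/update.rb
@@ -5,6 +5,10 @@ module Spree
 include Spree::Addresses::Helper
 
 def call(order:, params:, permitted_attributes:, request_env:)
+# Validate address ownership to prevent IDOR attacks
+address_ownership_error = validate_address_ownership(order, params)
+return failure(order, address_ownership_error) if address_ownership_error
+
 ship_changed = address_with_country_iso_present?(params, 'ship')
 bill_changed = address_with_country_iso_present?(params, 'bill')
 params[:order][:ship_address_attributes] = replace_country_iso_with_id(params[:order][:ship_address_attributes]) if ship_changed
@@ -26,6 +30,26 @@ module Spree
 
 private
 
+def validate_address_ownership(order, params)
+return nil unless params[:order]
+
+%w[bill ship].each do |address_kind|
+address_id = params[:order].dig("#{address_kind}_address_attributes".to_sym, :id)
+next unless address_id
+
+address = Spree::Address.find_by(id: address_id)
+next unless address
+
+# Allow if address has no user (guest address) or belongs to the order's user
+next if address.user_id.nil?
+next if order.user_id.present? && address.user_id == order.user_id
+
+return Spree.t(:address_not_owned_by_user)
+end
+
+nil
+end
+
 def address_with_country_iso_present?(params, address_kind = 'ship')
 return false unless params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_iso)
 return false if params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_id)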
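Review bot: `validate_address_ownership` binds user-owned addresses to `order.user_id` but never binds guest addresses to this order: `next if address.user_id.nil?` accepts any existing address with no user, so an `id` from a different guest checkout passes the new check. If guest flows only ever submit an `id` for an address already attached to the order, the line can be tightened to `next if address.user_id.nil? && [order.bill_address_id, order.ship_address_id].include?(address.id)`; if that assumption does not hold, the nil branch should at least be documented as an accepted gap rather than described as "guest address". Separately, an unknown id takes `next unless address` and continues through `call` while a foreign id returns `Spree.t(:address_not_owned_by_user)`, so the two outcomes are distinguishable to the client; returning the same `failure` for both removes that existence signal. As a style nit, `"#{address_kind}_address_attributes".to_sym` (also in the pre-existing helpers below) reads better as the symbol literal `:"#{address_kind}_address_attributes"`. The body of `call` in the first hunk continues outside the hunk, so where the validated params are finally applied cannot be seen here.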
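--- a/data/config/locales/en.yml
+++ b/data/config/locales/en.yml
@@ -608,6 +608,7 @@ en:
 successfully_updated: Updated successfully
 unsuccessfully_saved: There was an error while trying to save your address.
 unsuccessfully_updated: There was an update while trying to update your address.
+address_not_owned_by_user: The specified address does not belong to this user.
 addresses: Addresses
 adjustable: Adjustable
 adjustment: Adjustment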
data/lib/spree/core/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: spree_core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.0.
|
|
4
|
+
version: 5.0.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sean Schofield
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date:
|
|
13
|
+
date: 2026-01-08 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: i18n-tasks
|
|
@@ -1312,9 +1312,9 @@ licenses:
|
|
|
1312
1312
|
- BSD-3-Clause
|
|
1313
1313
|
metadata:
|
|
1314
1314
|
bug_tracker_uri: https://github.com/spree/spree/issues
|
|
1315
|
-
changelog_uri: https://github.com/spree/spree/releases/tag/v5.0.
|
|
1315
|
+
changelog_uri: https://github.com/spree/spree/releases/tag/v5.0.7
|
|
1316
1316
|
documentation_uri: https://docs.spreecommerce.org/
|
|
1317
|
-
source_code_uri: https://github.com/spree/spree/tree/v5.0.
|
|
1317
|
+
source_code_uri: https://github.com/spree/spree/tree/v5.0.7
|
|
1318
1318
|
post_install_message:
|
|
1319
1319
|
rdoc_options: []
|
|
1320
1320
|
require_paths:
|