spree_core 5.2.3 → 5.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 92beba989ce9cb710594c81743585143d23519b30406146a6fd0c17d792ab4a3
-  data.tar.gz: 7389b6c100d69785017e5924ef6d600cc3d266b0c022da4b35f002cfb54d7872
+  metadata.gz: 2d349836816cd2c1ec5919e21868926cd4eec24cb0c38c33cb744b37a9402dc9
+  data.tar.gz: 8072164578532d141040fe3aab664d91cb00c2c8571c3b9a043cd4ccb23f1aa1
 SHA512:
-  metadata.gz: 92d2afee02b65b1ebcd35092eea9d57af361881100d9d43402a9956b8bb10091a2b444b102634b1a4d278ea6f4e8ae10ca7107654f58841908c4732d21bf1b2b
-  data.tar.gz: 4dc73e2e8654d3c0ee10bb6aa06d5507ef747b297cf5e2a96c78b38a6a5d3e8f36ec582531be5741cedd5a5402173342e8b7c9d47951cf816431e6be0916b67f
+  metadata.gz: 4ad9ed9392d8cb3b34cf3fa0c294dca288fe2c5162ed20c84616ef82c71e2368ea7debb5264208b26703df22640cb612e4deadb98882dcd872f8622197b8d0e5
+  data.tar.gz: a6cd8afa6b70d0fc758758c9555ab24da37800c7905220b7d5f0251bf19fa06f87d03315aba858476eb181705c32ba6d80fba4e387f419f892f7b1ec16631aac

data/app/models/spree/ability.rb

@@ -143,7 +143,8 @@ module Spree
       can :update, ::Spree::Order do |order, token|
         !order.completed? && (order.user == user || order.token && token == order.token)
       end
-      can :manage, ::Spree::Address, user_id: user.id
+      # Address management - only for persisted users with matching user_id
+      can :manage, ::Spree::Address, user_id: user.id if user.persisted?
       can [:read, :destroy], ::Spree::CreditCard, user_id: user.id
       can :read, ::Spree::Product
       can :read, ::Spree::ProductProperty

data/app/models/spree/permission_sets/default_customer.rb

@@ -43,8 +43,8 @@ module Spree
         can :create, Spree.user_class
         can [:show, :update, :destroy], Spree.user_class, id: user.id
 
-        # Address management
-        can :manage, Spree::Address, user_id: user.id
+        # Address management - only for persisted users with matching user_id
+        can :manage, Spree::Address, user_id: user.id if user.persisted?
 
         # Credit card management
         can [:read, :destroy], Spree::CreditCard, user_id: user.id

data/app/models/spree/product.rb

@@ -204,10 +204,12 @@ module Spree
                          }
 
     scope :by_best_selling, lambda { |order_direction = :desc|
-      left_joins(:orders).
-        select("#{Spree::Product.table_name}.*, COUNT(#{Spree::Order.table_name}.id) AS completed_orders_count, SUM(#{Spree::Order.table_name}.total) AS completed_orders_total").
-        where(Spree::Order.table_name => { id: nil }).
-        or(where.not(Spree::Order.table_name => { completed_at: nil })).
+      left_joins(variants_including_master: { line_items: :order }).
+        select(
+          "#{Spree::Product.table_name}.*",
+          "COUNT(DISTINCT CASE WHEN #{Spree::Order.table_name}.completed_at IS NOT NULL THEN #{Spree::Order.table_name}.id END) AS completed_orders_count",
+          "COALESCE(SUM(CASE WHEN #{Spree::Order.table_name}.completed_at IS NOT NULL THEN (#{Spree::LineItem.table_name}.price * #{Spree::LineItem.table_name}.quantity) END), 0) AS completed_orders_total"
+        ).
         group("#{Spree::Product.table_name}.id").
         order(completed_orders_count: order_direction, completed_orders_total: order_direction)
     }

data/app/services/spree/checkout/update.rb

@@ -5,6 +5,10 @@ module Spree
       include Spree::Addresses::Helper
 
       def call(order:, params:, permitted_attributes:, request_env:)
+        # Validate address ownership to prevent IDOR attacks
+        address_ownership_error = validate_address_ownership(order, params)
+        return failure(order, address_ownership_error) if address_ownership_error
+
         ship_changed = address_with_country_iso_present?(params, 'ship')
         bill_changed = address_with_country_iso_present?(params, 'bill')
         params[:order][:ship_address_attributes] = replace_country_iso_with_id(params[:order][:ship_address_attributes]) if ship_changed
@@ -26,6 +30,26 @@ module Spree
 
       private
 
+      def validate_address_ownership(order, params)
+        return nil unless params[:order]
+
+        %w[bill ship].each do |address_kind|
+          address_id = params[:order].dig("#{address_kind}_address_attributes".to_sym, :id)
+          next unless address_id
+
+          address = Spree::Address.find_by(id: address_id)
+          next unless address
+
+          # Allow if address has no user (guest address) or belongs to the order's user
+          next if address.user_id.nil?
+          next if order.user_id.present? && address.user_id == order.user_id
+
+          return Spree.t(:address_not_owned_by_user)
+        end
+
+        nil
+      end
+
       def address_with_country_iso_present?(params, address_kind = 'ship')
         return false unless params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_iso)
         return false if params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_id)

data/config/locales/en.yml

@@ -667,6 +667,7 @@ en:
       successfully_updated: Updated successfully
       unsuccessfully_saved: There was an error while trying to save your address.
       unsuccessfully_updated: There was an update while trying to update your address.
+    address_not_owned_by_user: The specified address does not belong to this user.
     address_settings: Address settings
     addresses: Addresses
     adjustable: Adjustable

data/lib/spree/core/version.rb

@@ -1,5 +1,5 @@
 module Spree
-  VERSION = '5.2.3'.freeze
+  VERSION = '5.2.5'.freeze
 
   def self.version
     VERSION

data/spec/fixtures/files/example.json

@@ -0,0 +1,4 @@
+{
+  "id": 1,
+  "name": "Example"
+}

data/spec/fixtures/files/products_import.csv

@@ -0,0 +1,18 @@
+slug,sku,name,status,vendor_name,brand_name,description,meta_title,meta_description,meta_keywords,tags,labels,price,compare_at_price,currency,width,height,depth,dimensions_unit,weight,weight_unit,available_on,discontinue_on,track_inventory,inventory_count,inventory_backorderable,tax_category,digital,image1_src,image2_src,image3_src,option1_name,option1_value,option2_name,option2_value,option3_name,option3_value,category1,category2,category3,metafield.properties.fit,metafield.properties.manufacturer,metafield.properties.material,metafield.custom.brand,metafield.custom.material
+denim-shirt,"",Denim Shirt,draft,,,Adipisci sapiente velit nihil ullam. Placeat cumque ipsa cupiditate velit magni sapiente mollitia dolorum. Veritatis esse illo eos perferendis. Perspiciatis vel iusto odio eveniet quam officia quidem. Fugiat a ipsum tempore optio accusantium autem in fugit.,,,,"","",0.0,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Default,false,,,,,,,,,,Categories -> Men -> Shirts,Categories -> Women,Categories -> Sportswear,Lose,Wannabe,90% Cotton 10% Elastan,,
+denim-shirt,DENIM-SHIRT-XS-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Blue,Size,XS,,,,,
+denim-shirt,DENIM-SHIRT-S-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Blue,Size,S,,,,,
+denim-shirt,DENIM-SHIRT-M-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Blue,Size,M,,,,,
+denim-shirt,DENIM-SHIRT-L-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Blue,Size,L,,,,,
+denim-shirt,DENIM-SHIRT-XL-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Blue,Size,XL,,,,,
+denim-shirt,DENIM-SHIRT-XS-LIGHT-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Light Blue,Size,XS,,,,,
+denim-shirt,DENIM-SHIRT-S-LIGHT-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Light Blue,Size,S,,,,,
+denim-shirt,DENIM-SHIRT-M-LIGHT-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Light Blue,Size,M,,,,,
+denim-shirt,DENIM-SHIRT-L-LIGHT-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Light Blue,Size,L,,,,,
+denim-shirt,DENIM-SHIRT-XL-LIGHT-BLUE,,,,,,,,,,,62.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:53,,true,100,true,Clothing,false,,,,Color,Light Blue,Size,XL,,,,,
+checked-shirt,"",Checked Shirt,draft,,,Et ipsam repudiandae itaque tenetur laborum. Cupiditate nulla blanditiis quia tenetur doloremque possimus explicabo asperiores. Facere adipisci veniam aut nemo magnam.,,,,"","",0.0,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:54,,true,100,true,Default,false,,,,,,,,,,Categories -> Men -> Shirts,Categories -> Women,Categories -> Sportswear,Lose,Wannabe,10% Cotton 90% Elastan,,
+checked-shirt,CHECKED-SHIRT-XS-RED,,,,,,,,,,,22.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:54,,true,100,true,Clothing,false,,,,Color,Red,Size,XS,,,,,
+checked-shirt,CHECKED-SHIRT-S-RED,,,,,,,,,,,22.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:54,,true,100,true,Clothing,false,,,,Color,Red,Size,S,,,,,
+checked-shirt,CHECKED-SHIRT-M-RED,,,,,,,,,,,22.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:54,,true,100,true,Clothing,false,,,,Color,Red,Size,M,,,,,
+checked-shirt,CHECKED-SHIRT-L-RED,,,,,,,,,,,22.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:54,,true,100,true,Clothing,false,,,,Color,Red,Size,L,,,,,
+checked-shirt,CHECKED-SHIRT-XL-RED,,,,,,,,,,,22.99,0.0,USD,,,,,0.0,lb,2025-10-09 14:35:54,,true,100,true,Clothing,false,,,,Color,Red,Size,XL,,,,,

data/spec/fixtures/text-file.txt

@@ -0,0 +1 @@
+Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_core
 version: !ruby/object:Gem::Version
-  version: 5.2.3
+  version: 5.2.5
 platform: ruby
 authors:
 - Sean Schofield
@@ -273,6 +273,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: paranoia
   requirement: !ruby/object:Gem::Requirement
@@ -1669,6 +1683,15 @@ files:
 - lib/tasks/core.rake
 - lib/tasks/dependencies.rake
 - lib/tasks/exchanges.rake
+- spec/fixtures/favicon.ico
+- spec/fixtures/files/example.json
+- spec/fixtures/files/icon_256x256.gif
+- spec/fixtures/files/icon_256x256.png
+- spec/fixtures/files/icon_512x512.png
+- spec/fixtures/files/img_256x128.png
+- spec/fixtures/files/products_import.csv
+- spec/fixtures/text-file.txt
+- spec/fixtures/thinking-cat.jpg
 - vendor/javascript/@rails--request.js.js
 - vendor/javascript/@stimulus-components--auto-submit.js
 - vendor/javascript/stimulus-reveal-controller.js
@@ -1680,9 +1703,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.2.3
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.2.5
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.2.3
+  source_code_uri: https://github.com/spree/spree/tree/v5.2.5
 rdoc_options: []
 require_paths:
 - lib
@@ -1697,7 +1720,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.8.23
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.2
 specification_version: 4
 summary: The bare bones necessary for Spree
 test_files: []