spree_core 5.4.0.beta3 → 5.4.0.beta5

data/app/models/spree/store.rb

@@ -1,15 +1,16 @@
+# frozen_string_literal: true
+
 require 'uri'
 
 module Spree
   class Store < Spree.base_class
-    has_prefix_id :store  # Spree-specific: store
+    has_prefix_id :store # Spree-specific: store
 
     include FriendlyId
     include Spree::TranslatableResource
     include Spree::Metafields
     include Spree::Metadata
     include Spree::Stores::Setup
-    include Spree::Stores::Socials
     include Spree::Stores::Markets
     include Spree::Security::Stores if defined?(Spree::Security::Stores)
     include Spree::UserManagement
@@ -23,8 +24,7 @@ module Spree
     #
     # Translations
     #
-    TRANSLATABLE_FIELDS = %i[name meta_description meta_keywords seo_title facebook
-                             twitter instagram customer_support_email
+    TRANSLATABLE_FIELDS = %i[name meta_description meta_keywords seo_title customer_support_email
                              address contact_phone].freeze
     translates(*TRANSLATABLE_FIELDS, column_fallback: !Spree.always_use_translations?)
     self::Translation.class_eval do
@@ -43,9 +43,6 @@ module Spree
     preference :unit_system, :string, default: 'imperial'
     # email preferences
     preference :send_consumer_transactional_emails, :boolean, default: true
-    # SEO preferences
-    preference :index_in_search_engines, :boolean, default: false
-    preference :password_protected, :boolean, default: false
     # Checkout preferences
     preference :guest_checkout, :boolean, default: true
     preference :special_instructions_enabled, :boolean, default: false
@@ -86,6 +83,7 @@ module Spree
 
     has_many :taxonomies, class_name: 'Spree::Taxonomy'
     has_many :taxons, through: :taxonomies, class_name: 'Spree::Taxon'
+    has_many :categories, through: :taxonomies, class_name: 'Spree::Category', source: :taxons
 
     has_many :store_promotions, class_name: 'Spree::StorePromotion'
     has_many :promotions, through: :store_promotions, class_name: 'Spree::Promotion'
@@ -111,21 +109,6 @@ module Spree
 
     has_many :api_keys, class_name: 'Spree::ApiKey', dependent: :destroy
 
-
-    #
-    # ActionText
-    #
-    has_rich_text :checkout_message
-    has_rich_text :customer_terms_of_service
-    has_rich_text :customer_privacy_policy
-    has_rich_text :customer_returns_policy
-    has_rich_text :customer_shipping_policy
-
-    #
-    # Virtual attributes
-    #
-    store_accessor :private_metadata, :storefront_password
-
     #
     # Validations
     #
@@ -137,19 +120,17 @@ module Spree
     validates :mail_from_address, email: { allow_blank: false }
     # FIXME: we should remove this condition in v5
     if !ENV['SPREE_DISABLE_DB_CONNECTION'] &&
-        connected? &&
-        table_exists? &&
-        connection.column_exists?(:spree_stores, :new_order_notifications_email)
+       connected? &&
+       table_exists? &&
+       connection.column_exists?(:spree_stores, :new_order_notifications_email)
       validates :new_order_notifications_email, email: { allow_blank: true }
     end
-    validates :favicon_image, :social_image, :mailer_logo, content_type: Rails.application.config.active_storage.web_image_content_types
+    validates :mailer_logo, content_type: Rails.application.config.active_storage.web_image_content_types
 
     #
     # Attachments
     #
     has_one_attached :logo, service: Spree.public_storage_service_name
-    has_one_attached :favicon_image, service: Spree.public_storage_service_name
-    has_one_attached :social_image, service: Spree.public_storage_service_name
     has_one_attached :mailer_logo, service: Spree.public_storage_service_name
 
     #
@@ -157,8 +138,6 @@ module Spree
     before_validation :set_default_code, on: :create
     before_save :ensure_default_exists_and_is_unique
     after_create :ensure_default_market
-    after_create :ensure_default_taxonomies_are_created
-    after_create :ensure_default_automatic_taxons
     after_create :create_default_policies
 
     #
@@ -233,16 +212,6 @@ module Spree
       @default_country_for_market = country
     end
 
-    def seo_meta_description
-      if meta_description.present?
-        meta_description
-      elsif seo_title.present?
-        seo_title
-      else
-        name
-      end
-    end
-
     def unique_name
       @unique_name ||= "#{name} (#{code})"
     end
@@ -312,18 +281,18 @@ module Spree
     # @return [ActiveRecord::Relation<Spree::Country>]
     def countries_with_shipping_coverage
       zone_ids = Spree::Zone
-        .joins(:shipping_methods)
-        .select(:id)
+                 .joins(:shipping_methods)
+                 .select(:id)
 
       country_zone_country_ids = Spree::ZoneMember
-        .where(zone_id: zone_ids, zoneable_type: 'Spree::Country')
-        .select(:zoneable_id)
+                                 .where(zone_id: zone_ids, zoneable_type: 'Spree::Country')
+                                 .select(:zoneable_id)
 
       state_zone_country_ids = Spree::State
-        .where(id: Spree::ZoneMember
-          .where(zone_id: zone_ids, zoneable_type: 'Spree::State')
-          .select(:zoneable_id))
-        .select(:country_id)
+                               .where(id: Spree::ZoneMember
+                                          .where(zone_id: zone_ids, zoneable_type: 'Spree::State')
+                                          .select(:zoneable_id))
+                               .select(:country_id)
 
       Spree::Country
         .where(id: country_zone_country_ids)
@@ -337,7 +306,8 @@ module Spree
       @default_stock_location ||= begin
         stock_location_scope = Spree::StockLocation.where(default: true)
         stock_location_scope.first || ActiveRecord::Base.connected_to(role: :writing) do
-          stock_location_scope.create(default: true, name: Spree.t(:default_stock_location_name), country: default_country)
+          stock_location_scope.create(default: true, name: Spree.t(:default_stock_location_name),
+                                      country: default_country)
         end
       end
     end
@@ -348,12 +318,6 @@ module Spree
       users
     end
 
-    def favicon
-      return unless favicon_image.attached? && favicon_image.variable?
-
-      favicon_image.variant(resize_to_limit: [32, 32])
-    end
-
     def metric_unit_system?
       preferred_unit_system == 'metric'
     end
@@ -366,14 +330,6 @@ module Spree
       @digital_shipping_category ||= ShippingCategory.find_or_create_by(name: 'Digital')
     end
 
-    %w[customer_terms_of_service customer_privacy_policy customer_returns_policy customer_shipping_policy].each do |policy_method|
-      define_method policy_method do
-        Spree::Deprecation.warn("Store##{policy_method} is deprecated and will be removed in Spree 5.5. Please use Store#policies instead.")
-
-        ActionText::RichText.find_by(name: policy_method, record: self)
-      end
-    end
-
     private
 
     def ensure_default_market
@@ -395,7 +351,25 @@ module Spree
       end
     end
 
+    def create_default_policies
+      Spree::Events.disable do
+        [
+          translate_with_store_locale_fallback('spree.terms_of_service'),
+          translate_with_store_locale_fallback('spree.privacy_policy'),
+          translate_with_store_locale_fallback('spree.returns_policy'),
+          translate_with_store_locale_fallback('spree.shipping_policy')
+        ].each do |policy_name|
+          # Manual exists?/create to work around Mobility bug with find_or_create_by
+          next if policies.with_matching_name(policy_name).exists?
+
+          policies.create(name: policy_name)
+        end
+      end
+    end
+
     def ensure_default_taxonomies_are_created
+      Spree::Deprecation.warn('Store#ensure_default_taxonomies_are_created is deprecated and will be removed in Spree 5.5. Please remove it from your codebase')
+
       Spree::Events.disable do
         [
           translate_with_store_locale_fallback('spree.taxonomy_categories_name'),
@@ -411,13 +385,16 @@ module Spree
     end
 
     def ensure_default_automatic_taxons
+      Spree::Deprecation.warn('Store#ensure_default_automatic_taxons is deprecated and will be removed in Spree 5.5. Please remove it from your codebase')
+
       Spree::Events.disable do
         # Use Mobility-safe lookup for taxonomy
         collections_taxonomy = taxonomies.with_matching_name(translate_with_store_locale_fallback('spree.taxonomy_collections_name')).first
         return unless collections_taxonomy.present?
 
         automatic_taxons_config = [
-          { name: translate_with_store_locale_fallback('spree.automatic_taxon_names.on_sale'), rule_type: 'Spree::TaxonRules::Sale', rule_value: 'true' },
+          { name: translate_with_store_locale_fallback('spree.automatic_taxon_names.on_sale'),
+            rule_type: 'Spree::TaxonRules::Sale', rule_value: 'true' },
           { name: translate_with_store_locale_fallback('spree.automatic_taxon_names.new_arrivals'), rule_type: 'Spree::TaxonRules::AvailableOn', rule_value: 30 }
         ]
 
@@ -439,22 +416,6 @@ module Spree
       end
     end
 
-    def create_default_policies
-      Spree::Events.disable do
-        [
-          translate_with_store_locale_fallback('spree.terms_of_service'),
-          translate_with_store_locale_fallback('spree.privacy_policy'),
-          translate_with_store_locale_fallback('spree.returns_policy'),
-          translate_with_store_locale_fallback('spree.shipping_policy')
-        ].each do |policy_name|
-          # Manual exists?/create to work around Mobility bug with find_or_create_by
-          next if policies.with_matching_name(policy_name).exists?
-
-          policies.create(name: policy_name)
-        end
-      end
-    end
-
     # Translates a key using the store's default locale with fallback to :en
     def translate_with_store_locale_fallback(key)
       locale = default_locale.presence&.to_sym || :en

data/app/models/spree/taxon.rb

@@ -1,20 +1,22 @@
+# frozen_string_literal: true
+
 require 'stringex'
 
 module Spree
   class Taxon < Spree.base_class
-    has_prefix_id :txn  # Spree-specific: taxon
+    has_prefix_id :ctg
 
     RULES_MATCH_POLICIES = %w[all any].freeze
-    SORT_ORDERS = %w[
-      manual
-      best-selling
-      name-a-z
-      name-z-a
-      price-high-to-low
-      price-low-to-high
-      newest-first
-      oldest-first
-    ]
+    SORT_ORDERS = [
+      'manual',
+      'best_selling',
+      'price asc',
+      'price desc',
+      'available_on desc',
+      'available_on asc',
+      'name asc',
+      'name desc'
+    ].freeze
 
     include Spree::TranslatableResource
     include Spree::TranslatableResourceSlug
@@ -54,9 +56,9 @@ module Spree
     #
     # Validations
     #
-    validates :name, presence: true, uniqueness: { scope: [:parent_id, :taxonomy_id], case_sensitive: false }
+    validates :name, presence: true, uniqueness: { scope: %i[parent_id taxonomy_id], case_sensitive: false }
     validates :taxonomy, presence: true
-    validates :permalink, uniqueness: { case_sensitive: false, scope: [:parent_id, :taxonomy_id] }
+    validates :permalink, uniqueness: { case_sensitive: false, scope: %i[parent_id taxonomy_id] }
     validates :hide_from_nav, inclusion: { in: [true, false] }
     validate :check_for_root, on: :create
     validate :parent_belongs_to_same_taxonomy
@@ -88,9 +90,9 @@ module Spree
     scope :for_stores, ->(stores) { joins(:taxonomy).where(spree_taxonomies: { store_id: stores.ids }) }
     scope :for_taxonomy, lambda { |taxonomy_name|
       if Spree.use_translations?
-        joins(:taxonomy).
-          join_translation_table(Taxonomy).
-          where(
+        joins(:taxonomy)
+          .join_translation_table(Taxonomy)
+          .where(
             Taxonomy.arel_table_alias[:name].lower.matches(taxonomy_name.downcase.strip)
           )
       else
@@ -110,7 +112,7 @@ module Spree
       end
     end
 
-    scope :with_matching_name, ->(name_to_match) do
+    scope :with_matching_name, lambda { |name_to_match|
       value = name_to_match.to_s.strip.downcase
 
       if Spree.use_translations?
@@ -118,13 +120,14 @@ module Spree
       else
         where(arel_table[:name].lower.eq(value))
       end
-    end
+    }
 
     #
     #  Ransack
     #
-    self.whitelisted_ransackable_associations = %w[taxonomy]
-    self.whitelisted_ransackable_attributes = %w[name permalink automatic]
+    self.whitelisted_ransackable_associations = %w[taxonomy parent]
+    self.whitelisted_ransackable_attributes = %w[name permalink automatic depth is_root children_count
+                                                 classification_count hide_from_nav parent_id]
 
     #
     # Translations
@@ -142,7 +145,9 @@ module Spree
     validates :sort_order, inclusion: { in: SORT_ORDERS }, presence: true
 
     has_many :taxon_rules, class_name: 'Spree::TaxonRule', dependent: :destroy
-    accepts_nested_attributes_for :taxon_rules, allow_destroy: true, reject_if: proc { |attributes| attributes['value'].blank? }
+    accepts_nested_attributes_for :taxon_rules, allow_destroy: true, reject_if: proc { |attributes|
+      attributes['value'].blank?
+    }
     alias rules taxon_rules
 
     scope :manual, -> { where.not(automatic: true) }
@@ -160,14 +165,14 @@ module Spree
     end
 
     def active_products_with_descendants
-      @active_products_with_descendants ||= store.products.
-                                            joins(:classifications).
-                                            active.
-                                            where(
-                                              Spree::Classification.table_name => {
-                                                taxon_id: descendants.ids + [id]
-                                              }
-                                            )
+      @active_products_with_descendants ||= store.products
+                                                 .joins(:classifications)
+                                                 .active
+                                                 .where(
+                                                   Spree::Classification.table_name => {
+                                                     taxon_id: descendants.ids + [id]
+                                                   }
+                                                 )
     end
 
     def products_matching_rules(opts = {})
@@ -209,10 +214,10 @@ module Spree
     # so we can later use them for product filtering and so on
     # if we want to fire the service once during object lifecycle - pass only_once: true
     def regenerate_taxon_products(only_once: false)
-      if marked_for_regenerate_taxon_products?
-        Spree::Taxons::RegenerateProducts.call(taxon: self)
-        self.marked_for_regenerate_taxon_products = false if !frozen? && only_once
-      end
+      return unless marked_for_regenerate_taxon_products?
+
+      Spree::Taxons::RegenerateProducts.call(taxon: self)
+      self.marked_for_regenerate_taxon_products = false if !frozen? && only_once
     end
 
     def slug
@@ -283,7 +288,8 @@ module Spree
       end
 
       def generate_permalink_including_parent
-        [parent_permalink_with_fallback, (permalink.blank? ? name_with_fallback.to_url : permalink.split('/').last.to_url)].join('/')
+        [parent_permalink_with_fallback,
+         (permalink.blank? ? name_with_fallback.to_url : permalink.split('/').last.to_url)].join('/')
       end
 
       def generate_pretty_name_including_parent
@@ -384,11 +390,10 @@ module Spree
     end
 
     def sync_taxonomy_name
-      if saved_changes.key?(:name) && root?
-        return if taxonomy.name.to_s == name.to_s
+      return unless saved_changes.key?(:name) && root?
+      return if taxonomy.name.to_s == name.to_s
 
-        taxonomy.update(name: name)
-      end
+      taxonomy.update(name: name)
     end
 
     def touch_ancestors_and_taxonomy
@@ -399,15 +404,15 @@ module Spree
     end
 
     def check_for_root
-      if taxonomy.try(:root).present? && parent_id.nil?
-        errors.add(:root_conflict, 'this taxonomy already has a root taxon')
-      end
+      return unless taxonomy.try(:root).present? && parent_id.nil?
+
+      errors.add(:root_conflict, 'this taxonomy already has a root taxon')
     end
 
     def parent_belongs_to_same_taxonomy
-      if parent.present? && parent.taxonomy_id != taxonomy_id
-        errors.add(:parent, 'must belong to the same taxonomy')
-      end
+      return unless parent.present? && parent.taxonomy_id != taxonomy_id
+
+      errors.add(:parent, 'must belong to the same taxonomy')
     end
 
     def copy_taxonomy_from_parent

data/app/models/spree/variant.rb

@@ -103,7 +103,7 @@ module Spree
     scope :not_discontinued, lambda {
       where(
         arel_table[:discontinue_on].eq(nil).or(
-          arel_table[:discontinue_on].gteq(Time.current)
+          arel_table[:discontinue_on].gteq(Time.current.beginning_of_minute)
         )
       )
     }

data/app/models/spree/webhook_endpoint.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require 'ssrf_filter'
+require 'resolv'
+
 module Spree
   class WebhookEndpoint < Spree.base_class
     has_prefix_id :whe  # Stripe: we_
@@ -8,12 +11,15 @@ module Spree
 
     include Spree::SingleStoreResource
 
+    encrypts :secret_key, deterministic: true if Rails.configuration.active_record.encryption.include?(:primary_key)
+
     belongs_to :store, class_name: 'Spree::Store'
     has_many :webhook_deliveries, class_name: 'Spree::WebhookDelivery', dependent: :destroy_async
 
     validates :store, :url, presence: true
     validates :url, format: { with: URI::DEFAULT_PARSER.make_regexp(%w[http https]), message: :invalid_url }
     validates :active, inclusion: { in: [true, false] }
+    validate :url_must_not_resolve_to_private_ip, if: -> { url.present? && url_changed? }
 
     before_create :generate_secret_key
 
@@ -51,5 +57,16 @@ module Spree
     def generate_secret_key
       self.secret_key ||= SecureRandom.hex(32)
     end
+
+    def url_must_not_resolve_to_private_ip
+      uri = URI.parse(url)
+      blacklist = SsrfFilter::IPV4_BLACKLIST + SsrfFilter::IPV6_BLACKLIST
+      addresses = Resolv.getaddresses(uri.host)
+      if addresses.any? { |addr| blacklist.any? { |range| range.include?(IPAddr.new(addr)) } }
+        errors.add(:url, :internal_address_not_allowed)
+      end
+    rescue URI::InvalidURIError, Resolv::ResolvError, IPAddr::InvalidAddressError, ArgumentError
+      # URI format validation handles invalid URLs; DNS failures are not SSRF
+    end
   end
 end

data/app/models/spree/zone.rb

@@ -52,15 +52,27 @@ module Spree
 
     # Returns the matching zone with the highest priority zone type (State, Country, Zone.)
     # Returns nil in the case of no matches.
-    def self.match(address)
-      return unless address &&
-        matches = includes(:zone_members).
-                    order('spree_zones.zone_members_count', 'spree_zones.created_at').
-                    where("(spree_zone_members.zoneable_type = 'Spree::Country' AND " \
-                          'spree_zone_members.zoneable_id = ?) OR ' \
-                          "(spree_zone_members.zoneable_type = 'Spree::State' AND " \
-                          'spree_zone_members.zoneable_id = ?)', address.country_id, address.state_id).
-                    references(:zones)
+    # Accepts either an address (with country_id/state_id) or a Spree::Country directly.
+    def self.match(address_or_country)
+      return unless address_or_country
+
+      if address_or_country.is_a?(Spree::Country)
+        country_id = address_or_country.id
+        state_id = nil
+      else
+        country_id = address_or_country.country_id
+        state_id = address_or_country.state_id
+      end
+
+      matches = includes(:zone_members).
+                  order('spree_zones.zone_members_count', 'spree_zones.created_at').
+                  where("(spree_zone_members.zoneable_type = 'Spree::Country' AND " \
+                        'spree_zone_members.zoneable_id = ?) OR ' \
+                        "(spree_zone_members.zoneable_type = 'Spree::State' AND " \
+                        'spree_zone_members.zoneable_id = ?)', country_id, state_id).
+                  references(:zones)
+
+      return if matches.empty?
 
       %w[state country].each do |zone_kind|
         if match = matches.detect { |zone| zone_kind == zone.kind }

data/app/presenters/spree/csv/coupon_code_presenter.rb

@@ -0,0 +1,31 @@
+module Spree
+  module CSV
+    class CouponCodePresenter
+      HEADERS = [
+        'Code',
+        'State',
+        'Promotion Name',
+        'Order Number',
+        'Created At',
+        'Updated At'
+      ].freeze
+
+      def initialize(coupon_code)
+        @coupon_code = coupon_code
+      end
+
+      attr_accessor :coupon_code
+
+      def call
+        [
+          coupon_code.display_code,
+          coupon_code.state,
+          coupon_code.promotion&.name,
+          coupon_code.order&.number,
+          coupon_code.created_at&.strftime('%Y-%m-%d %H:%M:%S'),
+          coupon_code.updated_at&.strftime('%Y-%m-%d %H:%M:%S')
+        ]
+      end
+    end
+  end
+end

data/app/services/spree/cart/create.rb

@@ -10,9 +10,11 @@ module Spree
       # @param public_metadata [Hash] public metadata for the order
       # @param private_metadata [Hash] private metadata for the order
       # @param order_params [Hash] additional order attributes
+      # @param line_items [Array<Hash>] line items to add, each with :variant_id (prefixed) and :quantity
       # @return [Spree::ServiceModule::Result]
-      def call(user:, store:, currency:, locale: nil, metadata: {}, public_metadata: {}, private_metadata: {}, order_params: {})
+      def call(user:, store:, currency:, locale: nil, metadata: {}, public_metadata: {}, private_metadata: {}, order_params: {}, line_items: [])
         order_params ||= {}
+        line_items ||= []
 
         # we cannot create an order without store
         return failure(:store_is_required) if store.nil?
@@ -28,8 +30,22 @@ module Spree
           private_metadata: resolved_metadata.to_h
         }
 
-        order = store.orders.create!(default_params.merge(order_params))
+        order = nil
+
+        ApplicationRecord.transaction do
+          order = store.orders.create!(default_params.merge(order_params))
+
+          if line_items.present?
+            result = Spree.cart_upsert_items_service.call(order: order, line_items: line_items)
+            raise StandardError, result.error.to_s if result.failure?
+          end
+        end
+
         success(order)
+      rescue ActiveRecord::RecordNotFound
+        raise
+      rescue StandardError => e
+        failure(order, e.message)
       end
     end
   end

data/app/services/spree/cart/upsert_items.rb

@@ -0,0 +1,80 @@
+module Spree
+  module Cart
+    # Bulk upsert line items on an order.
+    #
+    # For each entry in +line_items+:
+    # - If a line item for the variant already exists → sets its quantity
+    # - If no line item exists → creates one with the given quantity
+    #
+    # After all items are processed the order is recalculated once.
+    #
+    # Price calculation and tax adjustments are handled by LineItem model callbacks
+    # (copy_price, update_adjustments, update_tax_charge), so we only need to
+    # save each item and run a single order recalculation at the end.
+    #
+    # @example
+    #   Spree::Cart::UpsertItems.call(
+    #     order: order,
+    #     line_items: [
+    #       { variant_id: "variant_k5nR8xLq", quantity: 2 },
+    #       { variant_id: "variant_m3Rp9wXz", quantity: 1 }
+    #     ]
+    #   )
+    #
+    class UpsertItems
+      prepend Spree::ServiceModule::Base
+
+      def call(order:, line_items:)
+        line_items = Array(line_items)
+        return success(order) if line_items.empty?
+
+        store = order.store || Spree::Current.store
+
+        ApplicationRecord.transaction do
+          line_items.each do |item_params|
+            item_params = item_params.to_h.deep_symbolize_keys
+            variant = resolve_variant(store, item_params[:variant_id])
+            next unless variant
+
+            quantity = (item_params[:quantity] || 1).to_i
+
+            return failure(variant, "#{variant.name} is not available in #{order.currency}") if variant.amount_in(order.currency).nil?
+
+            line_item = Spree.line_item_by_variant_finder.new.execute(order: order, variant: variant)
+
+            if line_item
+              line_item.quantity = quantity
+              line_item.metadata = line_item.metadata.merge(item_params[:metadata].to_h) if item_params[:metadata].present?
+            else
+              line_item = order.line_items.new(quantity: quantity, variant: variant, options: { currency: order.currency })
+              line_item.metadata = item_params[:metadata].to_h if item_params[:metadata].present?
+            end
+
+            return failure(line_item) unless line_item.save
+          end
+
+          order.update_with_updater!
+        end
+
+        success(order)
+      end
+
+      private
+
+      def resolve_variant(store, prefixed_id)
+        return nil if prefixed_id.blank?
+
+        variant = store.variants.find_by_prefix_id(prefixed_id)
+
+        raise ActiveRecord::RecordNotFound.new(
+          "Variant '#{prefixed_id}' not found in this store",
+          'Spree::Variant',
+          'prefix_id',
+          prefixed_id
+        ) unless variant
+
+        variant
+      end
+    end
+  end
+end