spree_core 5.4.0.beta3 → 5.4.0.beta5

data/app/services/spree/gift_cards/apply.rb

@@ -25,15 +25,16 @@ module Spree
           return failure(:gift_card_mismatched_customer) if gift_card.user != order.user
         end
 
-        amount = [gift_card.amount_remaining, order.total].min
         store = order.store
 
-        return failure(:gift_card_no_amount_remaining) unless amount.positive? || order.total.zero?
-
         payment_method = ensure_store_credit_payment_method!(store)
 
-        gift_card.lock!
         order.with_lock do
+          gift_card.lock!
+          amount = [gift_card.amount_remaining, order.total].min
+
+          return failure(:gift_card_no_amount_remaining) unless amount.positive? || order.total.zero?
+
           store_credit = gift_card.store_credits.create!(
             store: store,
             user: order.user,

data/app/services/spree/orders/update.rb

@@ -0,0 +1,121 @@
+module Spree
+  module Orders
+    # Core order update service with modern conventions:
+    # - Flat parameter structure (no wrapping in "order" key)
+    # - snake_case field names without "_attributes" suffix
+    # - Automatic state management based on what's being updated
+    # - Support for line_items with prefixed variant IDs
+    #
+    # @example Update order with line items
+    #   Spree::Orders::Update.call(
+    #     order: order,
+    #     params: {
+    #       email: "customer@example.com",
+    #       line_items: [
+    #         { variant_id: "variant_123", quantity: 2 },
+    #         { variant_id: "variant_456", quantity: 1 }
+    #       ],
+    #       ship_address: {
+    #         firstname: "John",
+    #         lastname: "Doe",
+    #         address1: "123 Main St",
+    #         city: "New York",
+    #         zipcode: "10001",
+    #         country_iso: "US",
+    #         state_abbr: "NY"
+    #       }
+    #     }
+    #   )
+    #
+    class Update
+      prepend Spree::ServiceModule::Base
+
+      def call(order:, params:)
+        @order = order
+        @params = params.to_h.deep_symbolize_keys
+
+        ApplicationRecord.transaction do
+          assign_order_attributes
+          assign_address(:ship_address)
+          assign_address(:bill_address)
+
+          order.save!
+
+          process_line_items
+        end
+
+        success(order.reload)
+      rescue ActiveRecord::RecordNotFound
+        raise
+      rescue ActiveRecord::RecordInvalid => e
+        failure(order, e.record.errors.full_messages.to_sentence)
+      rescue StandardError => e
+        failure(order, e.message)
+      end
+
+      private
+
+      attr_reader :order, :params
+
+      def assign_order_attributes
+        order.email = params[:email] if params[:email].present?
+        order.special_instructions = params[:special_instructions] if params.key?(:special_instructions)
+        order.currency = params[:currency].upcase if params[:currency].present?
+        order.locale = params[:locale] if params[:locale].present?
+        order.metadata = order.metadata.merge(params[:metadata].to_h) if params[:metadata].present?
+      end
+
+      def assign_address(address_type)
+        address_id_param = params[:"#{address_type}_id"]
+        address_params = params[address_type]
+
+        # Priority 1: Direct address ID reference (ship_address_id / bill_address_id)
+        if address_id_param.present?
+          address_id = resolve_address_id(address_id_param)
+          order.public_send(:"#{address_type}_id=", address_id) if address_id
+          return
+        end
+
+        # Priority 2: Nested address params (ship_address / bill_address)
+        return unless address_params.is_a?(Hash)
+
+        if address_params[:id].present?
+          # Using existing address by ID within nested params
+          address_id = resolve_address_id(address_params[:id])
+          order.public_send(:"#{address_type}_id=", address_id) if address_id
+        else
+          # Creating/updating address with provided attributes
+          revert_to_address_state if order.has_checkout_step?('address')
+          order.public_send(:"#{address_type}_attributes=", address_params)
+        end
+      end
+
+      def process_line_items
+        return unless params[:line_items].is_a?(Array)
+
+        result = Spree.cart_upsert_items_service.call(
+          order: order,
+          line_items: params[:line_items]
+        )
+
+        raise StandardError, result.error.to_s if result.failure?
+      end
+
+      # Translate prefixed ID to internal id
+      def resolve_address_id(prefixed_id)
+        return unless order.user
+
+        decoded = Spree::Address.decode_prefixed_id(prefixed_id)
+        decoded ? order.user.addresses.find_by(id: decoded)&.id : nil
+      end
+
+      # Revert order state to 'address' when address changes
+      # This ensures shipments are recreated when transitioning back to delivery
+      def revert_to_address_state
+        return if ['cart', 'address'].include?(order.state)
+
+        order.state = 'address'
+      end
+    end
+  end
+end

data/config/locales/en.yml

@@ -363,6 +363,10 @@ en:
               cannot_destroy_if_attached_to_line_items: Cannot delete Variants that are added to placed Orders. In such cases, please discontinue them.
               must_supply_price_for_variant_or_master: Must supply price for variant or master price for product.
               no_master_variant_found_to_infer_price: No master variant found to infer price
+        spree/webhook_endpoint:
+          attributes:
+            url:
+              internal_address_not_allowed: must not point to an internal or private network address
         spree/wished_item:
           attributes:
             variant:
@@ -1231,6 +1235,7 @@ en:
       this_file_language: English (US)
       translations: Translations
     icon: Icon
+    idempotency_key_reused: This Idempotency-Key has already been used with different request parameters.
     image: Image
     image_alt_text: Add Alt text to your image
     images: Images

data/lib/spree/core/configuration.rb

@@ -47,6 +47,7 @@ module Spree
       preference :expedited_exchanges_days_window, :integer, default: 14 # the amount of days the customer has to return their item after the expedited exchange is shipped in order to avoid being charged
       preference :geocode_addresses, :boolean, default: true
       preference :images_save_from_url_job_attempts, :integer, default: 5
+      preference :max_image_download_size, :integer, default: 20_971_520 # 20 MB in bytes
 
       # Preprocessed product image variant sizes at 2x retina resolution.
       # These variants are generated on upload to reduce runtime processing.

data/lib/spree/core/controller_helpers/strong_parameters.rb

@@ -39,7 +39,7 @@ module Spree
         end
 
         def permitted_store_attributes
-          permitted_attributes.store_attributes + Spree::Store::SUPPORTED_SOCIAL_NETWORKS.map { |social| "store_#{social}" }
+          permitted_attributes.store_attributes
         end
       end
     end

data/lib/spree/core/dependencies.rb

@@ -16,6 +16,7 @@ module Spree
         cart_remove_item_service: 'Spree::Cart::RemoveItem',
         cart_remove_line_item_service: 'Spree::Cart::RemoveLineItem',
         cart_set_item_quantity_service: 'Spree::Cart::SetQuantity',
+        cart_upsert_items_service: 'Spree::Cart::UpsertItems',
         cart_estimate_shipping_rates_service: 'Spree::Cart::EstimateShippingRates',
         cart_empty_service: 'Spree::Cart::Empty',
         cart_destroy_service: 'Spree::Cart::Destroy',
@@ -41,6 +42,7 @@ module Spree
         # order
         order_approve_service: 'Spree::Orders::Approve',
         order_cancel_service: 'Spree::Orders::Cancel',
+        order_update_service: 'Spree::Orders::Update',
         order_updater: 'Spree::OrderUpdater',
 
         # shipment

data/lib/spree/core/engine.rb

@@ -180,7 +180,8 @@ module Spree
           Spree::Exports::Orders,
           Spree::Exports::Customers,
           Spree::Exports::GiftCards,
-          Spree::Exports::NewsletterSubscribers
+          Spree::Exports::NewsletterSubscribers,
+          Spree::Exports::CouponCodes
         ]
 
         Rails.application.config.spree.import_types = [

data/lib/spree/core/version.rb

@@ -1,5 +1,5 @@
 module Spree
-  VERSION = '5.4.0.beta3'.freeze
+  VERSION = '5.4.0.beta5'.freeze
 
   def self.version
     VERSION

data/lib/spree/permitted_attributes.rb

@@ -266,15 +266,13 @@ module Spree
                           :meta_description, :default_currency, :default_country_iso, :mail_from_address,
                           :customer_support_email, :description, :address, :contact_phone,
                           :supported_locales, :default_locale, :supported_currencies,
-                          :new_order_notifications_email, :seo_robots,
+                          :new_order_notifications_email,
                           :preferred_admin_locale, :preferred_timezone, :preferred_weight_unit, :preferred_unit_system,
                           :preferred_digital_asset_authorized_clicks, :preferred_digital_asset_authorized_days,
                           :preferred_limit_digital_download_count, :preferred_limit_digital_download_days,
                           :preferred_digital_asset_link_expire_time,
-                          :logo, :mailer_logo, :social_logo, :favicon_image,
-                          :checkout_message, :preferred_guest_checkout,
-                          :customer_terms_of_service, :customer_privacy_policy,
-                          :customer_returns_policy, :customer_shipping_policy]
+                          :logo, :mailer_logo,
+                          :preferred_guest_checkout]
 
     @@store_credit_attributes = %i[amount currency category_id memo]
 

data/lib/spree/testing_support/factories/store_factory.rb

@@ -14,14 +14,5 @@ FactoryBot.define do
     instagram              { 'spreecommerce' }
     meta_description       { 'Sample store description.' }
 
-    trait :with_favicon do
-      after(:build) do |store|
-        store.favicon_image.attach(
-          io: File.open(Spree::Core::Engine.root.join('spec', 'fixtures', 'thinking-cat.jpg')),
-          filename: 'thinking-cat.jpg',
-          content_type: 'image/jpeg'
-        )
-      end
-    end
   end
 end

data/lib/spree_core.rb

@@ -1,6 +1,5 @@
 require 'friendly_id/paranoia'
 require 'friendly_id/history_decorator'
 require 'mobility/plugins/store_based_fallbacks'
-require 'normalize_string'
 
 require 'spree/core'

data/lib/tasks/core.rake

@@ -8,34 +8,6 @@ namespace :db do
     end
   end
 
-  desc 'Migrate policies to store policies'
-  task migrate_policies: :environment do |_t, _args|
-    # Helper to consistently derive policy name
-    derive_policy_name = lambda do |name_str|
-      name_str.to_s.gsub(/customer_/, '').gsub(/_policy$/, '')
-    end
-
-    # Check if migration has already been run
-    if Spree::Policy.any?
-      puts "Policies already exist. Skipping migration to prevent duplicates."
-      exit
-    end
-
-    Spree::Store.all.each do |store|
-      %w[customer_terms_of_service customer_privacy_policy customer_returns_policy customer_shipping_policy].each do |policy_slug|
-        policy = store.send(policy_slug)
-        next unless policy.present?
-
-        store.policies.create(
-          name: Spree.t(derive_policy_name.call(policy_slug)),
-          body: policy.body
-        )
-
-        puts "Migrated #{policy_slug} to store #{store.id}"
-      end
-    end
-  end
-
 end
 
 namespace :core do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_core
 version: !ruby/object:Gem::Version
-  version: 5.4.0.beta3
+  version: 5.4.0.beta5
 platform: ruby
 authors:
 - Sean Schofield
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-03-02 00:00:00.000000000 Z
+date: 2026-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n-tasks
@@ -490,20 +490,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: any_ascii
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.3.2
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.3.2
 - !ruby/object:Gem::Dependency
   name: safely_block
   requirement: !ruby/object:Gem::Requirement
@@ -574,6 +560,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: ssrf_filter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: Spree Models, Helpers, Services and core libraries
 email: hello@spreecommerce.org
 executables: []
@@ -879,7 +879,6 @@ files:
 - app/models/concerns/spree/store_scoped_resource.rb
 - app/models/concerns/spree/stores/markets.rb
 - app/models/concerns/spree/stores/setup.rb
-- app/models/concerns/spree/stores/socials.rb
 - app/models/concerns/spree/translatable_resource.rb
 - app/models/concerns/spree/translatable_resource_scopes.rb
 - app/models/concerns/spree/translatable_resource_slug.rb
@@ -922,6 +921,7 @@ files:
 - app/models/spree/calculator/shipping/price_sack.rb
 - app/models/spree/calculator/tiered_flat_rate.rb
 - app/models/spree/calculator/tiered_percent.rb
+- app/models/spree/category.rb
 - app/models/spree/classification.rb
 - app/models/spree/country.rb
 - app/models/spree/coupon_code.rb
@@ -935,6 +935,7 @@ files:
 - app/models/spree/event.rb
 - app/models/spree/exchange.rb
 - app/models/spree/export.rb
+- app/models/spree/exports/coupon_codes.rb
 - app/models/spree/exports/customers.rb
 - app/models/spree/exports/gift_cards.rb
 - app/models/spree/exports/newsletter_subscribers.rb
@@ -1165,6 +1166,7 @@ files:
 - app/models/spree/zone.rb
 - app/models/spree/zone_member.rb
 - app/paginators/spree/shared/paginate.rb
+- app/presenters/spree/csv/coupon_code_presenter.rb
 - app/presenters/spree/csv/customer_presenter.rb
 - app/presenters/spree/csv/gift_card_presenter.rb
 - app/presenters/spree/csv/metafields_helper.rb
@@ -1199,6 +1201,7 @@ files:
 - app/services/spree/cart/remove_out_of_stock_items.rb
 - app/services/spree/cart/set_quantity.rb
 - app/services/spree/cart/update.rb
+- app/services/spree/cart/upsert_items.rb
 - app/services/spree/checkout/add_store_credit.rb
 - app/services/spree/checkout/advance.rb
 - app/services/spree/checkout/complete.rb
@@ -1230,6 +1233,7 @@ files:
 - app/services/spree/orders/approve.rb
 - app/services/spree/orders/cancel.rb
 - app/services/spree/orders/create_user_account.rb
+- app/services/spree/orders/update.rb
 - app/services/spree/orders/update_contact_information.rb
 - app/services/spree/payments/create.rb
 - app/services/spree/products/auto_match_taxons.rb
@@ -1463,7 +1467,6 @@ files:
 - lib/generators/spree/model_decorator/model_decorator_generator.rb
 - lib/generators/spree/model_decorator/templates/model_decorator.rb.tt
 - lib/mobility/plugins/store_based_fallbacks.rb
-- lib/normalize_string.rb
 - lib/spree/analytics.rb
 - lib/spree/core.rb
 - lib/spree/core/components.rb
@@ -1653,9 +1656,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.beta3
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.4.0.beta5
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.beta3
+  source_code_uri: https://github.com/spree/spree/tree/v5.4.0.beta5
 post_install_message:
 rdoc_options: []
 require_paths:

data/app/models/concerns/spree/stores/socials.rb

@@ -1,72 +0,0 @@
-module Spree
-  module Stores
-    module Socials
-      extend ActiveSupport::Concern
-
-      SUPPORTED_SOCIAL_NETWORKS = %w[instagram facebook twitter pinterest tiktok youtube spotify discord].freeze
-
-      SOCIAL_NETWORKS_CONFIG = {
-        twitter: {
-          input_placeholder: 'https://twitter.com/your_handle',
-          profile_link: 'https://twitter.com/your_handle'
-        },
-        instagram: {
-          input_placeholder: 'https://www.instagram.com/your_handle',
-          profile_link: 'https://www.instagram.com/your_handle'
-        },
-        facebook: {
-          input_placeholder: 'https://www.facebook.com/your_page',
-          profile_link: 'https://www.facebook.com/your_page'
-        },
-        youtube: {
-          input_placeholder: 'https://www.youtube.com/@your_channel',
-          profile_link: 'https://www.youtube.com/@your_channel'
-        },
-        pinterest: {
-          input_placeholder: 'https://pinterest.com/your_handle',
-          profile_link: 'https://pinterest.com/your_handle'
-        },
-        tiktok: {
-          input_placeholder: 'your_handle',
-          profile_link: 'https://www.tiktok.com/@your_handle'
-        },
-        spotify: {
-          input_placeholder: 'https://open.spotify.com/user/your_handle',
-          profile_link: 'https://open.spotify.com/user/your_handle'
-        },
-        discord: {
-          input_placeholder: 'https://discord.com/invite/your_handle',
-          profile_link: 'https://discord.com/invite/your_handle'
-        }
-      }.freeze
-
-      included do
-        # generate methods for social links
-        SUPPORTED_SOCIAL_NETWORKS.each do |social|
-          # store the social handle in the public metadata
-          store_accessor :public_metadata, social
-
-          define_method "#{social}_link" do
-            return if send(social).blank?
-
-            send(social).match(/http/) ? send(social) : SOCIAL_NETWORKS_CONFIG[social.to_sym][:profile_link].gsub(/your_handle|your_page|your_channel/, send(social).sub(/^\//, '').sub(/^@/, ''))
-          end
-
-          define_method "#{social}_handle" do
-            return if send(social).blank?
-
-            (send(social).match(/http/) ? send(social).split('/').last : send(social)).sub(/^\//, '').gsub('@', '').split('?').first
-          end
-        end
-      end
-
-      def social_handle
-        @social_handle ||= instagram_handle || youtube_handle || tiktok_handle
-      end
-
-      def social_links
-        @social_links ||= [instagram_link, facebook_link, twitter_link, pinterest_link, youtube_link, tiktok_link, spotify_link, discord_link].compact_blank
-      end
-    end
-  end
-end

data/lib/normalize_string.rb

@@ -1,18 +0,0 @@
-require 'any_ascii'
-
-module NormalizeString
-  def self.normalize(string)
-    return unless string.present?
-
-    AnyAscii.transliterate(string)
-  end
-
-  def self.remove_emoji_and_normalize(string, keep_emoji_when_empty: false)
-    return unless string.present?
-
-    result = AnyAscii.transliterate(string.gsub(/\p{So}/, ''))
-    return result if result.present? || !keep_emoji_when_empty
-
-    normalize(string)
-  end
-end