RubyGems - spree_core - Versions diffs - 5.4.2 → 5.5.0.rc1 - Mend

spree_core 5.4.2 → 5.5.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (248) hide show

checksums.yaml +4 -4
data/app/helpers/spree/base_helper.rb +0 -82
data/app/helpers/spree/currency_helper.rb +0 -12
data/app/helpers/spree/products_helper.rb +0 -8
data/app/jobs/spree/base_job.rb +18 -0
data/app/jobs/spree/events/subscriber_job.rb +3 -2
data/app/jobs/spree/exports/generate_job.rb +11 -0
data/app/jobs/spree/images/save_from_url_job.rb +23 -8
data/app/jobs/spree/imports/assign_tags_job.rb +11 -0
data/app/jobs/spree/imports/base_job.rb +15 -0
data/app/jobs/spree/imports/create_categories_job.rb +37 -0
data/app/jobs/spree/imports/create_rows_job.rb +1 -3
data/app/jobs/spree/imports/process_group_job.rb +8 -6
data/app/jobs/spree/imports/process_rows_job.rb +1 -3
data/app/jobs/spree/media/migrate_product_assets_job.rb +83 -0
data/app/jobs/spree/products/refresh_metrics_job.rb +15 -4
data/app/jobs/spree/reports/generate_job.rb +11 -0
data/app/jobs/spree/search_provider/index_job.rb +5 -1
data/app/jobs/spree/search_provider/remove_job.rb +4 -0
data/app/jobs/spree/stock_reservations/expire_job.rb +11 -0
data/app/models/concerns/spree/calculated_adjustments.rb +34 -1
data/app/models/concerns/spree/display_on.rb +31 -0
data/app/models/concerns/spree/metafields.rb +167 -5
data/app/models/concerns/spree/preference_schema.rb +191 -0
data/app/models/concerns/spree/prefixed_id.rb +94 -11
data/app/models/concerns/spree/product_scopes.rb +36 -17
data/app/models/concerns/spree/publishable.rb +1 -1
data/app/models/concerns/spree/ransackable_attributes.rb +5 -1
data/app/models/concerns/spree/search_indexable.rb +8 -7
data/app/models/concerns/spree/searchable.rb +11 -2
data/app/models/concerns/spree/stores/channels.rb +20 -0
data/app/models/concerns/spree/stores/markets.rb +21 -5
data/app/models/concerns/spree/typed_associations.rb +120 -0
data/app/models/concerns/spree/user_methods.rb +71 -12
data/app/models/spree/ability.rb +4 -117
data/app/models/spree/api_key.rb +53 -0
data/app/models/spree/asset.rb +37 -14
data/app/models/spree/authentication/strategy_registry.rb +72 -0
data/app/models/spree/base.rb +18 -1
data/app/models/spree/channel.rb +159 -0
data/app/models/spree/country.rb +2 -0
data/app/models/spree/current.rb +5 -1
data/app/models/spree/custom_field.rb +9 -0
data/app/models/spree/custom_field_definition.rb +7 -0
data/app/models/spree/customer_group.rb +8 -2
data/app/models/spree/event.rb +6 -6
data/app/models/spree/export.rb +32 -5
data/app/models/spree/exports/product_translations.rb +1 -1
data/app/models/spree/gateway/bogus.rb +6 -1
data/app/models/spree/gateway.rb +25 -0
data/app/models/spree/gift_card.rb +1 -1
data/app/models/spree/gift_card_batch.rb +4 -1
data/app/models/spree/import.rb +5 -0
data/app/models/spree/import_row.rb +12 -0
data/app/models/spree/line_item.rb +7 -2
data/app/models/spree/market.rb +57 -1
data/app/models/spree/metafield.rb +38 -0
data/app/models/spree/metafield_definition.rb +29 -6
data/app/models/spree/metafields/json.rb +10 -0
data/app/models/spree/newsletter_subscriber.rb +19 -3
data/app/models/spree/option_type.rb +48 -7
data/app/models/spree/order/checkout.rb +3 -3
data/app/models/spree/order.rb +102 -6
data/app/models/spree/order_approval.rb +19 -0
data/app/models/spree/order_cancellation.rb +19 -0
data/app/models/spree/order_inventory.rb +24 -2
data/app/models/spree/order_routing/has_strategy_preference.rb +28 -0
data/app/models/spree/order_routing/rules/default_location.rb +16 -0
data/app/models/spree/order_routing/rules/minimize_splits.rb +45 -0
data/app/models/spree/order_routing/rules/preferred_location.rb +22 -0
data/app/models/spree/order_routing/strategy/base.rb +47 -0
data/app/models/spree/order_routing/strategy/legacy.rb +33 -0
data/app/models/spree/order_routing/strategy/reducer.rb +68 -0
data/app/models/spree/order_routing/strategy/rules.rb +81 -0
data/app/models/spree/order_routing_rule.rb +75 -0
data/app/models/spree/payment_setup_sessions/bogus.rb +4 -0
data/app/models/spree/permission_sets/configuration_management.rb +16 -0
data/app/models/spree/permission_sets/product_display.rb +2 -0
data/app/models/spree/permission_sets/product_management.rb +2 -0
data/app/models/spree/price.rb +14 -1
data/app/models/spree/price_list.rb +129 -17
data/app/models/spree/price_rule.rb +11 -1
data/app/models/spree/price_rules/customer_group_rule.rb +15 -1
data/app/models/spree/price_rules/market_rule.rb +16 -1
data/app/models/spree/price_rules/user_rule.rb +21 -2
data/app/models/spree/product/channels.rb +149 -0
data/app/models/spree/product/legacy_multi_store_support.rb +40 -0
data/app/models/spree/product/slugs.rb +1 -1
data/app/models/spree/product.rb +172 -31
data/app/models/spree/product_publication.rb +43 -0
data/app/models/spree/promotion/actions/create_adjustment.rb +4 -0
data/app/models/spree/promotion/actions/create_item_adjustments.rb +4 -0
data/app/models/spree/promotion/actions/create_line_items.rb +32 -14
data/app/models/spree/promotion/rules/country.rb +40 -18
data/app/models/spree/promotion/rules/customer_group.rb +10 -1
data/app/models/spree/promotion/rules/product.rb +4 -0
data/app/models/spree/promotion/rules/taxon.rb +24 -1
data/app/models/spree/promotion/rules/user.rb +21 -0
data/app/models/spree/promotion/rules/user_logged_in.rb +6 -0
data/app/models/spree/promotion.rb +22 -1
data/app/models/spree/promotion_action.rb +17 -11
data/app/models/spree/promotion_rule.rb +17 -18
data/app/models/spree/search_provider/meilisearch.rb +12 -2
data/app/models/spree/shipment.rb +10 -4
data/app/models/spree/stock/availability_validator.rb +1 -1
data/app/models/spree/stock/quantifier.rb +89 -9
data/app/models/spree/stock_item.rb +36 -0
data/app/models/spree/stock_location.rb +52 -0
data/app/models/spree/stock_reservation.rb +38 -0
data/app/models/spree/stock_reservations/insufficient_stock_error.rb +12 -0
data/app/models/spree/store.rb +18 -72
data/app/models/spree/store_credit.rb +0 -8
data/app/models/spree/store_product.rb +11 -23
data/app/models/spree/subscriber.rb +12 -12
data/app/models/spree/taxon.rb +0 -5
data/app/models/spree/user_identity.rb +1 -2
data/app/models/spree/variant.rb +132 -18
data/app/models/spree/variant_media.rb +46 -0
data/app/models/spree/webhook_delivery.rb +1 -1
data/app/models/spree/webhook_endpoint.rb +24 -0
data/app/models/spree/wished_item.rb +0 -13
data/app/presenters/spree/csv/formula_sanitizer.rb +28 -0
data/app/presenters/spree/csv/product_variant_presenter.rb +23 -3
data/app/presenters/spree/search_provider/product_presenter.rb +11 -4
data/app/presenters/spree/variant_presenter.rb +4 -3
data/app/services/spree/addresses/update.rb +6 -8
data/app/services/spree/cart/add_item.rb +10 -0
data/app/services/spree/cart/empty.rb +2 -0
data/app/services/spree/cart/remove_line_item.rb +10 -0
data/app/services/spree/cart/remove_out_of_stock_items.rb +1 -1
data/app/services/spree/cart/set_quantity.rb +10 -0
data/app/services/spree/carts/complete.rb +1 -0
data/app/services/spree/carts/create.rb +1 -0
data/app/services/spree/carts/update.rb +18 -2
data/app/services/spree/carts/upsert_items.rb +6 -6
data/app/services/spree/credit_cards/destroy.rb +1 -1
data/app/services/spree/imports/row_processors/customer.rb +4 -1
data/app/services/spree/imports/row_processors/product_variant.rb +95 -57
data/app/services/spree/newsletter/link_user.rb +53 -0
data/app/services/spree/newsletter/subscribe.rb +31 -9
data/app/services/spree/orders/approve.rb +27 -6
data/app/services/spree/orders/build_shipments.rb +29 -0
data/app/services/spree/orders/cancel.rb +34 -3
data/app/services/spree/orders/complete.rb +53 -0
data/app/services/spree/orders/create.rb +156 -0
data/app/services/spree/orders/update.rb +51 -0
data/app/services/spree/orders/upsert_items.rb +70 -0
data/app/services/spree/payments/handle_webhook.rb +3 -10
data/app/services/spree/prices/bulk_upsert.rb +201 -0
data/app/services/spree/products/duplicator.rb +1 -1
data/app/services/spree/products/prepare_nested_attributes.rb +2 -30
data/app/services/spree/sample_data/loader.rb +30 -0
data/app/services/spree/stock_reservations/extend.rb +19 -0
data/app/services/spree/stock_reservations/release.rb +12 -0
data/app/services/spree/stock_reservations/reserve.rb +103 -0
data/app/services/spree/taxons/remove_products.rb +7 -1
data/app/subscribers/spree/event_log_subscriber.rb +1 -1
data/app/subscribers/spree/product_metrics_subscriber.rb +3 -7
data/app/views/spree/invitation_mailer/invitation_email.html.erb +4 -0
data/config/locales/en.yml +35 -10
data/config/routes.rb +9 -0
data/db/migrate/20260429000001_create_spree_order_cancellations.rb +25 -0
data/db/migrate/20260429000002_create_spree_order_approvals.rb +22 -0
data/db/migrate/20260429000003_add_status_to_spree_orders.rb +6 -0
data/db/migrate/20260429000004_add_scopes_to_spree_api_keys.rb +11 -0
data/db/migrate/20260501000001_create_spree_stock_reservations.rb +19 -0
data/db/migrate/20260504103113_add_type_to_spree_payment_setup_sessions.rb +6 -0
data/db/migrate/20260507162651_create_spree_variant_media.rb +23 -0
data/db/migrate/20260508175303_add_pickup_to_spree_stock_locations.rb +12 -0
data/db/migrate/20260508204040_create_spree_channels.rb +18 -0
data/db/migrate/20260508204041_create_spree_order_routing_rules.rb +18 -0
data/db/migrate/20260508204042_add_preferred_stock_location_to_spree_orders.rb +5 -0
data/db/migrate/20260508204043_add_channel_id_to_spree_orders.rb +10 -0
data/db/migrate/20260511000001_backfill_status_on_spree_orders.rb +57 -0
data/db/migrate/20260515000001_add_store_id_to_spree_newsletter_subscribers.rb +25 -0
data/db/migrate/20260529000001_add_unique_index_to_spree_price_rules.rb +41 -0
data/db/migrate/20260529000002_add_unique_index_to_spree_promotion_rules.rb +37 -0
data/db/migrate/20260601000001_create_spree_product_publications.rb +14 -0
data/db/migrate/20260601000002_add_store_id_to_spree_products.rb +16 -0
data/db/migrate/20260602000001_add_default_to_spree_channels.rb +14 -0
data/db/sample_data/channels.rb +12 -0
data/db/sample_data/orders.rb +1 -1
data/db/sample_data/products.csv +212 -212
data/lib/generators/spree/api_resource/api_resource_generator.rb +353 -0
data/lib/generators/spree/api_resource/templates/admin_controller.rb.tt +23 -0
data/lib/generators/spree/api_resource/templates/admin_controller_spec.rb.tt +59 -0
data/lib/generators/spree/api_resource/templates/admin_serializer.rb.tt +11 -0
data/lib/generators/spree/api_resource/templates/factory.rb.tt +26 -0
data/lib/generators/spree/api_resource/templates/store_aliased_serializer.rb.tt +12 -0
data/lib/generators/spree/api_resource/templates/store_controller.rb.tt +31 -0
data/lib/generators/spree/api_resource/templates/store_controller_spec.rb.tt +61 -0
data/lib/generators/spree/api_resource/templates/store_serializer.rb.tt +14 -0
data/lib/generators/spree/controller_decorator/controller_decorator_generator.rb +66 -0
data/lib/generators/spree/controller_decorator/templates/controller_decorator.rb.tt +25 -0
data/lib/generators/spree/model/model_generator.rb +73 -7
data/lib/generators/spree/model/templates/create_table_migration.rb.tt +40 -0
data/lib/generators/spree/model/templates/model.rb.tt +28 -2
data/lib/spree/core/configuration.rb +7 -0
data/lib/spree/core/controller_helpers/auth.rb +0 -12
data/lib/spree/core/controller_helpers/currency.rb +0 -17
data/lib/spree/core/controller_helpers/order.rb +0 -19
data/lib/spree/core/dependencies.rb +5 -2
data/lib/spree/core/engine.rb +54 -7
data/lib/spree/core/permission_configuration.rb +15 -0
data/lib/spree/core/preferences/masking.rb +47 -0
data/lib/spree/core/preferences/preferable_class_methods.rb +7 -1
data/lib/spree/core/version.rb +1 -1
data/lib/spree/core.rb +56 -5
data/lib/spree/events/adapters/active_support_notifications.rb +1 -1
data/lib/spree/events/adapters/base.rb +3 -3
data/lib/spree/events/registry.rb +1 -1
data/lib/spree/events.rb +1 -1
data/lib/spree/permitted_attributes.rb +9 -7
data/lib/spree/testing_support/factories/address_factory.rb +16 -9
data/lib/spree/testing_support/factories/api_key_factory.rb +1 -0
data/lib/spree/testing_support/factories/channel_factory.rb +8 -0
data/lib/spree/testing_support/factories/line_item_factory.rb +2 -8
data/lib/spree/testing_support/factories/newsletter_subscriber_factory.rb +2 -0
data/lib/spree/testing_support/factories/product_factory.rb +16 -7
data/lib/spree/testing_support/factories/product_publication_factory.rb +6 -0
data/lib/spree/testing_support/factories/refresh_token_factory.rb +15 -0
data/lib/spree/testing_support/factories/stock_location_factory.rb +2 -2
data/lib/spree/testing_support/factories/stock_reservation_factory.rb +31 -0
data/lib/spree/testing_support/factories/variant_factory.rb +3 -3
data/lib/spree/testing_support/order_walkthrough.rb +1 -1
data/lib/spree/testing_support/store.rb +10 -0
data/lib/spree/upgrades/5_4_to_5_5/manifest.yml +53 -0
data/lib/tasks/channels.rake +94 -0
data/lib/tasks/core.rake +1 -0
data/lib/tasks/media.rake +27 -0
data/lib/tasks/products.rake +4 -6
data/lib/tasks/publications.rake +60 -0
data/lib/tasks/upgrade.rake +211 -0
metadata +86 -18
data/app/finders/spree/variants/visible_finder.rb +0 -23
data/app/paginators/spree/shared/paginate.rb +0 -30
data/app/presenters/spree/filters/price_presenter.rb +0 -23
data/app/presenters/spree/filters/price_range_presenter.rb +0 -30
data/app/presenters/spree/filters/quantified_price_range_presenter.rb +0 -45
data/app/presenters/spree/product_summary_presenter.rb +0 -27
data/app/presenters/spree/variants/options_presenter.rb +0 -82
data/app/services/spree/classifications/reposition.rb +0 -23
data/app/sorters/spree/orders/sort.rb +0 -10
data/lib/spree/core/controller_helpers/common.rb +0 -14
data/lib/spree/core/token_generator.rb +0 -23
data/lib/spree/database_type_utilities.rb +0 -22
data/lib/spree/testing_support/bar_ability.rb +0 -14
data/lib/spree/testing_support/factories/store_product_factory.rb +0 -6

data/app/models/spree/store_credit.rb CHANGED Viewed

@@ -189,14 +189,6 @@ module Spree
       "#{id}-SC-#{Time.now.utc.strftime('%Y%m%d%H%M%S%6N')}"
     end
-    class << self
-      def default_created_by
-        Spree::Deprecation.warn('StoreCredit#default_created_by is deprecated and will be removed in Spree 5.5. Please use store.users.first instead.')
-        Spree::Store.current.users.first
-      end
-    end
     private
     def create_credit_record(amount, action_attributes = {})

data/app/models/spree/store_product.rb CHANGED Viewed

@@ -1,29 +1,17 @@
 module Spree
+  # Thin AR wrapper over the legacy +spree_products_stores+ join table.
+  # Pre-5.5 core used this table to attach products to stores; 5.5+ moved
+  # that responsibility onto +Spree::Product#store_id+ + +ProductPublication+.
+  #
+  # The model exists only to power the 5.4 → 5.5 backfill rake task
+  # (+spree:upgrade:populate_publications+). Host apps upgrading from 5.4
+  # still have the table; after the backfill runs, +spree_multi_store+ (for
+  # multi-store catalogs) keeps the table around, and single-store
+  # installations may drop it.
   class StoreProduct < Spree.base_class
-    has_prefix_id :sp
     self.table_name = 'spree_products_stores'
-    belongs_to :store, class_name: 'Spree::Store', touch: true
-    belongs_to :product, class_name: 'Spree::Product', touch: true
-    validates :store, :product, presence: true
-    validates :store_id, uniqueness: { scope: :product_id }
-    def refresh_metrics!
-      return if product.nil?
-      completed_order_ids = product.completed_orders.where(store_id: store_id).select(:id)
-      variant_ids = product.variants_including_master.ids
-      line_items = Spree::LineItem.joins(:order)
-        .where(spree_orders: { id: completed_order_ids })
-        .where(variant_id: variant_ids)
-      update!(
-        units_sold_count: line_items.sum(:quantity),
-        revenue: line_items.sum(:pre_tax_amount)
-      )
-    end
+    belongs_to :product, class_name: 'Spree::Product'
+    belongs_to :store, class_name: 'Spree::Store'
   end
 end

data/app/models/spree/subscriber.rb CHANGED Viewed

@@ -9,7 +9,7 @@ module Spree
   #
   # @example Basic subscriber
   #   class OrderCompletedNotifier < Spree::Subscriber
-  #     subscribes_to 'order.complete'
+  #     subscribes_to 'order.completed'
   #
   #     def call(event)
   #       order_id = event.payload['id']
@@ -19,7 +19,7 @@ module Spree
   #
   # @example Multi-event subscriber
   #   class OrderAuditLogger < Spree::Subscriber
-  #     subscribes_to 'order.complete', 'order.cancel', 'order.resume'
+  #     subscribes_to 'order.completed', 'order.canceled', 'order.resumed'
   #
   #     def call(event)
   #       AuditLog.create!(
@@ -41,11 +41,11 @@ module Spree
   #
   # @example Subscriber with method routing
   #   class PaymentSubscriber < Spree::Subscriber
-  #     subscribes_to 'payment.complete', 'payment.void', 'payment.refund'
+  #     subscribes_to 'payment.completed', 'payment.voided', 'refund.created'
   #
-  #     on 'payment.complete', :handle_complete
-  #     on 'payment.void', :handle_void
-  #     on 'payment.refund', :handle_refund
+  #     on 'payment.completed', :handle_complete
+  #     on 'payment.voided', :handle_void
+  #     on 'refund.created', :handle_refund
   #
   #     private
   #
@@ -64,7 +64,7 @@ module Spree
   #
   # @example Synchronous subscriber (runs immediately, not via ActiveJob)
   #   class CriticalOrderHandler < Spree::Subscriber
-  #     subscribes_to 'order.complete', async: false
+  #     subscribes_to 'order.completed', async: false
   #
   #     def call(event)
   #       # This runs synchronously
@@ -81,10 +81,10 @@ module Spree
       # @return [void]
       #
       # @example
-      #   subscribes_to 'order.complete'
-      #   subscribes_to 'order.complete', 'order.cancel'
+      #   subscribes_to 'order.completed'
+      #   subscribes_to 'order.completed', 'order.canceled'
       #   subscribes_to 'order.*'
-      #   subscribes_to 'order.complete', async: false
+      #   subscribes_to 'order.completed', async: false
       #
       def subscribes_to(*patterns, **options)
         @subscription_patterns ||= []
@@ -102,8 +102,8 @@ module Spree
       # @return [void]
       #
       # @example
-      #   on 'payment.complete', :handle_complete
-      #   on 'payment.void', :handle_void
+      #   on 'payment.completed', :handle_complete
+      #   on 'payment.voided', :handle_void
       #
       def on(pattern, method_name)
         @event_handlers ||= {}

data/app/models/spree/taxon.rb CHANGED Viewed

@@ -340,11 +340,6 @@ module Spree
       end
     end
-    def active_products
-      Spree::Deprecation.warn('active_products is deprecated and will be removed in Spree 5.5. Please use taxon.products.active instead.')
-      products.active
-    end
     def regenerate_pretty_name_and_permalink
       Mobility.with_locale(nil) do
         update_columns(pretty_name: generate_pretty_name, permalink: generate_slug, updated_at: Time.current)

data/app/models/spree/user_identity.rb CHANGED Viewed

@@ -9,8 +9,7 @@ module Spree
     validates :provider, inclusion: {
       in: ->(_record) {
-        config = Rails.application.config.spree
-        (config.store_authentication_strategies.keys + config.admin_authentication_strategies.keys).uniq.map(&:to_s)
+        (Spree.store_authentication_strategies.keys + Spree.admin_authentication_strategies.keys).uniq.map(&:to_s)
       }
     }

data/app/models/spree/variant.rb CHANGED Viewed

@@ -8,6 +8,7 @@ module Spree
     include Spree::MemoizedData
     include Spree::Metafields
     include Spree::Metadata
+    include Spree::Searchable
     include Spree::Variant::Webhooks
     publishes_lifecycle_events
@@ -36,31 +37,43 @@ module Spree
     with_options inverse_of: :variant do
       has_many :inventory_units
       has_many :line_items
-      has_many :stock_items, dependent: :destroy
+      has_many :stock_items, dependent: :destroy, autosave: true
     end
     has_many :orders, through: :line_items
     with_options through: :stock_items do
       has_many :stock_locations
       has_many :stock_movements
+      has_many :stock_reservations
     end
     has_many :option_value_variants, class_name: 'Spree::OptionValueVariant'
     has_many :option_values, through: :option_value_variants, dependent: :destroy, class_name: 'Spree::OptionValue'
     has_many :images, -> { order(:position) }, as: :viewable, dependent: :destroy, class_name: 'Spree::Asset'
+    has_many :variant_media, class_name: 'Spree::VariantMedia', dependent: :destroy
+    # Order through the asset's product-level position so a variant's gallery
+    # follows whatever ordering the merchant set on the product. There's no
+    # per-variant reordering — link/unlink only.
+    has_many :associated_media,
+             -> { order(Spree::Asset.arel_table[:position].asc) },
+             through: :variant_media, source: :asset, class_name: 'Spree::Asset'
     belongs_to :primary_media, class_name: 'Spree::Asset', optional: true, foreign_key: :primary_media_id
     has_many :prices,
              class_name: 'Spree::Price',
              dependent: :destroy,
-             inverse_of: :variant
+             inverse_of: :variant,
+             autosave: true
     has_many :wished_items, dependent: :destroy
     has_many :digitals
     before_validation :set_cost_currency
+    before_validation :apply_pending_options, if: :pending_options?
     validate :check_price, if: -> { Spree::Config.enable_legacy_default_price }
@@ -128,11 +141,29 @@ module Spree
     scope :with_digital_assets, -> { joins(:digitals) }
-    scope :search, ->(query) {
-      next none if query.blank? || query.length < 3
+    # Free-text variant search: SKU, parent product name, and any
+    # option-value presentation (e.g. "Red", "XL"). The 3-char floor
+    # keeps single-letter queries from triggering a full scan.
+    def self.search(query)
+      return none if query.blank? || query.length < 3
-      product_name_or_sku_cont(query)
-    }
+      conditions = [
+        search_condition(self, :sku, query),
+        search_condition(Spree::OptionValue, :presentation, query),
+      ]
+      if Spree.use_translations?
+        translation_table = Product::Translation.arel_table.alias(Product.translation_table_alias)
+        sanitized = sanitize_query_for_search(query)
+        conditions << translation_table[:name].lower.matches("%#{sanitized}%", '\\')
+      else
+        conditions << search_condition(Spree::Product, :name, query)
+      end
+      relation = joins(:product).left_joins(:option_values)
+      relation = relation.join_translation_table(Product) if Spree.use_translations?
+      relation.where(conditions.reduce(:or)).distinct
+    end
     # Backward compatibility alias — remove in Spree 6.0
     scope :multi_search, ->(*args) { search(*args) }
@@ -166,8 +197,8 @@ module Spree
     self.whitelisted_ransackable_associations = %w[option_values product tax_category prices default_price]
     self.whitelisted_ransackable_attributes = %w[weight depth width height sku discontinue_on is_master cost_price cost_currency track_inventory
-                                                 deleted_at]
-    self.whitelisted_ransackable_scopes = %i(product_name_or_sku_cont search_by_product_name_or_sku)
+                                                 deleted_at product_id]
+    self.whitelisted_ransackable_scopes = %i(product_name_or_sku_cont search_by_product_name_or_sku search)
     def self.product_name_or_sku_cont(query)
       sanitized_query = ActiveRecord::Base.sanitize_sql_like(query.to_s.downcase.strip)
@@ -260,16 +291,21 @@ module Spree
     end
     # Returns the variant's media gallery.
-    # Currently returns direct images. In 6.0 will use variant_media join table.
+    # Prefers product-level media linked via variant_media (5.5+) — these reuse
+    # a single blob across variants. Falls back to direct variant images for
+    # legacy uploads.
     # @return [ActiveRecord::Relation]
     def gallery_media
+      return associated_media if has_associated_media?
       images
     end
-    # Returns true if the variant has media.
-    # Uses loaded association when available, otherwise falls back to counter cache.
+    # Returns true if the variant has media (linked product-level or direct images).
+    # Uses loaded associations when available, otherwise falls back to counter cache.
     # @return [Boolean]
     def has_media?
+      return true if has_associated_media?
       return images.any? if images.loaded?
       media_count.positive?
@@ -277,6 +313,13 @@ module Spree
     alias has_images? has_media?
+    # @return [Boolean] true if any product-level media is linked to this variant
+    def has_associated_media?
+      return variant_media.any? if variant_media.loaded?
+      variant_media.exists?
+    end
     # @deprecated Use #primary_media instead.
     def default_image
       Spree::Deprecation.warn('Spree::Variant#default_image is deprecated and will be removed in Spree 6.0. Please use Spree::Variant#primary_media instead.')
@@ -285,8 +328,10 @@ module Spree
     # Updates primary_media_id to the first media item by position.
     # Called when media is added, removed, or reordered.
+    # Uses gallery_media so product-level assets linked via VariantMedia are
+    # considered alongside legacy variant-pinned images.
     def update_thumbnail!
-      first_media = images.order(:position).first
+      first_media = gallery_media.first
       update_column(:primary_media_id, first_media&.id)
     end
@@ -330,6 +375,11 @@ module Spree
     # @param options [Array<Hash>] the options to set
     # @return [void]
     def options=(options = {})
+      if product.nil?
+        @pending_options = options
+        return
+      end
       options.each do |option|
         next if option[:name].blank? || option[:value].blank?
@@ -438,6 +488,51 @@ module Spree
       price_in(currency).try(:compare_at_amount)
     end
+    # Syncs base prices from an array of hashes.
+    # Upserts prices for listed currencies, removes base prices for unlisted currencies.
+    # On new records, builds prices in memory (saved when variant is saved).
+    # On persisted records, saves prices immediately and removes unlisted currencies.
+    # An empty array clears every base price — distinguished from `nil` (no
+    # change requested), which falls through to the default ActiveRecord setter.
+    # @param prices_params [Array<Hash>, nil] array of { currency:, amount:, compare_at_amount: }
+    # @return [void]
+    def prices=(prices_params)
+      return super if prices_params.nil? || prices_params.first.is_a?(Spree::Price)
+      currencies_in_payload = []
+      prices_params.each do |price_data|
+        price_data = price_data.to_h.with_indifferent_access
+        currencies_in_payload << price_data[:currency]
+        set_price(price_data[:currency], price_data[:amount], price_data[:compare_at_amount])
+      end
+      # Remove base prices for currencies not in the payload (including the
+      # `prices_params == []` case, which clears every base price).
+      prices.base_prices.where.not(currency: currencies_in_payload).destroy_all if persisted?
+    end
+    # Syncs stock items from an array of hashes.
+    # Upserts stock for listed locations, soft-deletes stock items for unlisted locations.
+    # On new records, defers to after_create callback.
+    # @param stock_items_params [Array<Hash>] array of { stock_location_id:, count_on_hand:, backorderable: }
+    # @return [void]
+    def stock_items=(stock_items_params)
+      return super if stock_items_params.blank? || stock_items_params.first.is_a?(Spree::StockItem)
+      location_ids_in_payload = []
+      stock_items_params.each do |stock_data|
+        stock_data = stock_data.to_h.with_indifferent_access
+        location = Spree::StockLocation.find_by_param(stock_data[:stock_location_id])
+        location_ids_in_payload << location.id
+        set_stock(stock_data[:count_on_hand], stock_data[:backorderable], location)
+      end
+      # Soft-delete stock items for locations not in the payload
+      stock_items.where.not(stock_location_id: location_ids_in_payload).destroy_all if persisted?
+    end
     # Sets the base price (global price, not for a price list) for the given currency.
     # @param currency [String] the currency to set the price for
     # @param amount [BigDecimal] the amount to set
@@ -465,16 +560,18 @@ module Spree
       Spree::Pricing::Resolver.new(context).resolve
     end
-    # Sets the stock for the variant
+    # Sets the stock for the variant at a given location.
+    # Mirrors set_price: find-or-initialize, set attrs, save only if persisted.
     # @param count_on_hand [Integer] the count on hand
     # @param backorderable [Boolean] the backorderable flag
-    # @param stock_location [Spree::StockLocation] the stock location to set the stock for
+    # @param stock_location [Spree::StockLocation] the stock location (defaults to store default)
     # @return [void]
-    def set_stock(count_on_hand, backorderable = nil)
-      stock_item = stock_items.find_or_initialize_by(stock_location: default_stock_location)
+    def set_stock(count_on_hand, backorderable = nil, stock_location = nil)
+      stock_location ||= default_stock_location
+      stock_item = stock_items.find_or_initialize_by(stock_location: stock_location)
       stock_item.count_on_hand = count_on_hand
       stock_item.backorderable = backorderable if backorderable.present?
-      stock_item.save!
+      stock_item.save! if persisted?
     end
     def default_stock_location
@@ -532,7 +629,7 @@ module Spree
       @on_sale ||= price_in(currency)&.discounted?
     end
-    delegate :total_on_hand, :can_supply?, to: :quantifier
+    delegate :total_on_hand, :available_stock, :reserved_quantity, :can_supply?, to: :quantifier
     alias is_backorderable? backorderable?
@@ -585,6 +682,23 @@ module Spree
     private
+    def pending_options?
+      @pending_options.present?
+    end
+    def apply_pending_options
+      return unless @pending_options
+      options_to_apply = @pending_options
+      @pending_options = nil
+      options_to_apply.each do |option|
+        next if option[:name].blank? || option[:value].blank?
+        set_option_value(option[:name], option[:value], option[:position])
+      end
+    end
     def ensure_not_in_complete_orders
       if orders.complete.any?
         errors.add(:base, :cannot_destroy_if_attached_to_line_items)

data/app/models/spree/variant_media.rb ADDED Viewed

@@ -0,0 +1,46 @@
+module Spree
+  # FK column is `media_id` (not `asset_id`) to match the 6.0 rename
+  # Spree::Asset → Spree::Media. The `:asset` association name follows the
+  # current parent class; in 6.0 it renames to `:media` without a column change.
+  class VariantMedia < Spree.base_class
+    self.table_name = 'spree_variant_media'
+    belongs_to :variant, class_name: 'Spree::Variant', touch: true
+    belongs_to :asset, class_name: 'Spree::Asset', foreign_key: :media_id, inverse_of: :variant_media
+    validates :variant, :asset, presence: true
+    validates :media_id, uniqueness: { scope: :variant_id }
+    validate :asset_belongs_to_variant_product
+    after_commit :refresh_variant_thumbnail, on: %i[create destroy]
+    # Resolves an array of variant identifiers (prefixed ids or raw ids) to the
+    # numeric ids of variants that belong to `product`. Anything else — bad
+    # prefix, foreign product, garbage — is dropped. This is the security
+    # boundary used by Spree::Asset#variant_ids=, so callers (forms, API params)
+    # can't link assets to variants from another product.
+    def self.resolve_variant_ids(product, variant_ids)
+      ids = Array(variant_ids).reject(&:blank?)
+      return [] if ids.empty?
+      product.variants.filter_map do |variant|
+        token = variant.id.to_s
+        prefixed = variant.prefixed_id
+        variant.id if ids.any? { |id| id.to_s == token || id == prefixed }
+      end
+    end
+    private
+    def asset_belongs_to_variant_product
+      return if asset.blank? || variant.blank?
+      return if asset.product&.id == variant.product_id
+      errors.add(:asset, 'must belong to the same product as the variant')
+    end
+    def refresh_variant_thumbnail
+      variant&.update_thumbnail!
+    end
+  end
+end

data/app/models/spree/webhook_delivery.rb CHANGED Viewed

@@ -19,7 +19,7 @@ module Spree
     scope :for_event, ->(event_name) { where(event_name: event_name) }
     # Ransack configuration
-    self.whitelisted_ransackable_attributes = %w[event_name response_code execution_time success delivered_at]
+    self.whitelisted_ransackable_attributes = %w[event_name response_code execution_time success delivered_at created_at]
     # Check if the delivery was successful
     #

data/app/models/spree/webhook_endpoint.rb CHANGED Viewed

@@ -22,6 +22,12 @@ module Spree
     validate :url_must_not_resolve_to_private_ip, if: -> { !Rails.env.development? && url.present? && url_changed? }
     before_create :generate_secret_key
+    after_create  { @reveal_secret_in_response = true }
+    # Re-enabling via a direct `update(active: true)` (e.g., the dashboard's
+    # edit form) must also clear the auto-disable bookkeeping so the endpoint
+    # rejoins the `enabled` scope. `#enable!` handles this too, but we can't
+    # rely on every call site using it.
+    before_save :clear_disabled_state_when_reactivated
     self.whitelisted_ransackable_attributes = %w[name url active]
@@ -29,6 +35,17 @@ module Spree
     scope :inactive, -> { where(active: false) }
     scope :enabled, -> { active.where(disabled_at: nil) }
+    # Returns the plaintext `secret_key` only on the create response.
+    #
+    # `@reveal_secret_in_response` is set by the `after_create` callback above
+    # — a per-instance flag, not derived from `previous_changes`, so a reload
+    # or any subsequent save can't accidentally re-expose the secret.
+    #
+    # @return [String, nil]
+    def secret_key_for_response
+      @reveal_secret_in_response ? secret_key : nil
+    end
     # Number of consecutive failed deliveries before auto-disabling
     AUTO_DISABLE_THRESHOLD = 15
@@ -128,6 +145,13 @@ module Spree
       self.secret_key ||= SecureRandom.hex(32)
     end
+    def clear_disabled_state_when_reactivated
+      return unless will_save_change_to_active? && active
+      self.disabled_at = nil
+      self.disabled_reason = nil
+    end
     def url_must_not_resolve_to_private_ip
       uri = URI.parse(url)
       blacklist = SsrfFilter::IPV4_BLACKLIST + SsrfFilter::IPV6_BLACKLIST

data/app/models/spree/wished_item.rb CHANGED Viewed

@@ -16,19 +16,6 @@ module Spree
     validates :variant, uniqueness: { scope: [:wishlist] }
     validates :quantity, numericality: { only_integer: true, greater_than: 0 }
-    # This is a workaround to allow the variant_id to be set with a prefixed ID
-    # in the API.
-    #
-    # @param id [String] the prefixed ID of the variant
-    def variant_id=(id)
-      if id.to_s.include?('_')
-        decoded = Spree::Variant.decode_prefixed_id(id)
-        super(decoded)
-      else
-        super(id)
-      end
-    end
     def price(currency)
       variant.amount_in(currency[:currency])
     end

data/app/presenters/spree/csv/formula_sanitizer.rb ADDED Viewed

@@ -0,0 +1,28 @@
+module Spree
+  module CSV
+    # Neutralizes CSV formula injection (CWE-1236 / OWASP "CSV Injection")
+    # by prefixing cells that would otherwise be evaluated as a formula
+    # when the exported file is opened in Excel, Google Sheets, LibreOffice,
+    # or Numbers.
+    #
+    # The leading apostrophe is the OWASP-recommended marker — spreadsheets
+    # render the cell as plain text without displaying the apostrophe.
+    module FormulaSanitizer
+      TRIGGERS = ["=", "+", "-", "@", "\t", "\r", "\n"].freeze
+      module_function
+      def cell(value)
+        return value unless value.is_a?(String)
+        return value if value.empty?
+        return value unless TRIGGERS.include?(value[0])
+        "'#{value}"
+      end
+      def row(values)
+        values.map { |v| cell(v) }
+      end
+    end
+  end
+end

data/app/presenters/spree/csv/product_variant_presenter.rb CHANGED Viewed

@@ -53,7 +53,7 @@ module Spree
         @index = index
         @properties = properties
         @taxons = taxons
-        @store = store || product.stores.first
+        @store = store || product.store
         @currency = currency || @store.default_currency
         @price_only = @currency != @store.default_currency
         @metafields = metafields
@@ -100,8 +100,8 @@ module Spree
           variant.dimensions_unit,
           variant.weight,
           variant.weight_unit,
-          variant.available_on&.strftime('%Y-%m-%d %H:%M:%S'),
-          (variant.discontinue_on || product.discontinue_on)&.strftime('%Y-%m-%d %H:%M:%S'),
+          publication_available_on&.strftime('%Y-%m-%d %H:%M:%S'),
+          (variant.discontinue_on || publication_discontinue_on)&.strftime('%Y-%m-%d %H:%M:%S'),
           variant.track_inventory?,
           total_on_hand == BigDecimal::INFINITY ? '∞' : total_on_hand,
           variant.backorderable?,
@@ -137,6 +137,26 @@ module Spree
       private
+      # Default-channel publication for the export's store. 5.5 transitional:
+      # fall back to the legacy Product columns when the publication dates are
+      # NULL (pre-backfill). 6.0 drops the Product-column fallback.
+      def default_publication
+        return @default_publication if defined?(@default_publication)
+        channel_id = store&.default_channel&.id
+        @default_publication = channel_id && product.product_publications.find do |p|
+          p.store_id == store.id && p.channel_id == channel_id
+        end
+      end
+      def publication_available_on
+        default_publication&.published_at || product.available_on
+      end
+      def publication_discontinue_on
+        default_publication&.unpublished_at || product.discontinue_on
+      end
       def price_only_row
         csv = Array.new(CSV_HEADERS.size)
         csv[CSV_HEADERS.index('sku')] = variant.sku

data/app/presenters/spree/search_provider/product_presenter.rb CHANGED Viewed

@@ -58,7 +58,8 @@ module Spree
           status: product.status,
           sku: product.sku,
           in_stock: product.in_stock?,
-          store_ids: product.store_ids.map(&:to_s),
+          store_ids: Array(product.store_id).map(&:to_s),
+          channel_ids: channel_ids_for_store,
           discontinue_on: product.discontinue_on&.to_i || 0,
           category_ids: category_ids_with_ancestors,
           category_names: product.taxons.map { |t| translated(t, :name, fallback_locale) },
@@ -67,7 +68,7 @@ module Spree
           option_value_ids: variant_option_value_ids,
           option_values: variant_option_values_data.map { |ov| translated(ov, :presentation, fallback_locale) }.uniq,
           tags: product.tag_list || [],
-          units_sold_count: product.store_products.find { |sp| sp.store_id == store.id }&.units_sold_count || 0,
+          units_sold_count: product.units_sold_count || 0,
           available_on: product.available_on&.iso8601,
           created_at: product.created_at&.iso8601,
           updated_at: product.updated_at&.iso8601
@@ -107,8 +108,14 @@ module Spree
         @compare_at_cache[currency]
       end
-      # Include ancestor category IDs so filtering by a parent category
-      # matches products classified under its descendants.
+      def channel_ids_for_store
+        @channel_ids_for_store ||= product.product_publications
+                                          .joins(:channel)
+                                          .where(spree_channels: { store_id: store.id })
+                                          .pluck(:channel_id)
+                                          .map(&:to_s)
+      end
       def category_ids_with_ancestors
         @category_ids_with_ancestors ||= product.taxons.flat_map { |t|
           t.self_and_ancestors.map(&:prefixed_id)

data/app/presenters/spree/variant_presenter.rb CHANGED Viewed

@@ -16,10 +16,11 @@ module Spree
     def call
       @variants.map do |variant|
+        price = variant.price_in(current_currency)
         {
-          display_price: display_price(variant),
-          price: variant.price_in(current_currency),
-          display_compare_at_price: display_compare_at_price(variant),
+          display_price: price.display_price_including_vat_for(current_price_options).to_html,
+          price: price,
+          display_compare_at_price: price.display_compare_at_price_including_vat_for(current_price_options).to_html,
           should_display_compare_at_price: should_display_compare_at_price?(variant),
           is_product_available_in_currency: @is_product_available_in_currency,
           backorderable: backorderable?(variant),