RubyGems - spree_core - Versions diffs - 5.4.3 → 5.5.0.rc1 - Mend

spree_core 5.4.3 → 5.5.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

checksums.yaml +4 -4
data/app/helpers/spree/base_helper.rb +0 -82
data/app/helpers/spree/currency_helper.rb +0 -12
data/app/helpers/spree/products_helper.rb +0 -8
data/app/jobs/spree/base_job.rb +18 -0
data/app/jobs/spree/events/subscriber_job.rb +2 -1
data/app/jobs/spree/exports/generate_job.rb +11 -0
data/app/jobs/spree/images/save_from_url_job.rb +23 -8
data/app/jobs/spree/imports/assign_tags_job.rb +11 -0
data/app/jobs/spree/imports/base_job.rb +15 -0
data/app/jobs/spree/imports/create_categories_job.rb +37 -0
data/app/jobs/spree/imports/create_rows_job.rb +1 -3
data/app/jobs/spree/imports/process_group_job.rb +8 -6
data/app/jobs/spree/imports/process_rows_job.rb +1 -3
data/app/jobs/spree/media/migrate_product_assets_job.rb +83 -0
data/app/jobs/spree/products/refresh_metrics_job.rb +15 -4
data/app/jobs/spree/reports/generate_job.rb +11 -0
data/app/jobs/spree/search_provider/index_job.rb +5 -1
data/app/jobs/spree/search_provider/remove_job.rb +4 -0
data/app/jobs/spree/stock_reservations/expire_job.rb +11 -0
data/app/models/concerns/spree/calculated_adjustments.rb +34 -1
data/app/models/concerns/spree/display_on.rb +31 -0
data/app/models/concerns/spree/metafields.rb +167 -5
data/app/models/concerns/spree/preference_schema.rb +191 -0
data/app/models/concerns/spree/prefixed_id.rb +94 -11
data/app/models/concerns/spree/product_scopes.rb +36 -17
data/app/models/concerns/spree/ransackable_attributes.rb +5 -1
data/app/models/concerns/spree/search_indexable.rb +8 -7
data/app/models/concerns/spree/searchable.rb +11 -2
data/app/models/concerns/spree/stores/channels.rb +20 -0
data/app/models/concerns/spree/stores/markets.rb +21 -5
data/app/models/concerns/spree/typed_associations.rb +120 -0
data/app/models/concerns/spree/user_methods.rb +71 -12
data/app/models/spree/ability.rb +4 -117
data/app/models/spree/api_key.rb +53 -0
data/app/models/spree/asset.rb +28 -5
data/app/models/spree/authentication/strategy_registry.rb +72 -0
data/app/models/spree/base.rb +18 -1
data/app/models/spree/channel.rb +159 -0
data/app/models/spree/country.rb +2 -0
data/app/models/spree/current.rb +5 -1
data/app/models/spree/custom_field.rb +9 -0
data/app/models/spree/custom_field_definition.rb +7 -0
data/app/models/spree/customer_group.rb +8 -2
data/app/models/spree/export.rb +30 -3
data/app/models/spree/gateway.rb +25 -0
data/app/models/spree/gift_card.rb +1 -1
data/app/models/spree/gift_card_batch.rb +4 -1
data/app/models/spree/import.rb +5 -0
data/app/models/spree/import_row.rb +12 -0
data/app/models/spree/line_item.rb +6 -1
data/app/models/spree/market.rb +32 -1
data/app/models/spree/metafield.rb +38 -0
data/app/models/spree/metafield_definition.rb +29 -6
data/app/models/spree/metafields/json.rb +10 -0
data/app/models/spree/newsletter_subscriber.rb +19 -3
data/app/models/spree/option_type.rb +48 -7
data/app/models/spree/order/checkout.rb +3 -3
data/app/models/spree/order.rb +102 -6
data/app/models/spree/order_approval.rb +19 -0
data/app/models/spree/order_cancellation.rb +19 -0
data/app/models/spree/order_routing/has_strategy_preference.rb +28 -0
data/app/models/spree/order_routing/rules/default_location.rb +16 -0
data/app/models/spree/order_routing/rules/minimize_splits.rb +45 -0
data/app/models/spree/order_routing/rules/preferred_location.rb +22 -0
data/app/models/spree/order_routing/strategy/base.rb +47 -0
data/app/models/spree/order_routing/strategy/legacy.rb +33 -0
data/app/models/spree/order_routing/strategy/reducer.rb +68 -0
data/app/models/spree/order_routing/strategy/rules.rb +81 -0
data/app/models/spree/order_routing_rule.rb +75 -0
data/app/models/spree/permission_sets/configuration_management.rb +16 -0
data/app/models/spree/permission_sets/product_display.rb +2 -0
data/app/models/spree/permission_sets/product_management.rb +2 -0
data/app/models/spree/price.rb +14 -1
data/app/models/spree/price_list.rb +129 -17
data/app/models/spree/price_rule.rb +11 -1
data/app/models/spree/price_rules/customer_group_rule.rb +15 -1
data/app/models/spree/price_rules/market_rule.rb +16 -1
data/app/models/spree/price_rules/user_rule.rb +21 -2
data/app/models/spree/product/channels.rb +149 -0
data/app/models/spree/product/legacy_multi_store_support.rb +40 -0
data/app/models/spree/product/slugs.rb +1 -1
data/app/models/spree/product.rb +172 -31
data/app/models/spree/product_publication.rb +43 -0
data/app/models/spree/promotion/actions/create_adjustment.rb +4 -0
data/app/models/spree/promotion/actions/create_item_adjustments.rb +4 -0
data/app/models/spree/promotion/actions/create_line_items.rb +32 -14
data/app/models/spree/promotion/rules/country.rb +40 -18
data/app/models/spree/promotion/rules/customer_group.rb +10 -1
data/app/models/spree/promotion/rules/product.rb +4 -0
data/app/models/spree/promotion/rules/taxon.rb +24 -1
data/app/models/spree/promotion/rules/user.rb +21 -0
data/app/models/spree/promotion/rules/user_logged_in.rb +6 -0
data/app/models/spree/promotion.rb +22 -1
data/app/models/spree/promotion_action.rb +17 -11
data/app/models/spree/promotion_rule.rb +17 -18
data/app/models/spree/search_provider/meilisearch.rb +12 -2
data/app/models/spree/stock/availability_validator.rb +1 -1
data/app/models/spree/stock/quantifier.rb +89 -9
data/app/models/spree/stock_item.rb +36 -0
data/app/models/spree/stock_location.rb +52 -0
data/app/models/spree/stock_reservation.rb +38 -0
data/app/models/spree/stock_reservations/insufficient_stock_error.rb +12 -0
data/app/models/spree/store.rb +18 -72
data/app/models/spree/store_credit.rb +0 -8
data/app/models/spree/store_product.rb +11 -23
data/app/models/spree/taxon.rb +0 -5
data/app/models/spree/user_identity.rb +1 -2
data/app/models/spree/variant.rb +132 -18
data/app/models/spree/variant_media.rb +46 -0
data/app/models/spree/webhook_delivery.rb +1 -1
data/app/models/spree/webhook_endpoint.rb +24 -0
data/app/models/spree/wished_item.rb +0 -13
data/app/presenters/spree/csv/product_variant_presenter.rb +23 -3
data/app/presenters/spree/search_provider/product_presenter.rb +11 -4
data/app/presenters/spree/variant_presenter.rb +4 -3
data/app/services/spree/addresses/update.rb +6 -8
data/app/services/spree/cart/add_item.rb +10 -0
data/app/services/spree/cart/empty.rb +2 -0
data/app/services/spree/cart/remove_line_item.rb +10 -0
data/app/services/spree/cart/remove_out_of_stock_items.rb +1 -1
data/app/services/spree/cart/set_quantity.rb +10 -0
data/app/services/spree/carts/complete.rb +1 -0
data/app/services/spree/carts/create.rb +1 -0
data/app/services/spree/carts/update.rb +18 -2
data/app/services/spree/carts/upsert_items.rb +6 -6
data/app/services/spree/imports/row_processors/customer.rb +4 -1
data/app/services/spree/imports/row_processors/product_variant.rb +95 -57
data/app/services/spree/newsletter/link_user.rb +53 -0
data/app/services/spree/newsletter/subscribe.rb +31 -9
data/app/services/spree/orders/approve.rb +27 -6
data/app/services/spree/orders/build_shipments.rb +29 -0
data/app/services/spree/orders/cancel.rb +34 -3
data/app/services/spree/orders/complete.rb +53 -0
data/app/services/spree/orders/create.rb +156 -0
data/app/services/spree/orders/update.rb +51 -0
data/app/services/spree/orders/upsert_items.rb +70 -0
data/app/services/spree/prices/bulk_upsert.rb +201 -0
data/app/services/spree/products/duplicator.rb +1 -1
data/app/services/spree/products/prepare_nested_attributes.rb +2 -30
data/app/services/spree/sample_data/loader.rb +30 -0
data/app/services/spree/stock_reservations/extend.rb +19 -0
data/app/services/spree/stock_reservations/release.rb +12 -0
data/app/services/spree/stock_reservations/reserve.rb +103 -0
data/app/services/spree/taxons/remove_products.rb +7 -1
data/app/subscribers/spree/product_metrics_subscriber.rb +3 -7
data/app/views/spree/invitation_mailer/invitation_email.html.erb +4 -0
data/config/locales/en.yml +27 -10
data/config/routes.rb +9 -0
data/db/migrate/20260429000001_create_spree_order_cancellations.rb +25 -0
data/db/migrate/20260429000002_create_spree_order_approvals.rb +22 -0
data/db/migrate/20260429000003_add_status_to_spree_orders.rb +6 -0
data/db/migrate/20260429000004_add_scopes_to_spree_api_keys.rb +11 -0
data/db/migrate/20260501000001_create_spree_stock_reservations.rb +19 -0
data/db/migrate/20260507162651_create_spree_variant_media.rb +23 -0
data/db/migrate/20260508175303_add_pickup_to_spree_stock_locations.rb +12 -0
data/db/migrate/20260508204040_create_spree_channels.rb +18 -0
data/db/migrate/20260508204041_create_spree_order_routing_rules.rb +18 -0
data/db/migrate/20260508204042_add_preferred_stock_location_to_spree_orders.rb +5 -0
data/db/migrate/20260508204043_add_channel_id_to_spree_orders.rb +10 -0
data/db/migrate/20260511000001_backfill_status_on_spree_orders.rb +57 -0
data/db/migrate/20260515000001_add_store_id_to_spree_newsletter_subscribers.rb +25 -0
data/db/migrate/20260529000001_add_unique_index_to_spree_price_rules.rb +41 -0
data/db/migrate/20260529000002_add_unique_index_to_spree_promotion_rules.rb +37 -0
data/db/migrate/20260601000001_create_spree_product_publications.rb +14 -0
data/db/migrate/20260601000002_add_store_id_to_spree_products.rb +16 -0
data/db/migrate/20260602000001_add_default_to_spree_channels.rb +14 -0
data/db/sample_data/channels.rb +12 -0
data/db/sample_data/orders.rb +1 -1
data/db/sample_data/products.csv +212 -212
data/lib/generators/spree/api_resource/api_resource_generator.rb +353 -0
data/lib/generators/spree/api_resource/templates/admin_controller.rb.tt +23 -0
data/lib/generators/spree/api_resource/templates/admin_controller_spec.rb.tt +59 -0
data/lib/generators/spree/api_resource/templates/admin_serializer.rb.tt +11 -0
data/lib/generators/spree/api_resource/templates/factory.rb.tt +26 -0
data/lib/generators/spree/api_resource/templates/store_aliased_serializer.rb.tt +12 -0
data/lib/generators/spree/api_resource/templates/store_controller.rb.tt +31 -0
data/lib/generators/spree/api_resource/templates/store_controller_spec.rb.tt +61 -0
data/lib/generators/spree/api_resource/templates/store_serializer.rb.tt +14 -0
data/lib/generators/spree/controller_decorator/controller_decorator_generator.rb +66 -0
data/lib/generators/spree/controller_decorator/templates/controller_decorator.rb.tt +25 -0
data/lib/generators/spree/model/model_generator.rb +73 -7
data/lib/generators/spree/model/templates/create_table_migration.rb.tt +40 -0
data/lib/generators/spree/model/templates/model.rb.tt +28 -2
data/lib/spree/core/configuration.rb +7 -0
data/lib/spree/core/controller_helpers/auth.rb +0 -12
data/lib/spree/core/controller_helpers/currency.rb +0 -17
data/lib/spree/core/controller_helpers/order.rb +0 -19
data/lib/spree/core/dependencies.rb +5 -2
data/lib/spree/core/engine.rb +54 -7
data/lib/spree/core/permission_configuration.rb +15 -0
data/lib/spree/core/preferences/masking.rb +47 -0
data/lib/spree/core/preferences/preferable_class_methods.rb +7 -1
data/lib/spree/core/version.rb +1 -1
data/lib/spree/core.rb +56 -5
data/lib/spree/permitted_attributes.rb +9 -7
data/lib/spree/testing_support/factories/address_factory.rb +16 -9
data/lib/spree/testing_support/factories/api_key_factory.rb +1 -0
data/lib/spree/testing_support/factories/channel_factory.rb +8 -0
data/lib/spree/testing_support/factories/line_item_factory.rb +2 -8
data/lib/spree/testing_support/factories/newsletter_subscriber_factory.rb +2 -0
data/lib/spree/testing_support/factories/product_factory.rb +16 -7
data/lib/spree/testing_support/factories/product_publication_factory.rb +6 -0
data/lib/spree/testing_support/factories/refresh_token_factory.rb +15 -0
data/lib/spree/testing_support/factories/stock_location_factory.rb +2 -2
data/lib/spree/testing_support/factories/stock_reservation_factory.rb +31 -0
data/lib/spree/testing_support/factories/variant_factory.rb +3 -3
data/lib/spree/testing_support/order_walkthrough.rb +1 -1
data/lib/spree/testing_support/store.rb +10 -0
data/lib/spree/upgrades/5_4_to_5_5/manifest.yml +53 -0
data/lib/tasks/channels.rake +94 -0
data/lib/tasks/core.rake +1 -0
data/lib/tasks/media.rake +27 -0
data/lib/tasks/products.rake +4 -6
data/lib/tasks/publications.rake +60 -0
data/lib/tasks/upgrade.rake +211 -0
metadata +83 -18
data/app/finders/spree/variants/visible_finder.rb +0 -23
data/app/paginators/spree/shared/paginate.rb +0 -30
data/app/presenters/spree/filters/price_presenter.rb +0 -23
data/app/presenters/spree/filters/price_range_presenter.rb +0 -30
data/app/presenters/spree/filters/quantified_price_range_presenter.rb +0 -45
data/app/presenters/spree/product_summary_presenter.rb +0 -27
data/app/presenters/spree/variants/options_presenter.rb +0 -82
data/app/services/spree/classifications/reposition.rb +0 -23
data/app/sorters/spree/orders/sort.rb +0 -10
data/lib/spree/core/controller_helpers/common.rb +0 -14
data/lib/spree/core/token_generator.rb +0 -23
data/lib/spree/database_type_utilities.rb +0 -22
data/lib/spree/testing_support/bar_ability.rb +0 -14
data/lib/spree/testing_support/factories/store_product_factory.rb +0 -6

data/app/models/concerns/spree/metafields.rb CHANGED Viewed

@@ -40,6 +40,27 @@ module Spree
         super(attributes)
       end
+      # API-facing alias for the 6.0 rename (`5.4-6.0-custom-fields-rename.md`):
+      # callers see "custom fields" everywhere even though the underlying
+      # tables/columns still use `metafield*`. Reached via flat params on the
+      # admin API v3 (`custom_fields: [...]`); also works through
+      # `Model.new(permitted_params)` since Rails routes the key to this writer.
+      #
+      # Upsert semantics by `custom_field_definition_id`: existing entries
+      # for the same definition are updated, missing entries are created.
+      # Partial: definitions NOT in the array are left untouched, so the
+      # client can patch one field at a time without resending the rest.
+      # Blank values on an existing metafield destroy it (mirrors the dedicated
+      # endpoint's behavior via `metafields_attributes=`).
+      def custom_fields=(attributes)
+        return if attributes.blank?
+        return super(attributes) if attributes.first.is_a?(Spree::Metafield)
+        assign_custom_field_attrs(attributes)
+      end
+      after_save :apply_pending_custom_fields, if: -> { @pending_custom_field_attrs.present? }
       scope :with_metafield_key, ->(key_with_namespace) {
         namespace, key = extract_namespace_and_key(key_with_namespace)
         joins(metafields: :metafield_definition).where(spree_metafield_definitions: { namespace: namespace, key: key })
@@ -56,11 +77,44 @@ module Spree
         self.class.extract_namespace_and_key(key_with_namespace)
       end
-      def set_metafield(key_with_namespace, value)
-        namespace, key = extract_namespace_and_key(key_with_namespace)
-        metafield_definition = Spree::MetafieldDefinition.find_or_create_by!(namespace: namespace, key: key, resource_type: self.class.name)
+      # Upsert a single custom field value on this resource. The first
+      # argument locates the definition by any of:
+      #
+      # - `"namespace.key"` string — auto-creates the definition if missing
+      #   (backend-internal callers that don't know the id upfront).
+      # - {Spree::MetafieldDefinition} instance.
+      # - Integer / numeric String — raw definition id.
+      # - Prefixed-id String (`"cfdef_..."`) — decoded to the definition id.
+      #
+      # Blank values (nil or empty/whitespace string) destroy any existing
+      # metafield for the definition. Empty containers (`[]`, `{}`) and
+      # numeric / boolean falsy values are real values, not blanks.
+      #
+      # @param definition_or_key [String, Integer, Spree::MetafieldDefinition]
+      # @param value [Object] the value to persist; type is enforced by the
+      #   typed metafield subclass (Boolean, Number, Json, ShortText, …).
+      # @return [Spree::Metafield, nil] the persisted metafield, or nil when
+      #   the value was blank and any existing row was destroyed.
+      # @raise [ArgumentError] if `definition_or_key` doesn't resolve to a
+      #   known definition.
+      def set_metafield(definition_or_key, value)
+        definition_id = resolve_metafield_definition_id(definition_or_key)
+        metafield = metafields.find_or_initialize_by(metafield_definition_id: definition_id)
+        if value_blank?(value)
+          metafield.destroy if metafield.persisted?
+          return nil
+        end
+        # JSON metafields store canonical JSON in the underlying text column.
+        # Coerce Hash/Array values BEFORE assignment, since the STI subclass
+        # (`Spree::Metafields::Json`) isn't switched on until before_validation,
+        # so its custom `value=` writer doesn't run yet on a fresh
+        # `find_or_initialize_by` record.
+        if (value.is_a?(Hash) || value.is_a?(Array)) &&
+           metafield.metafield_definition&.metafield_type == 'Spree::Metafields::Json'
+          value = value.to_json
+        end
-        metafield = metafields.find_or_initialize_by(metafield_definition: metafield_definition)
         metafield.value = value
         metafield.save!
         metafield
@@ -86,8 +140,116 @@ module Spree
       private
+      # Decide whether a metafield value should trigger the destroy-existing
+      # branch. Ruby's `blank?` reports `false`, `0`, `[]`, `{}` as blank, but
+      # for typed metafields those are real values:
+      #
+      # - Boolean `false` / Numeric `0` — real values, never destroy.
+      # - Empty Array / Hash — a JSON metafield storing `[]` or `{}` is a
+      #   meaningful value (an empty list / object), not a clear signal.
+      #
+      # Only `nil` and empty/whitespace strings count as "missing".
+      #
+      # @param value [Object]
+      # @return [Boolean]
       def value_blank?(value)
-        value.blank?
+        return true if value.nil?
+        return value.strip.empty? if value.is_a?(String)
+        false
+      end
+      def assign_custom_field_attrs(attributes)
+        if new_record?
+          # Persisting metafields requires a persisted parent (resource_id NOT
+          # NULL). Stash the attrs and replay them after the parent is saved.
+          @pending_custom_field_attrs = attributes
+          return
+        end
+        apply_custom_field_attrs(attributes)
+      end
+      def apply_pending_custom_fields
+        attrs = @pending_custom_field_attrs
+        @pending_custom_field_attrs = nil
+        apply_custom_field_attrs(attrs)
+      end
+      def apply_custom_field_attrs(attributes)
+        attributes = attributes.values if attributes.is_a?(Hash)
+        attributes.each_with_index do |raw, index|
+          attrs = raw.respond_to?(:to_h) ? raw.to_h : raw
+          attrs = attrs.with_indifferent_access
+          definition_id = attrs[:metafield_definition_id] || attrs[:custom_field_definition_id]
+          next if definition_id.blank?
+          begin
+            set_metafield(definition_id, attrs[:value])
+          rescue ArgumentError => e
+            # Convert an unknown / malformed definition id into a field-level
+            # validation error so the controller returns 422 with structured
+            # `details`, instead of leaking ArgumentError as a 400/500.
+            errors.add("custom_fields[#{index}].custom_field_definition_id", e.message)
+            raise ActiveRecord::RecordInvalid, self
+          end
+        end
+      end
+      # Resolve any of the supported reference shapes to a raw definition id.
+      # See {#set_metafield} for the accepted shapes.
+      #
+      # @param definition_or_key [String, Integer, Spree::MetafieldDefinition]
+      # @return [Integer, String] the definition's primary key value (Integer
+      #   for legacy integer-id setups, String for UUID setups).
+      # @raise [ArgumentError] for unknown / malformed input.
+      def resolve_metafield_definition_id(definition_or_key)
+        case definition_or_key
+        when Spree::MetafieldDefinition
+          definition_or_key.id
+        when Integer
+          definition_or_key
+        when String
+          resolve_metafield_definition_id_from_string(definition_or_key)
+        else
+          raise ArgumentError, "Invalid definition_or_key: #{definition_or_key.inspect}"
+        end
+      end
+      # @param value [String] one of: `"namespace.key"`, a prefixed id
+      #   (`"cfdef_..."`), or a bare numeric id (`"42"`).
+      # @return [Integer, String] the resolved definition's primary key value.
+      # @raise [ArgumentError] if the string doesn't match any known shape.
+      def resolve_metafield_definition_id_from_string(value)
+        # `"namespace.key"` — backend-internal callers that don't know the id;
+        # auto-create the definition if missing.
+        if value.include?('.')
+          namespace, key = extract_namespace_and_key(value)
+          return Spree::MetafieldDefinition.find_or_create_by!(
+            namespace: namespace, key: key, resource_type: self.class.name
+          ).id
+        end
+        # Prefixed id (`"cfdef_..."`/`"mfd_..."`). Use the canonical predicate
+        # so single-segment names with underscores (e.g. `"product_specs"`)
+        # don't get mistaken for prefixed ids. We must verify the decoded id
+        # actually exists — Sqids will happily decode any all-lowercase
+        # alphanumeric string to a phantom integer; without the existence
+        # check `find_or_initialize_by(metafield_definition_id: phantom_id)`
+        # would later raise a confusing "Metafield definition must exist"
+        # 422 instead of an "unknown id" 422.
+        if Spree::PrefixedId.prefixed_id?(value)
+          decoded = Spree::MetafieldDefinition.decode_prefixed_id(value)
+          existing = decoded && Spree::MetafieldDefinition.find_by(id: decoded)
+          raise ArgumentError, "Unknown metafield definition id: #{value.inspect}" if existing.nil?
+          return existing.id
+        end
+        # Bare numeric id ("42"). Reject anything else outright.
+        raise ArgumentError, "Invalid metafield definition reference: #{value.inspect}" unless /\A\d+\z/.match?(value)
+        value.to_i
       end
     end
   end

data/app/models/concerns/spree/preference_schema.rb ADDED Viewed

@@ -0,0 +1,191 @@
+module Spree
+  # Adds class-level helpers that surface a JSON-friendly description of
+  # a `Preferable` class's `preference :name, :type, default:` declarations.
+  #
+  # Used by the admin API (`/payment_methods/types`, `/promotion_actions/types`,
+  # `/promotion_rules/types`) so that admin UIs can render configuration forms
+  # for any provider/action/rule subclass without hard-coding field lists.
+  module PreferenceSchema
+    extend ActiveSupport::Concern
+    delegate :preference_schema, :serialized_preference_schema, :password_preference_keys, to: :class
+    # Wire-safe view of `preferences` with `:password`-typed values
+    # masked. Lives here (not in the serializer) so any consumer holding
+    # a Preferable instance gets the same safety guarantee — secrets
+    # must never leave the server in plaintext. Keys are stringified to
+    # match the wire shape expected by JSON clients.
+    #
+    # @return [Hash{String => Object}]
+    def serialized_preferences
+      Spree::Preferences::Masking.serialize(self)
+    end
+    class_methods do
+      # Returns `[{ key:, type:, default: }]` for every preference declared
+      # on this class (and its ancestors). Skips deprecated preferences.
+      #
+      # Memoized at class load — the schema is derived from the static
+      # `preference :name, :type` declarations, so it can never change at
+      # runtime. Each entry also caches `key_string` (frozen) so hot-path
+      # serializers don't allocate `pref.to_s` per request.
+      def preference_schema
+        @preference_schema ||= compute_preference_schema
+      end
+      # Wire-safe variant of `preference_schema` with `:password`
+      # defaults nilled out. A gateway author can set a non-empty
+      # default for a `:password` preference; without this redaction the
+      # default leaks alongside the masked live value. Memoized so admin
+      # index responses don't re-allocate per row.
+      #
+      # Strips `:key_string` — that's a server-only cache used by
+      # `Masking.serialize` to avoid `to_s` allocations per request, not
+      # part of the documented `{ key, type, default }` wire shape.
+      def serialized_preference_schema
+        @serialized_preference_schema ||= preference_schema.map do |field|
+          wire = { key: field[:key], type: field[:type], default: field[:default] }
+          wire[:default] = nil if field[:type] == :password
+          wire.freeze
+        end.freeze
+      end
+      # Set of `:password`-typed preference keys for this class. Memoized
+      # so write-side guards (e.g. the masked-round-trip check) don't
+      # walk the schema or fall back to a `rescue NoMethodError`.
+      def password_preference_keys
+        @password_preference_keys ||= preference_schema
+                                      .each_with_object(Set.new) { |field, set| set << field[:key] if field[:type] == :password }
+                                      .freeze
+      end
+      def compute_preference_schema
+        instance = new
+        instance.defined_preferences.filter_map do |pref|
+          next if instance.preference_deprecated(pref)
+          {
+            key: pref,
+            key_string: pref.to_s.freeze,
+            type: instance.preference_type(pref),
+            default: safe_preference_default(instance, pref)
+          }.freeze
+        end
+      rescue StandardError
+        []
+      end
+      # Builds a `parse_on_set:` lambda for `preference :foo_ids, :array`
+      # declarations that accept prefixed IDs (e.g. `cg_…`, `mkt_…`) from
+      # the API. Splits comma-separated entries, strips whitespace, and
+      # decodes any prefixed IDs to raw IDs so eligibility checks compare
+      # against `belongs_to` foreign keys directly.
+      #
+      # When `klass` is nil, prefixed-ID decoding is skipped — used for
+      # ISO/string-keyed preferences where the value is the identifier
+      # (e.g. country `:country_isos`).
+      #
+      # When `scope:` is given, the existence check runs through the
+      # scope relation derived from the owning record — prevents a
+      # rule from being persisted with IDs that belong to another
+      # store (e.g. a Market rule referencing markets from a different
+      # store). The proc receives the rule instance.
+      #
+      # @param klass [Class<Spree::Base>, nil] AR class used to resolve
+      #   prefixed IDs via Sqids decoding + a single existence check.
+      # @param scope [Proc, nil] optional `->(rule) { rule.price_list.store.markets }`
+      #   relation builder; defaults to the unscoped `klass`.
+      # @return [Proc] suitable for the `parse_on_set:` preference option.
+      def normalize_id_preference(klass: nil, scope: nil)
+        lambda do |values, owner = nil|
+          raw = Array(values).flat_map { |v| v.to_s.split(',') }.compact_blank.map(&:strip)
+          next raw unless klass
+          decoded = raw.map do |v|
+            Spree::PrefixedId.prefixed_id?(v) ? Spree::PrefixedId.decode_prefixed_id(v).to_s : v
+          end
+          relation = scope && owner ? scope.call(owner) : klass
+          found = relation.where(id: decoded).pluck(:id).map(&:to_s).to_set
+          missing = decoded.reject { |id| found.include?(id) }
+          raise ActiveRecord::RecordNotFound.new(
+            "Couldn't find #{klass.name} with id=#{missing.join(',')}", klass.name
+          ) if missing.any?
+          decoded
+        end
+      end
+      # Resolve a wire-format shorthand back to its registered subclass.
+      # Returns nil for unknown shorthands. Lookup is registry-driven so
+      # removed/foreign subclasses can't be smuggled in.
+      def find_by_api_type(shorthand)
+        return nil if shorthand.blank?
+        registered_subclasses.find { |klass| klass.api_type == shorthand.to_s }
+      end
+      # Returns a `[{ type:, label:, description:, preference_schema: }]`
+      # array for every concrete subclass in `subclasses`. Sorted by label
+      # for stable output. Uses `serialized_preference_schema` so
+      # `:password` defaults are redacted — `/types` is an unauthenticated
+      # discovery surface and must never leak gateway-shipped defaults.
+      def subclasses_with_preference_schema
+        registered_subclasses.map do |klass|
+          {
+            type: klass.api_type,
+            label: subclass_label(klass),
+            description: klass.respond_to?(:description) ? klass.description : nil,
+            preference_schema: klass.respond_to?(:serialized_preference_schema) ? klass.serialized_preference_schema : []
+          }
+        end.sort_by { |entry| entry[:label] }
+      end
+      # STI subclasses share the parent's `model_name`, so calling
+      # `klass.model_name.human` would return "Payment Method" for every
+      # entry. Subclasses can override by defining a class-level
+      # `display_name`. Otherwise:
+      #
+      #   Spree::PaymentMethod::Check       → "Check"
+      #   Spree::Gateway::Bogus             → "Bogus"
+      #   SpreeStripe::Gateway              → "Stripe"
+      #   SpreeAdyen::Gateway               → "Adyen"
+      #
+      # The "Gateway" branch handles the gem convention where each
+      # provider gem ships a top-level `Gateway` class (so demodulize
+      # would collapse them all to "Gateway"). Fall back to the outer
+      # module, with a leading `Spree` namespace stripped.
+      def subclass_label(klass)
+        return klass.display_name if klass.respond_to?(:display_name) && klass.display_name.present?
+        return klass.human_name if klass.respond_to?(:human_name) && klass.human_name.present?
+        leaf = klass.to_s.demodulize
+        return leaf.titleize unless leaf == 'Gateway'
+        outer = klass.to_s.split('::').first.to_s
+        outer.delete_prefix('Spree').presence&.titleize || leaf.titleize
+      end
+      private
+      # Each STI parent (PaymentMethod, PromotionAction, PromotionRule)
+      # already exposes its registry — we just route to the right one.
+      # Override in the including class to add support for custom parents.
+      def registered_subclasses
+        return providers if respond_to?(:providers)
+        return Spree.promotions.actions if name == 'Spree::PromotionAction'
+        return Spree.promotions.rules if name == 'Spree::PromotionRule'
+        []
+      end
+      # Defaults can be Procs that hit the database (e.g. `Spree::Store.default`);
+      # those aren't safe to evaluate at request time, so we stringify them.
+      def safe_preference_default(instance, pref)
+        instance.preference_default(pref)
+      rescue StandardError
+        nil
+      end
+    end
+  end
+end

data/app/models/concerns/spree/prefixed_id.rb CHANGED Viewed

@@ -20,6 +20,35 @@ module Spree
       class_attribute :_prefix_id_prefix, instance_writer: false
     end
+    # Automatically resolve prefixed ID strings for belongs_to foreign keys.
+    # e.g., product.assign_attributes(tax_category_id: "tc_86Rf07xd4z") will
+    # decode the prefixed ID to the integer primary key.
+    def assign_attributes(new_attributes)
+      return super if new_attributes.blank?
+      attrs = new_attributes.to_h
+      needs_resolution = attrs.any? do |key, value|
+        key_s = key.to_s
+        (value.is_a?(String) && key_s.end_with?('_id') && Spree::PrefixedId.prefixed_id?(value)) ||
+          (value.is_a?(Array) && key_s.end_with?('_ids') && value.any? { |v| Spree::PrefixedId.prefixed_id?(v) })
+      end
+      return super unless needs_resolution
+      resolved = attrs.each_with_object({}.with_indifferent_access) do |(key, value), hash|
+        key_s = key.to_s
+        if value.is_a?(String) && key_s.end_with?('_id') && Spree::PrefixedId.prefixed_id?(value)
+          hash[key] = self.class.resolve_prefixed_id_for_attribute(key_s, value)
+        elsif value.is_a?(Array) && key_s.end_with?('_ids')
+          hash[key] = self.class.resolve_prefixed_ids_for_attribute(key_s, value)
+        else
+          hash[key] = value
+        end
+      end
+      super(resolved)
+    end
     # Returns the Stripe-style prefixed ID, or nil for unsaved records.
     def prefixed_id
       return nil unless id.present?
@@ -36,35 +65,89 @@ module Spree
       prefixed_id.presence || super
     end
+    # Module-level methods for use without a model context (e.g., from ParamsNormalizer)
+    def self.prefixed_id?(value)
+      value.is_a?(String) && value.match?(/\A[a-z]+_[a-zA-Z0-9]+\z/)
+    end
+    def self.decode_prefixed_id(prefixed_id_string)
+      return nil if prefixed_id_string.blank?
+      parts = prefixed_id_string.to_s.split('_', 2)
+      return nil if parts.length != 2
+      _prefix, encoded = parts
+      ids = SQIDS.decode(encoded)
+      ids.first
+    end
     class_methods do
       def has_prefix_id(prefix)
         self._prefix_id_prefix = prefix.to_s
       end
+      def prefixed_id?(value)
+        Spree::PrefixedId.prefixed_id?(value)
+      end
+      # Memoized map of foreign_key → belongs_to reflection for prefixed ID resolution.
+      def belongs_to_reflections_by_fk
+        @belongs_to_reflections_by_fk ||= reflect_on_all_associations(:belongs_to)
+          .reject(&:polymorphic?)
+          .index_by { |a| a.foreign_key.to_s }
+      end
+      # Resolve a prefixed ID string for a belongs_to foreign key attribute.
+      # Uses the association's target class to validate the record exists.
+      # Only resolves when a matching belongs_to association exists — columns
+      # like external_id that happen to end with _id are left untouched.
+      # Resolves aliased FKs (via alias_attribute) to their canonical name.
+      def resolve_prefixed_id_for_attribute(attribute_name, prefixed_id_value)
+        canonical_name = attribute_aliases[attribute_name] || attribute_name
+        reflection = belongs_to_reflections_by_fk[canonical_name]
+        if reflection
+          reflection.klass.find_by_param!(prefixed_id_value).id
+        else
+          prefixed_id_value
+        end
+      end
+      # Resolve an array of prefixed IDs for a has_many _ids setter.
+      # Infers the target class from the association name (e.g., taxon_ids → taxons → Spree::Taxon).
+      # Only resolves when a matching association exists.
+      def resolve_prefixed_ids_for_attribute(attribute_name, values)
+        association_name = attribute_name.sub(/_ids$/, '').pluralize
+        reflection = reflect_on_association(association_name.to_sym)
+        klass = reflection&.klass
+        return values unless klass
+        values.map do |v|
+          if Spree::PrefixedId.prefixed_id?(v)
+            klass.find_by_param!(v).id
+          else
+            v
+          end
+        end
+      end
       def find_by_prefix_id!(prefixed_id)
-        decoded = decode_prefixed_id(prefixed_id)
+        decoded = Spree::PrefixedId.decode_prefixed_id(prefixed_id)
         raise ActiveRecord::RecordNotFound.new("Couldn't find #{name} with prefixed id=#{prefixed_id}", name) unless decoded
         find(decoded)
       end
       def find_by_prefix_id(prefixed_id)
-        decoded = decode_prefixed_id(prefixed_id)
+        decoded = Spree::PrefixedId.decode_prefixed_id(prefixed_id)
         return nil unless decoded
         find_by(id: decoded)
       end
-      # Decode a prefixed ID string (e.g., "prod_86Rf07xd4z") to the integer primary key.
       def decode_prefixed_id(prefixed_id_string)
-        return nil if prefixed_id_string.blank?
-        parts = prefixed_id_string.to_s.split('_', 2)
-        return nil if parts.length != 2
-        _prefix, encoded = parts
-        ids = Spree::PrefixedId::SQIDS.decode(encoded)
-        ids.first
+        Spree::PrefixedId.decode_prefixed_id(prefixed_id_string)
       end
       # Find by prefixed ID first, falling back to integer id for backwards compatibility.

data/app/models/concerns/spree/product_scopes.rb CHANGED Viewed

@@ -286,11 +286,12 @@ module Spree
       }
       def self.not_discontinued(only_not_discontinued = true)
-        if only_not_discontinued != '0' && only_not_discontinued
-          where(discontinue_on: [nil, Time.current.beginning_of_minute..])
-        else
-          all
-        end
+        return all if only_not_discontinued == '0' || !only_not_discontinued
+        channel = Spree::Current.channel
+        return where(discontinue_on: [nil, Time.current.beginning_of_minute..]) unless channel
+        for_channel(channel).where(Spree::ProductPublication.table_name => { unpublished_at: [nil, Time.current.beginning_of_minute..] })
       end
       def self.with_currency(currency)
@@ -300,11 +301,26 @@ module Spree
           distinct
       end
+      # @param available_on [Time, nil] cutoff for the published_at filter.
+      #   When passed, products are only included if their current-channel
+      #   publication's +published_at+ is at or before this time. When +nil+,
+      #   published_at is not filtered — matches legacy semantics where
+      #   +.available+ without args returned future-dated products too.
+      # @param currency [String, nil] currency to require a price in; nil
+      #   falls back to the default store's default currency.
       def self.available(available_on = nil, currency = nil)
+        cutoff = available_on
+        cutoff = cutoff.beginning_of_minute if cutoff.respond_to?(:beginning_of_minute)
         scope = not_discontinued.where(status: 'active')
-        if available_on
-          available_on = available_on.beginning_of_minute if available_on.respond_to?(:beginning_of_minute)
-          scope = scope.where("#{Product.quoted_table_name}.available_on <= ?", available_on)
+        if cutoff
+          scope = if (channel = Spree::Current.channel)
+                    scope.for_channel(channel)
+                         .where(Spree::ProductPublication.table_name => { published_at: [nil, ..cutoff] })
+                  else
+                    scope.where(Product.table_name => { available_on: ..cutoff })
+                  end
         end
         unless Spree::Config.show_products_without_price
@@ -315,6 +331,10 @@ module Spree
         scope
       end
+      def self.for_channel(channel)
+        joins(:product_publications).where(Spree::ProductPublication.table_name => { channel_id: channel.id })
+      end
       def self.active(currency = nil)
         available(nil, currency)
       end
@@ -343,19 +363,18 @@ module Spree
         group('spree_products.id').joins(:taxons).where(Taxon.arel_table[:name].eq(name))
       end
-      # Orders products by best selling based on units_sold_count and revenue
-      # from spree_products_stores (already joined via store.products).
-      #
-      # Uses Arel::Nodes::As so that ORDER BY expressions appear in SELECT
-      # and work with DISTINCT (same pattern as the price sorting scopes).
+      # Orders products by best-selling metrics (+units_sold_count+, +revenue+)
+      # tracked directly on +spree_products+. Uses Arel::Nodes::As so that
+      # ORDER BY expressions appear in SELECT and work with DISTINCT (same
+      # pattern as the price sorting scopes).
       scope :by_best_selling, ->(order_direction = :desc) {
-        sp_table = StoreProduct.table_name
-        units_expr = Arel.sql("COALESCE(#{sp_table}.units_sold_count, 0)")
-        revenue_expr = Arel.sql("COALESCE(#{sp_table}.revenue, 0)")
+        p_table = Product.table_name
+        units_expr = Arel.sql("COALESCE(#{p_table}.units_sold_count, 0)")
+        revenue_expr = Arel.sql("COALESCE(#{p_table}.revenue, 0)")
         order_dir = order_direction == :desc ? :desc : :asc
-        select("#{Product.table_name}.*").
+        select("#{p_table}.*").
           select(Arel::Nodes::As.new(units_expr, Arel.sql('best_selling_units'))).
           select(Arel::Nodes::As.new(revenue_expr, Arel.sql('best_selling_revenue'))).
           order(units_expr.send(order_dir)).

data/app/models/concerns/spree/ransackable_attributes.rb CHANGED Viewed

@@ -6,7 +6,11 @@ module Spree::RansackableAttributes
     class_attribute :whitelisted_ransackable_scopes
     class_attribute :default_ransackable_attributes
-    self.default_ransackable_attributes = %w[id name updated_at created_at]
+    # `position` is included so any `acts_as_list` model is sortable by it
+    # without each subclass having to opt in. Ransack ignores attributes
+    # the model doesn't actually expose, so this is a no-op for tables
+    # without a position column.
+    self.default_ransackable_attributes = %w[id name updated_at created_at position]
     def self.ransackable_associations(*_args)
       base = whitelisted_ransackable_associations || []

data/app/models/concerns/spree/search_indexable.rb CHANGED Viewed

@@ -68,14 +68,15 @@ module Spree
       false
     end
+    # Stores against which this record should be indexed/removed. By default
+    # we use the record's own +store_id+ (Product, Customer, Order, …). The
+    # multi-store extension overrides this to fan out across every store the
+    # record is attached to. Falling back to +Spree::Store.default+ covers
+    # records like categories/taxonomies that don't have a +store_id+ column.
     def store_ids_for_indexing
-      if respond_to?(:store_ids)
-        store_ids
-      elsif respond_to?(:store_id)
-        [store_id].compact
-      else
-        Spree::Store.pluck(:id)
-      end
+      return [store_id] if respond_to?(:store_id) && store_id.present?
+      Array(Spree::Store.default&.id)
     end
   end
 end

data/app/models/concerns/spree/searchable.rb CHANGED Viewed

@@ -11,9 +11,18 @@ module Spree
         encrypted_attributes = model_class.encrypted_attributes.presence || []
         if encrypted_attributes.include?(attribute.to_sym)
-          model_class.arel_table[attribute.to_sym].eq(query)
+          # Encrypted columns can only be compared by equality — wildcard
+          # LIKE escapes would prevent the row from matching itself, so pass
+          # the raw query straight through.
+          model_class.arel_table[attribute.to_sym].eq(query.to_s.strip)
         else
-          model_class.arel_table[attribute.to_sym].lower.matches("%#{query}%")
+          # Plain columns use case-insensitive LIKE. `sanitize_sql_like`
+          # escapes `_` and `%` so a query like `john_doe@example.com`
+          # doesn't have its underscore treated as a wildcard matching
+          # `john.doe@example.com`. Pass `\` as the ESCAPE character so
+          # SQLite/MySQL honor the escaping.
+          escaped = sanitize_query_for_search(query)
+          model_class.arel_table[attribute.to_sym].lower.matches("%#{escaped}%", '\\')
         end
       end