spree_core 4.10.1 → 4.10.2
- checksums.yaml +4 -4
- data/app/models/spree/ability.rb +2 -1
- data/app/services/spree/checkout/update.rb +24 -0
- data/config/locales/en.yml +1 -0
- data/lib/spree/core/version.rb +1 -1
- metadata +4 -4
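--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5a3f970e11df3f92c53436155f90c3d5e10ee3f8dbac77c15096b5b69f23e1a1
+data.tar.gz: 8b0487012673c1da44270b625b22af7ab74a2bc3db16ead5ccf0bd1ac514a3bd
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6f28e8ac4fbb702c5ff5764d18976b5246bf5d2f89659e3068e2df99e0ec5aa422e8ca7e719e0f724a70bcb9b973ef30b82a6ae4acbe2980b346092bccd6009b
+data.tar.gz: deab9f6152ded24ae86ec5bff925a0858f17d13d372d0a769cff47dc38c469d66fff8ad58931e59d1eac959f78ef8a62d7c4521ca618ecb38cccef7169f1a265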
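--- a/data/app/models/spree/ability.rb
+++ b/data/app/models/spree/ability.rb
@@ -73,7 +73,8 @@ module Spree
 can :update, ::Spree::Order do |order, token|
 !order.completed? && (order.user == user || order.token && token == order.token)
 end
-
+# Address management - only for persisted users with matching user_id
+can :manage, ::Spree::Address, user_id: user.id if user.persisted?
 can [:read, :destroy], ::Spree::CreditCard, user_id: user.id
 can :read, ::Spree::Product
 can :read, ::Spree::ProductProperty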
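Review bot: The comment added at new line 76 states the rule but not why the `user.persisted?` guard matters, and that is the security-relevant part: an unpersisted user has a nil `id`, so without the guard the hash condition would become `user_id: nil` and match every address that has no owner. I would make that explicit: `# Address management - only for persisted users with matching user_id (an unpersisted guest has a nil id, and user_id: nil would match every ownerless address)`. The removed line's text did not survive rendering, so I cannot confirm what the previous condition granted. The enclosing definition starts and ends outside the hunk.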
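--- a/data/app/services/spree/checkout/update.rb
+++ b/data/app/services/spree/checkout/update.rb
@@ -5,6 +5,10 @@ module Spree
 include Spree::Addresses::Helper
 
 def call(order:, params:, permitted_attributes:, request_env:)
+# Validate address ownership to prevent IDOR attacks
+address_ownership_error = validate_address_ownership(order, params)
+return failure(order, address_ownership_error) if address_ownership_error
+
 ship_changed = address_with_country_iso_present?(params, 'ship')
 bill_changed = address_with_country_iso_present?(params, 'bill')
 params[:order][:ship_address_attributes] = replace_country_iso_with_id(params[:order][:ship_address_attributes]) if ship_changed
@@ -18,6 +22,26 @@ module Spree
 
 private
 
+def validate_address_ownership(order, params)
+return nil unless params[:order]
+
+%w[bill ship].each do |address_kind|
+address_id = params[:order].dig("#{address_kind}_address_attributes".to_sym, :id)
+next unless address_id
+
+address = Spree::Address.find_by(id: address_id)
+next unless address
+
+# Allow if address has no user (guest address) or belongs to the order's user
+next if address.user_id.nil?
+next if order.user_id.present? && address.user_id == order.user_id
+
+return Spree.t(:address_not_owned_by_user)
+end
+
+nil
+end
+
 def address_with_country_iso_present?(params, address_kind = 'ship')
 return false unless params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_iso)
 return false if params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_id)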
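Review bot: `next if address.user_id.nil?` in validate_address_ownership accepts any ownerless address for any order, so the new check only rejects addresses that already belong to a different user; an address created during a guest checkout stays attachable to an unrelated order by its id, which is the same kind of reference the comment above `call` says this guard is meant to stop. Whether that matters depends on how the nested `id` is consumed after `call` returns (outside the hunk); if the intent is to confine an ownerless address to the order it was created for, the allowance could be narrowed to `next if address.user_id.nil? && [order.bill_address_id, order.ship_address_id].include?(address.id)`, assuming Order exposes those foreign keys. The method also passes silently when `params[:order]` is keyed by strings, because `dig` is called with symbols — the same convention `address_with_country_iso_present?` already relies on, so it only needs confirming if a caller can pass a plain Hash. A `# @return [String, nil] translated error message, or nil when every referenced address is allowed` line above `def validate_address_ownership` would document the nil-or-message contract that `call` depends on.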
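--- a/data/config/locales/en.yml
+++ b/data/config/locales/en.yml
@@ -548,6 +548,7 @@ en:
 successfully_updated: "Updated successfully"
 unsuccessfully_updated: "There was an update while trying to update your address."
 save: "Save"
+address_not_owned_by_user: The specified address does not belong to this user.
 adjustable: Adjustable
 adjustment: Adjustment
 adjustment_amount: Amount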
data/lib/spree/core/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: spree_core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.10.
|
|
4
|
+
version: 4.10.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sean Schofield
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date:
|
|
13
|
+
date: 2026-01-08 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: actionpack
|
|
@@ -1165,9 +1165,9 @@ licenses:
|
|
|
1165
1165
|
- BSD-3-Clause
|
|
1166
1166
|
metadata:
|
|
1167
1167
|
bug_tracker_uri: https://github.com/spree/spree/issues
|
|
1168
|
-
changelog_uri: https://github.com/spree/spree/releases/tag/v4.10.
|
|
1168
|
+
changelog_uri: https://github.com/spree/spree/releases/tag/v4.10.2
|
|
1169
1169
|
documentation_uri: https://docs.spreecommerce.org/
|
|
1170
|
-
source_code_uri: https://github.com/spree/spree/tree/v4.10.
|
|
1170
|
+
source_code_uri: https://github.com/spree/spree/tree/v4.10.2
|
|
1171
1171
|
post_install_message:
|
|
1172
1172
|
rdoc_options: []
|
|
1173
1173
|
require_paths:
|