spree_core 5.1.8 → 5.1.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/models/spree/ability.rb +2 -1
- data/app/services/spree/checkout/update.rb +24 -0
- data/config/locales/en.yml +1 -0
- data/lib/spree/core/version.rb +1 -1
- metadata +4 -4
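--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b1748c4271482ee3e96c5906e46485ac20338b04bebd95afd212c745057c8e8c
+data.tar.gz: 9b09bdfee4bab45b6459ae45613fb7ab5cbc954a35c4faf068af8d6307cd3c49
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0ead21adfcd25154f5bd90ecc61fed2fc698d3b6732f6b32338428528fc5b56ed84592fd8f758f04286cf75bc0db42cc05ea68eb8e3760bd7da50cec1104c885
+data.tar.gz: 0fa9c777974240732b85adcb82cb1e2160684e7a0bcd795bb97f90e9145c9a645c1fb0e742786430c236cb88017abf2c55b1ecba3b91e256de2a985afd778888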
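--- a/data/app/models/spree/ability.rb
+++ b/data/app/models/spree/ability.rb
@@ -78,7 +78,8 @@ module Spree
 can :update, ::Spree::Order do |order, token|
 !order.completed? && (order.user == user || order.token && token == order.token)
 end
-
+# Address management - only for persisted users with matching user_id
+can :manage, ::Spree::Address, user_id: user.id if user.persisted?
 can [:read, :destroy], ::Spree::CreditCard, user_id: user.id
 can :read, ::Spree::Product
 can :read, ::Spree::ProductProperty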
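Review bot: The hash condition on the new `can :manage, ::Spree::Address, user_id: user.id if user.persisted?` line is only evaluated for instance-level checks; a class-level `can?(:manage, Spree::Address)` still answers true for any persisted user, so the `user_id` scoping only takes effect when controllers `authorize!` on the loaded address record. A comment making that explicit would help, e.g. `# Condition is checked per record - always authorize on the loaded Address, never on the class`. Because `:manage` also covers `:create`, the condition is compared against the new record's `user_id`, so code that builds addresses should assign `user_id` from the current user rather than from request params. The enclosing ability method starts and ends outside the hunk.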
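--- a/data/app/services/spree/checkout/update.rb
+++ b/data/app/services/spree/checkout/update.rb
@@ -5,6 +5,10 @@ module Spree
 include Spree::Addresses::Helper
 
 def call(order:, params:, permitted_attributes:, request_env:)
+# Validate address ownership to prevent IDOR attacks
+address_ownership_error = validate_address_ownership(order, params)
+return failure(order, address_ownership_error) if address_ownership_error
+
 ship_changed = address_with_country_iso_present?(params, 'ship')
 bill_changed = address_with_country_iso_present?(params, 'bill')
 params[:order][:ship_address_attributes] = replace_country_iso_with_id(params[:order][:ship_address_attributes]) if ship_changed
@@ -26,6 +30,26 @@ module Spree
 
 private
 
+def validate_address_ownership(order, params)
+return nil unless params[:order]
+
+%w[bill ship].each do |address_kind|
+address_id = params[:order].dig("#{address_kind}_address_attributes".to_sym, :id)
+next unless address_id
+
+address = Spree::Address.find_by(id: address_id)
+next unless address
+
+# Allow if address has no user (guest address) or belongs to the order's user
+next if address.user_id.nil?
+next if order.user_id.present? && address.user_id == order.user_id
+
+return Spree.t(:address_not_owned_by_user)
+end
+
+nil
+end
+
 def address_with_country_iso_present?(params, address_kind = 'ship')
 return false unless params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_iso)
 return false if params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_id)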
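Review bot: `next if address.user_id.nil?` in `validate_address_ownership` accepts any existing user-less address by id alone, so it does not bind a guest address to the order being updated; the `# Allow if address has no user (guest address)` comment states the intent but not that limit. If a guest may only legitimately resubmit the order's own addresses, `next if address.user_id.nil? && [order.bill_address_id, order.ship_address_id].include?(address.id)` ties the nil-user case to this order — assuming those are the order's address foreign keys and that no flow reuses a detached guest address; if such a flow exists, the comment should say why the looser check is acceptable. Note also that `return` inside `%w[bill ship].each` is correct here (it exits the method), but `find`/`filter_map` would express "first failing kind" more directly, and `:"#{address_kind}_address_attributes"` avoids the `.to_sym` call on a non-user string. The body of `call` continues past the first hunk, and the file has no header on this page — the path is taken from the diffstat.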
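--- a/data/config/locales/en.yml
+++ b/data/config/locales/en.yml
@@ -642,6 +642,7 @@ en:
 successfully_updated: Updated successfully
 unsuccessfully_saved: There was an error while trying to save your address.
 unsuccessfully_updated: There was an update while trying to update your address.
+address_not_owned_by_user: The specified address does not belong to this user.
 address_settings: Address settings
 addresses: Addresses
 adjustable: Adjustable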
data/lib/spree/core/version.rb
CHANGED
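--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_core
 version: !ruby/object:Gem::Version
-version: 5.1.
+version: 5.1.9
 platform: ruby
 authors:
 - Sean Schofield
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2026-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: i18n-tasks
@@ -1383,9 +1383,9 @@ licenses:
 - BSD-3-Clause
 metadata:
 bug_tracker_uri: https://github.com/spree/spree/issues
-changelog_uri: https://github.com/spree/spree/releases/tag/v5.1.
+changelog_uri: https://github.com/spree/spree/releases/tag/v5.1.9
 documentation_uri: https://docs.spreecommerce.org/
-source_code_uri: https://github.com/spree/spree/tree/v5.1.
+source_code_uri: https://github.com/spree/spree/tree/v5.1.9
 post_install_message:
 rdoc_options: []
 require_paths: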