spree_core 5.2.4 → 5.2.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
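--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2d349836816cd2c1ec5919e21868926cd4eec24cb0c38c33cb744b37a9402dc9
+data.tar.gz: 8072164578532d141040fe3aab664d91cb00c2c8571c3b9a043cd4ccb23f1aa1
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4ad9ed9392d8cb3b34cf3fa0c294dca288fe2c5162ed20c84616ef82c71e2368ea7debb5264208b26703df22640cb612e4deadb98882dcd872f8622197b8d0e5
+data.tar.gz: a6cd8afa6b70d0fc758758c9555ab24da37800c7905220b7d5f0251bf19fa06f87d03315aba858476eb181705c32ba6d80fba4e387f419f892f7b1ec16631aac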
data/app/models/spree/ability.rb
CHANGED
|
@@ -143,7 +143,8 @@ module Spree
|
|
|
143
143
|
can :update, ::Spree::Order do |order, token|
|
|
144
144
|
!order.completed? && (order.user == user || order.token && token == order.token)
|
|
145
145
|
end
|
|
146
|
-
|
|
146
|
+
# Address management - only for persisted users with matching user_id
|
|
147
|
+
can :manage, ::Spree::Address, user_id: user.id if user.persisted?
|
|
147
148
|
can [:read, :destroy], ::Spree::CreditCard, user_id: user.id
|
|
148
149
|
can :read, ::Spree::Product
|
|
149
150
|
can :read, ::Spree::ProductProperty
|
|
@@ -43,8 +43,8 @@ module Spree
|
|
|
43
43
|
can :create, Spree.user_class
|
|
44
44
|
can [:show, :update, :destroy], Spree.user_class, id: user.id
|
|
45
45
|
|
|
46
|
-
# Address management
|
|
47
|
-
can :manage, Spree::Address, user_id: user.id
|
|
46
|
+
# Address management - only for persisted users with matching user_id
|
|
47
|
+
can :manage, Spree::Address, user_id: user.id if user.persisted?
|
|
48
48
|
|
|
49
49
|
# Credit card management
|
|
50
50
|
can [:read, :destroy], Spree::CreditCard, user_id: user.id
|
|
@@ -5,6 +5,10 @@ module Spree
|
|
|
5
5
|
include Spree::Addresses::Helper
|
|
6
6
|
|
|
7
7
|
def call(order:, params:, permitted_attributes:, request_env:)
|
|
8
|
+
# Validate address ownership to prevent IDOR attacks
|
|
9
|
+
address_ownership_error = validate_address_ownership(order, params)
|
|
10
|
+
return failure(order, address_ownership_error) if address_ownership_error
|
|
11
|
+
|
|
8
12
|
ship_changed = address_with_country_iso_present?(params, 'ship')
|
|
9
13
|
bill_changed = address_with_country_iso_present?(params, 'bill')
|
|
10
14
|
params[:order][:ship_address_attributes] = replace_country_iso_with_id(params[:order][:ship_address_attributes]) if ship_changed
|
|
@@ -26,6 +30,26 @@ module Spree
|
|
|
26
30
|
|
|
27
31
|
private
|
|
28
32
|
|
|
33
|
+
def validate_address_ownership(order, params)
|
|
34
|
+
return nil unless params[:order]
|
|
35
|
+
|
|
36
|
+
%w[bill ship].each do |address_kind|
|
|
37
|
+
address_id = params[:order].dig("#{address_kind}_address_attributes".to_sym, :id)
|
|
38
|
+
next unless address_id
|
|
39
|
+
|
|
40
|
+
address = Spree::Address.find_by(id: address_id)
|
|
41
|
+
next unless address
|
|
42
|
+
|
|
43
|
+
# Allow if address has no user (guest address) or belongs to the order's user
|
|
44
|
+
next if address.user_id.nil?
|
|
45
|
+
next if order.user_id.present? && address.user_id == order.user_id
|
|
46
|
+
|
|
47
|
+
return Spree.t(:address_not_owned_by_user)
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
nil
|
|
51
|
+
end
|
|
52
|
+
|
|
29
53
|
def address_with_country_iso_present?(params, address_kind = 'ship')
|
|
30
54
|
return false unless params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_iso)
|
|
31
55
|
return false if params.dig(:order, "#{address_kind}_address_attributes".to_sym, :country_id)
|
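--- a/data/config/locales/en.yml
+++ b/data/config/locales/en.yml
@@ -667,6 +667,7 @@ en:
 successfully_updated: Updated successfully
 unsuccessfully_saved: There was an error while trying to save your address.
 unsuccessfully_updated: There was an update while trying to update your address.
+address_not_owned_by_user: The specified address does not belong to this user.
 address_settings: Address settings
 addresses: Addresses
 adjustable: Adjustable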
data/lib/spree/core/version.rb
CHANGED
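--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_core
 version: !ruby/object:Gem::Version
-version: 5.2.
+version: 5.2.5
 platform: ruby
 authors:
 - Sean Schofield
@@ -1703,9 +1703,9 @@ licenses:
 - BSD-3-Clause
 metadata:
 bug_tracker_uri: https://github.com/spree/spree/issues
-changelog_uri: https://github.com/spree/spree/releases/tag/v5.2.
+changelog_uri: https://github.com/spree/spree/releases/tag/v5.2.5
 documentation_uri: https://docs.spreecommerce.org/
-source_code_uri: https://github.com/spree/spree/tree/v5.2.
+source_code_uri: https://github.com/spree/spree/tree/v5.2.5
 rdoc_options: []
 require_paths:
 - lib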