spree_core 5.5.0.rc2 → 5.5.0.rc3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d9453fadded9ac66f0b64ac5af7ca30a78516088edafa569cd18bcf0b541e1f
-  data.tar.gz: 72af3c8a53371f288c2084d2eed1e1f6635d0f2273bcb49f40adc626fe96d4c2
+  metadata.gz: 710ad2cd963e80f3cd21d2b481246a8a163dc2033fca523292f33ec17fd86525
+  data.tar.gz: c59f53d88277a62e55d327cd99c025e8808b30ecf1392ff3ccc9a98ff7cd9026
 SHA512:
-  metadata.gz: 073262b0c991fdbae6c780957052d84ee297abfc6b438b6b1476bc301fc69af8c67ed9904a89e080a14309ac26b86352ad4627f934c0b972c649d520f105c936
-  data.tar.gz: 4c581530147dac6e5b3ea79c655a9c739f40f6ce10b55adcdd5abe46d02073a96268e27a64790cc93c607dfe60cc3aef2c62ded74ad4daa3635135ce21847293
+  metadata.gz: 67c2f7227e1b20972b41b4dbfceeb2a00cb8c7c21cc0b295fe907d496a581b59b9eb919b41f6a89f6d7f4b19d5c5c6a405733b003915c8e8c6fb4811c15f43a6
+  data.tar.gz: 6355791ca10c5e668752f27b3ff7918b3f4ea27bad3b0308f597a310ec518cf139c93d6f562e2da55938524dc381f5a759b4618bc19ad8d684cb7a30841bf821

data/app/models/concerns/spree/store_scoped_resource.rb

@@ -12,7 +12,10 @@ module Spree
 
     def set_default_store
       return if disable_store_presence_validation?
-      return if stores.any?
+      # records built through a store's association (`store.payment_methods.build`)
+      # carry their link on the join association — `stores` can't see it until save
+      join_association = self.class.reflect_on_association(:stores).through_reflection.name
+      return if stores.any? || send(join_association).any?
 
       stores << Spree::Store.default
     end

data/app/models/concerns/spree/typed_associations.rb

@@ -54,7 +54,14 @@ module Spree
     def reconcile_typed_association(association, rows)
       collection = public_send(association)
       kept_ids = rows.filter_map { |row| save_typed_association_row(collection, row) }
-      collection.where.not(id: kept_ids).destroy_all if kept_ids.any? || rows.empty?
+      if kept_ids.any? || rows.empty?
+        collection.where.not(id: kept_ids).destroy_all
+        # `where.not(...).destroy_all` deletes the dropped rows from the DB but
+        # leaves them in the already-loaded association target. Reset so a
+        # same-request read (e.g. the serializer rendering `rule_ids`) reflects
+        # the removal instead of echoing ghosts.
+        collection.reset
+      end
     end
 
     def save_typed_association_row(collection, row)

data/app/models/spree/ability.rb

@@ -44,15 +44,18 @@ module Spree
       activate_permission_sets(permission_sets)
     end
 
-    # Determines the role names for the current user.
+    # Determines the role names for the current user, scoped to the current
+    # store. A +Spree::RoleUser+ binds a role to a store via +resource+, so a
+    # role held on one store does not apply on another.
     #
     # @return [Array<Symbol>] the role names
     def determine_role_names
       return [:default] unless @user.persisted?
 
-      # First, try to get roles from the spree_roles association
-      if @user.respond_to?(:spree_roles)
-        role_names = @user.spree_roles.pluck(:name).map(&:to_sym)
+      if @user.respond_to?(:role_users)
+        role_names = @user.role_users.where(resource: @store).
+                     joins(:role).
+                     pluck("#{Spree::Role.table_name}.name").map(&:to_sym)
         return role_names if role_names.any?
       end
 

data/app/models/spree/allowed_origin.rb

@@ -2,6 +2,10 @@
 
 module Spree
   class AllowedOrigin < Spree.base_class
+    # Loopback/development hosts that match any port, so storing `http://localhost`
+    # keeps matching `http://localhost:3000`, `:4000`, etc.
+    LOOPBACK_HOSTS = %w[localhost 127.0.0.1 ::1 0.0.0.0].freeze
+
     has_prefix_id :ao
 
     include Spree::SingleStoreResource
@@ -12,6 +16,42 @@ module Spree
     validates :origin, uniqueness: { scope: [:store_id, *spree_base_uniqueness_scope] }
     validate :origin_must_be_valid_http_url
 
+    # Parses a URL into its comparable origin components, or nil when the URL is
+    # invalid or not http(s). The host is downcased and has a single trailing dot
+    # stripped, and the port is the URI default (80/443) when not explicitly given.
+    #
+    # @param url [String] the URL to parse
+    # @return [Hash, nil] `{ scheme:, host:, port: }` or nil
+    def self.parse_origin(url)
+      uri = URI.parse(url.to_s)
+      return nil unless uri.is_a?(URI::HTTP)
+      return nil if uri.host.blank?
+
+      { scheme: uri.scheme.downcase, host: uri.host.downcase.chomp('.'), port: uri.port }
+    rescue URI::InvalidURIError
+      nil
+    end
+
+    # Returns true if the given URL's origin matches this stored origin.
+    #
+    # Scheme and host must match exactly (host comparison is case- and trailing-dot-
+    # insensitive). Port must also match, with the scheme default applied, so storing
+    # `https://shop.com` matches `https://shop.com:443`. Loopback/development hosts
+    # ({LOOPBACK_HOSTS}) are exempt from the port check, so `http://localhost` still
+    # matches `http://localhost:3000`, `:4000`, etc.
+    #
+    # @param url [String] the candidate URL to check
+    # @return [Boolean]
+    def matches?(url)
+      candidate = self.class.parse_origin(url)
+      allowed = self.class.parse_origin(origin)
+      return false if candidate.nil? || allowed.nil?
+      return false unless allowed[:scheme] == candidate[:scheme]
+      return false unless allowed[:host] == candidate[:host]
+
+      LOOPBACK_HOSTS.include?(allowed[:host]) || allowed[:port] == candidate[:port]
+    end
+
     private
 
     def origin_must_be_valid_http_url
@@ -19,12 +59,7 @@ module Spree
 
       uri = URI.parse(origin)
 
-      unless uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
-        errors.add(:origin, :invalid)
-        return
-      end
-
-      if uri.host.blank?
+      if self.class.parse_origin(origin).nil?
         errors.add(:origin, :invalid)
         return
       end

data/app/models/spree/api_key.rb

@@ -57,6 +57,13 @@ module Spree
     validates :store, presence: true
     validates :scopes, presence: true, if: -> { secret? && scopes_enforceable? }
     validate :validate_known_scopes, if: -> { secret? && scopes_enforceable? }
+    # Scopes are fixed for the life of the secret — mirroring Stripe/GitHub/AWS:
+    # authority is changed by issuing a new key and revoking the old one, never by
+    # re-scoping an existing secret in place. This keeps the audit boundary clean
+    # and prevents a shared/leaked key from silently gaining write access. The
+    # guard is at the model so every entry point (API, legacy admin, rake tasks)
+    # is covered uniformly.
+    validate :scopes_immutable, if: -> { secret? && persisted? && scopes_changed? }
 
     before_validation :generate_token, on: :create
 
@@ -145,6 +152,10 @@ module Spree
       errors.add(:scopes, "contains unknown scopes: #{invalid.join(', ')}") if invalid.any?
     end
 
+    def scopes_immutable
+      errors.add(:scopes, Spree.t(:api_key_scopes_immutable))
+    end
+
     # Generates the token on creation. For publishable keys, stores the raw token
     # in the +token+ column. For secret keys, computes an HMAC-SHA256 digest stored
     # in +token_digest+, saves the first 12 characters as +token_prefix+ for display,

data/app/models/spree/payment_method.rb

@@ -22,7 +22,7 @@ module Spree
     validates :name, presence: true
     normalizes :name, with: ->(value) { value&.to_s&.squish&.presence }
 
-    has_many :store_payment_methods, class_name: 'Spree::StorePaymentMethod'
+    has_many :store_payment_methods, class_name: 'Spree::StorePaymentMethod', inverse_of: :payment_method
     has_many :stores, class_name: 'Spree::Store', through: :store_payment_methods
 
     has_many :payments, class_name: 'Spree::Payment', inverse_of: :payment_method, dependent: :nullify

data/app/models/spree/price_list.rb

@@ -303,8 +303,18 @@ module Spree
       to_remove = current - desired
       to_add = desired - current
 
+      return unless to_remove.any? || to_add.any?
+
       remove_products(to_remove) if to_remove.any?
       add_products(to_add) if to_add.any?
+
+      # Membership is changed via raw `upsert_all`/`delete_all` on `prices`,
+      # which bypasses the `variants`/`products` association caches (and the
+      # `product_ids` ids-reader memo `current` populated above). Reset them so
+      # a same-request read — e.g. the serializer's `product_ids` — reflects the
+      # new membership instead of the pre-change set.
+      association(:variants).reset
+      association(:products).reset
     end
 
     def apply_pending_prices

data/app/models/spree/product/channels.rb

@@ -96,6 +96,13 @@ module Spree
         self.store ||= Spree::Current.store || Spree::Store.default
       end
 
+      # The store a product's associations (categories, channels) must belong
+      # to. Falls back to the request/default store for not-yet-persisted
+      # products whose `store` hasn't been assigned.
+      def assignable_store
+        store || Spree::Current.store || Spree::Store.default
+      end
+
       def pending_publications?
         @pending_publications_params.present?
       end
@@ -126,9 +133,14 @@ module Spree
             publication.update!(publication_data.slice(:published_at, :unpublished_at))
             publication_ids_in_payload << publication.id
           elsif channel_id.present?
+            # Only publish to channels owned by the product's store; ignore
+            # ids referencing another store's channel.
+            channel = publishable_channels.find_by(id: channel_id)
+            next unless channel
+
             # Upsert by channel_id so repeat submissions are idempotent
             # against the unique (product_id, channel_id) index.
-            publication = product_publications.find_or_initialize_by(channel_id: channel_id)
+            publication = product_publications.find_or_initialize_by(channel_id: channel.id)
             publication.assign_attributes(publication_data.slice(:published_at, :unpublished_at))
             publication.save!
             publication_ids_in_payload << publication.id
@@ -144,6 +156,11 @@ module Spree
 
         Spree::PrefixedId.decode_prefixed_id(value) || value
       end
+
+      # Channels the product may be published to — those owned by its store.
+      def publishable_channels
+        assignable_store.channels
+      end
     end
   end
 end

data/app/models/spree/product.rb

@@ -211,11 +211,14 @@ module Spree
     end
 
     # Maps 6.0 API name (category_ids) to model column (taxon_ids).
-    # Accepts both prefixed IDs and raw integer IDs.
+    # Accepts both prefixed IDs and raw integer IDs. Only taxons belonging to
+    # the product's own store are assigned — ids from another store's
+    # taxonomies are dropped, preventing cross-store category attachment.
     def category_ids=(ids)
-      self.taxon_ids = Array(ids).filter_map do |id|
+      decoded_ids = Array(ids).filter_map do |id|
         id.to_s.include?('_') ? Spree::Taxon.decode_prefixed_id(id) : id
       end
+      self.taxon_ids = Spree::Taxon.for_store(assignable_store).where(id: decoded_ids).ids
     end
 
     # Sync media inline. Entries with `id` patch the existing asset
@@ -757,6 +760,7 @@ module Spree
     def apply_variants(variants_params)
       variant_ids_in_payload = []
       master_touched = false
+      mutated = false
 
       variants_params.each do |variant_data|
         variant_data = variant_data.to_h.with_indifferent_access
@@ -767,6 +771,7 @@ module Spree
           variant = variants_including_master.find_by_param!(variant_id)
           variant.update!(variant_data)
           variant_ids_in_payload << variant.id
+          mutated = true
         elsif options.blank? || (options.is_a?(Array) && options.empty?)
           # An entry with no options addresses the master variant. Building a
           # non-master here would create a phantom duplicate (the auto-built
@@ -778,18 +783,46 @@ module Spree
           target.assign_attributes(variant_data)
           target.save!
           master_touched = true
+          mutated = true
         else
           variant = variants.build
           variant.assign_attributes(variant_data)
           variant.save!
           variant_ids_in_payload << variant.id
+          mutated = true
         end
       end
 
       # Remove variants not in the payload (only non-master). If only the
       # master was touched (simple product), leave existing non-master
       # variants alone — the payload is partial, not a full replacement.
-      variants.where.not(id: variant_ids_in_payload).destroy_all if variant_ids_in_payload.any? && !master_touched
+      if variant_ids_in_payload.any? && !master_touched
+        removed = variants.where.not(id: variant_ids_in_payload).destroy_all
+        mutated ||= removed.any?
+      end
+
+      sync_variant_state! if mutated
+    end
+
+    # Re-syncs the in-memory derived variant state after `apply_variants`
+    # mutates variants out-of-band (the variant counter is bumped via
+    # `Spree::Product.increment_counter` in a Variant callback, and
+    # `default_variant` is memoized). Without this, a freshly built/updated
+    # product serialized in the same request returns a stale `variant_count`
+    # and a stale `price` (delegated to the memoized `default_variant`).
+    #
+    # The `default_variant` memo reset here changes shape once master is
+    # removed (it becomes a `belongs_to` FK). See
+    # docs/plans/6.0-remove-master-variant.md (Phase 3).
+    # @return [void]
+    def sync_variant_state!
+      # `variant_count` is maintained by a direct counter update in a Variant
+      # callback, so the in-memory attribute is stale here — re-read it from the
+      # row without reloading the whole record.
+      self[:variant_count] = self.class.where(id: id).pick(:variant_count)
+      variants.reset
+      @default_variant = nil
+      @default_variant_id = nil
     end
 
     def add_associations_from_prototype
@@ -811,6 +844,7 @@ module Spree
 
     # Builds variants from a hash of option types & values
     def build_variants_from_option_values_hash
+      Spree::Deprecation.warn('Spree::Product#build_variants_from_option_values_hash is deprecated and will be removed in Spree 6.0.')
       ensure_option_types_exist_for_values_hash
       values = option_values_hash.values
       values = values.inject(values.shift) { |memo, value| memo.product(value).map(&:flatten) }
@@ -925,12 +959,14 @@ module Spree
     end
 
     def discontinue_on_must_be_later_than_make_active_at
+      Spree::Deprecation.warn('Spree::Product#discontinue_on_must_be_later_than_make_active_at is deprecated and will be removed in Spree 6.0.')
       if discontinue_on < make_active_at
         errors.add(:discontinue_on, :invalid_date_range)
       end
     end
 
     def requires_price?
+      Spree::Deprecation.warn('Spree::Product#requires_price? is deprecated and will be removed in Spree 6.0.')
       Spree::Config[:require_master_price]
     end
 

data/app/models/spree/promotion.rb

@@ -86,7 +86,9 @@ module Spree
     #
     # Ransack
     #
-    self.whitelisted_ransackable_attributes = ['path', 'promotion_category_id', 'code', 'starts_at', 'expires_at']
+    # `name` is whitelisted so the admin global search / command palette can
+    # filter via the `name_or_code_cont` predicate without a dedicated scope.
+    self.whitelisted_ransackable_attributes = ['name', 'path', 'promotion_category_id', 'code', 'starts_at', 'expires_at']
     self.whitelisted_ransackable_associations = %w[coupon_codes]
 
     def self.with_coupon_code(coupon_code)

data/app/models/spree/store.rb

@@ -82,6 +82,7 @@ module Spree
     has_many :variants, through: :products, class_name: 'Spree::Variant', source: :variants_including_master
     has_many :stock_items, through: :variants, class_name: 'Spree::StockItem'
     has_many :prices, through: :variants, class_name: 'Spree::Price'
+    has_many :price_lists, class_name: 'Spree::PriceList', inverse_of: :store
     has_many :inventory_units, through: :variants, class_name: 'Spree::InventoryUnit'
     has_many :option_value_variants, through: :variants, class_name: 'Spree::OptionValueVariant'
     has_many :customer_returns, class_name: 'Spree::CustomerReturn', inverse_of: :store
@@ -278,25 +279,14 @@ module Spree
     end
 
     # Returns true if the given URL's origin matches one of the store's allowed origins.
-    # Comparison is port-less: only scheme + host are matched, so storing
-    # `http://localhost` will match `http://localhost:3000`, `http://localhost:4000`, etc.
+    # See {Spree::AllowedOrigin#matches?} for the matching rules (scheme/host/port).
     #
     # @param url [String] the full URL to check
     # @return [Boolean]
     def allowed_origin?(url)
       return false if url.blank?
 
-      uri = URI.parse(url)
-      request_origin = "#{uri.scheme}://#{uri.host}"
-
-      allowed_origins.pluck(:origin).any? do |stored|
-        stored_uri = URI.parse(stored)
-        "#{stored_uri.scheme}://#{stored_uri.host}" == request_origin
-      rescue URI::InvalidURIError
-        false
-      end
-    rescue URI::InvalidURIError
-      false
+      allowed_origins.any? { |allowed_origin| allowed_origin.matches?(url) }
     end
 
     # Returns the states available for checkout for the store

data/app/models/spree/store_payment_method.rb

@@ -3,7 +3,7 @@ module Spree
     self.table_name = 'spree_payment_methods_stores'
 
     belongs_to :store, class_name: 'Spree::Store', touch: true
-    belongs_to :payment_method, class_name: 'Spree::PaymentMethod', touch: true
+    belongs_to :payment_method, class_name: 'Spree::PaymentMethod', touch: true, inverse_of: :store_payment_methods
 
     validates :store, :payment_method, presence: true
     validates :store_id, uniqueness: { scope: :payment_method_id }

data/app/models/spree/variant.rb

@@ -539,7 +539,20 @@ module Spree
     # @param compare_at_amount [BigDecimal] the compare at amount to set
     # @return [void]
     def set_price(currency, amount, compare_at_amount = nil)
-      price = prices.base_prices.find_or_initialize_by(currency: currency)
+      # When the prices association is already loaded (eager-loaded for
+      # serialization), reuse the cached base-price instance so readers that
+      # branch on `prices.loaded?` (Pricing::Resolver, #price_in, serializers)
+      # observe the write without a reload. `base_prices.find_or_initialize_by`
+      # would issue a fresh query and return a detached object, leaving the
+      # loaded collection — and the serialized response — stale.
+      price =
+        if prices.loaded?
+          prices.detect { |p| p.price_list_id.nil? && p.currency == currency } ||
+            prices.build(currency: currency)
+        else
+          prices.base_prices.find_or_initialize_by(currency: currency)
+        end
+
       price.amount = amount
       price.compare_at_amount = compare_at_amount
       price.save! if persisted?

data/app/services/spree/gift_cards/apply.rb

@@ -69,10 +69,7 @@ module Spree
         payment_method.name ||= Spree.t(:store_credit_name)
         payment_method.active = true
 
-        if payment_method.new_record?
-          payment_method.stores << store unless payment_method.stores.include?(store)
-          payment_method.save!
-        end
+        payment_method.save! if payment_method.new_record?
 
         payment_method
       end

data/app/services/spree/imports/row_processors/product_variant.rb

@@ -99,6 +99,9 @@ module Spree
             product.slug = attributes['slug']
             product.sku = attributes['sku'] if attributes['sku'].present? && options.empty?
             product.store = store
+            # Publish to the store's default channel so imported products surface
+            # in the storefront.
+            product.channels << store.default_channel if store.default_channel && product.channels.empty?
           end
 
           product.name = attributes['name'] if attributes['name'].present?

data/app/services/spree/seeds/payment_methods.rb

@@ -4,14 +4,17 @@ module Spree
       prepend Spree::ServiceModule::Base
 
       def call
-        payment_method = Spree::PaymentMethod::StoreCredit.find_or_initialize_by(
-          name: Spree.t(:store_credit_name),
-          description: Spree.t(:store_credit_name),
-          active: true
-        )
+        Spree::Store.all.find_each do |store|
+          payment_method = store.payment_methods.find_or_initialize_by(
+            type: 'Spree::PaymentMethod::StoreCredit'
+          )
+          next if payment_method.persisted?
 
-        payment_method.stores = Spree::Store.all if payment_method.new_record?
-        payment_method.save!
+          payment_method.name = Spree.t(:store_credit_name)
+          payment_method.description = Spree.t(:store_credit_name)
+          payment_method.active = true
+          payment_method.save!
+        end
       end
     end
   end

data/config/locales/en.yml

@@ -774,6 +774,8 @@ en:
       one: "...and %{count} more"
       other: "...and %{count} more"
     api_key: API Key
+    api_key_no_current_key: No API key authenticated this request
+    api_key_scopes_immutable: cannot be changed after the key is created; create a new key with the scopes you need and revoke this one
     api_keys: API Keys
     apis:
       admin: Admin API
@@ -1425,6 +1427,7 @@ en:
     max: Max
     max_items: Max Items
     max_quantity: Max Quantity
+    me_no_current_user: No admin user authenticated this request
     media: Media
     memo: Memo
     meta_description: Meta Description

data/db/sample_data/payment_methods.rb

@@ -1,19 +1,19 @@
-cc_payment_method = Spree::Gateway::Bogus.where(
-  name: 'Credit Card',
-  description: 'Bogus payment gateway.',
-  active: true
-).first_or_initialize
+Spree::Store.all.find_each do |store|
+  cc_payment_method = store.payment_methods.find_or_initialize_by(
+    type: 'Spree::Gateway::Bogus',
+    name: 'Credit Card',
+    description: 'Bogus payment gateway.',
+    active: true
+  )
+  cc_payment_method.display_on = 'back_end'
+  cc_payment_method.save!
 
-cc_payment_method.display_on = 'back_end'
-cc_payment_method.stores = Spree::Store.all
-cc_payment_method.save!
-
-check_payment_method = Spree::PaymentMethod::Check.where(
-  name: 'Check',
-  description: 'Pay by check.',
-  active: true
-).first_or_initialize
-
-check_payment_method.display_on = 'back_end'
-check_payment_method.stores = Spree::Store.all
-check_payment_method.save!
+  check_payment_method = store.payment_methods.find_or_initialize_by(
+    type: 'Spree::PaymentMethod::Check',
+    name: 'Check',
+    description: 'Pay by check.',
+    active: true
+  )
+  check_payment_method.display_on = 'back_end'
+  check_payment_method.save!
+end

data/lib/spree/core/version.rb

@@ -1,5 +1,5 @@
 module Spree
-  VERSION = '5.5.0.rc2'.freeze
+  VERSION = '5.5.0.rc3'.freeze
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_core
 version: !ruby/object:Gem::Version
-  version: 5.5.0.rc2
+  version: 5.5.0.rc3
 platform: ruby
 authors:
 - Sean Schofield
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-06-15 00:00:00.000000000 Z
+date: 2026-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n-tasks
@@ -1816,9 +1816,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.5.0.rc2
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.5.0.rc3
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.5.0.rc2
+  source_code_uri: https://github.com/spree/spree/tree/v5.5.0.rc3
 post_install_message:
 rdoc_options: []
 require_paths: