Appland v2.10.2 #13
Open
Appland v2.10.2 #13
+385
−50
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The variable has been missed in solidusio#3400
To avoid persistence and validation issues has_many associations must be added after creation. (cherry picked from commit e1bb2c3) Signed-off-by: Alberto Vena <[email protected]>
Spree::Api::Shipments#select_shipping_method uses the `put` method. Spree::Api::Variants#update should be `put`. (cherry picked from commit 9056edb) Signed-off-by: Alberto Vena <[email protected]>
Spree::Api::TaxonsController#products accept `id` param to find the taxon. The products action also accept `simple` param to filter product data. (cherry picked from commit 274efe6) Signed-off-by: Alberto Vena <[email protected]>
Right now the persist_version job is not triggered since the regex only take into account versions with one digit after the decimal point. The regex actually matches but CircleCi needs it to match the entire string, from their doc: > Both only and ignore lists can have full names and regular expressions. > Regular expressions must match the entire string. https://circleci.com/docs/2.0/configuration-reference/#branches
…ration-multiple-digits [v2.10] Fix API Documentation generation with multiple digits versions
The `apply_coupon_code` before filter should only run on update. We shouldn't allow this expensive code to run on a GET request. This is probably also a mitigation for an imaginable denial of service attack, where an attacker could hammer a site with lots of coupon codes, bringing the site down because of all the work necessary to check for the code's validity. This action is already deprecated and removing this functionality should not create many backward compatibilities issues. Also, for the reasoning above we can consider this a bug. Co-authored-by: mamhoff <[email protected]>
It now uses well formed params that are more similar to real frontend requests. The order key should always be required when updating the order. Co-authored-by: mamhoff <[email protected]>
We currently accept "source" as key in the hash of parameters of this API endpoint instead of "source_attributes". This parameter is not normalized in "source_attributes" and would result in not being set at all. Since we want to permit "source_attributes" it's better to normalize it. Co-authored-by: mamhoff <[email protected]>
Differently from the checkout endpoints, the orders update always recalculates the shipments so it's not possible to change the address and not recreate new shipments based on the new address. Co-authored-by: mamhoff <[email protected]>
Sometimes in the API checkout specs we were testing some updates of attributes for steps different from the current order state. This commit sets the order in the right state before calling the endpoint. Co-authored-by: mamhoff <[email protected]>
Each checkout step has its own set of permitted attributes now. This way we can permit only the attributes that are supposed to change in the step we are submitting and avoid that the user changes information without our control. This is backward compatible because the old permitted_checkout_attributes still returns the same values (all the steps combined). Also, if some extensions or stores were pushing custom attributes to Spree::PermittedAttributes.checkout_attributes, they are being pushed to all the checkout steps, so this should work no matter from which step they are trying to use these custom attributes. Co-authored-by: mamhoff <[email protected]>
We want to avoid users to be able to change information that are supposed to be provided in other checkout steps. Co-authored-by: mamhoff <[email protected]>
We want to avoid users to be able to change information that are supposed to be provided in other checkout steps. Co-authored-by: mamhoff <[email protected]>
This fixes a spec in v2.10 that is currently failing due to some new association caching in Rails (not sure where).
[v2.10] Fix Taxon Promo Rule Specs
[v2.10] Disallow unnecessary checkout parameters using PermittedAttributes
This is a complementary commit for the last security fix. Bill address can be passed as params when submitting a new source. This also resumes a spec that was removed a while ago and apparently it was the only one testing this feature.
…ource [v2.10] Permit address attributes via payment source attributes
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.