Skip to content

Commit de796a2

Browse files
Merge pull request from GHSA-8639-qx56-r428
Fix CSRF vulnerability that allowed (un)finalizing adjustments
2 parents 8dbb160 + bfb7bef commit de796a2

File tree

3 files changed

+43
-5
lines changed

3 files changed

+43
-5
lines changed

Diff for: backend/app/views/spree/admin/adjustments/_adjustments_table.html.erb

+2-2
Original file line numberDiff line numberDiff line change
@@ -13,12 +13,12 @@
1313
<tr data-hook="adjustment_buttons">
1414
<td class="align-right" colspan="2" style="width: 50%">
1515
<% if can? :update, Spree::Adjustment %>
16-
<%= button_to t('spree.unfinalize_all_adjustments'), adjustments_unfinalize_admin_order_path(@order), method: :get %>
16+
<%= button_to t('spree.unfinalize_all_adjustments'), adjustments_unfinalize_admin_order_path(@order), method: :put %>
1717
<% end %>
1818
</td>
1919
<td colspan="2" style="width: 50%">
2020
<% if can? :update, Spree::Adjustment %>
21-
<%= button_to t('spree.finalize_all_adjustments'), adjustments_finalize_admin_order_path(@order), method: :get %>
21+
<%= button_to t('spree.finalize_all_adjustments'), adjustments_finalize_admin_order_path(@order), method: :put %>
2222
<% end %>
2323
</td>
2424
<td class='actions'>&nbsp;</td>

Diff for: backend/config/routes.rb

+3-3
Original file line numberDiff line numberDiff line change
@@ -77,8 +77,8 @@
7777
get :confirm
7878
put :complete
7979
post :resend
80-
get "/adjustments/unfinalize", to: "orders#unfinalize_adjustments"
81-
get "/adjustments/finalize", to: "orders#finalize_adjustments"
80+
put "/adjustments/unfinalize", to: "orders#unfinalize_adjustments"
81+
put "/adjustments/finalize", to: "orders#finalize_adjustments"
8282
put :approve
8383
put :cancel
8484
put :resume
@@ -91,7 +91,7 @@
9191
end
9292
end
9393

94-
resources :adjustments
94+
resources :adjustments, except: [:show]
9595
resources :return_authorizations do
9696
member do
9797
put :fire

Diff for: backend/spec/features/admin/orders/adjustments_spec.rb

+38
Original file line numberDiff line numberDiff line change
@@ -111,6 +111,44 @@
111111
end
112112
end
113113

114+
context "admin bulk editing adjustments" do
115+
it "allows finalizing all the adjustments" do
116+
order.all_adjustments.each(&:unfinalize!)
117+
118+
click_button "Finalize All Adjustments"
119+
120+
expect(order.reload.adjustments.all?(&:finalized?)).to be(true)
121+
end
122+
123+
it "allows unfinalizing all the adjustments" do
124+
order.all_adjustments.each(&:finalize!)
125+
126+
click_button "Unfinalize All Adjustments"
127+
128+
expect(order.reload.adjustments.any?(&:finalized?)).to be(false)
129+
end
130+
131+
it "can't finalize via a GET request" do
132+
order.all_adjustments.each(&:unfinalize!)
133+
134+
expect {
135+
visit "/admin/orders/#{order.number}/adjustments/finalize"
136+
}.to raise_error(ActionController::RoutingError)
137+
138+
expect(order.reload.adjustments.any?(&:finalized?)).to be(false)
139+
end
140+
141+
it "can't unfinalize via a GET request" do
142+
order.all_adjustments.each(&:finalize!)
143+
144+
expect {
145+
visit "/admin/orders/#{order.number}/adjustments/unfinalize"
146+
}.to raise_error(ActionController::RoutingError)
147+
148+
expect(order.reload.adjustments.all?(&:finalized?)).to be(true)
149+
end
150+
end
151+
114152
context "deleting an adjustment" do
115153
context 'when the adjustment is finalized' do
116154
let!(:adjustment) { super().tap(&:finalize!) }

0 commit comments

Comments
 (0)