New Core Members: David North and Roman Smirnov

February 8 2010 by railsdog

We’re pleased to announce two new core members: David North and Roman Smirnov (aka Romul). David was an earlier contributor to Spree and made his first contribution almost one year ago. He and Wynn Netherland did a complete overhaul of the Spree interface. This involved removing HTML tables from all of the frontend stuff and using blueprint, sass and compass. David was also an early adopter of Spree and built a lot of cool sites, including the jewelry collective. More recently he took over the excellent theming work that Wynn had begun and helped to bring that ambitious project to a succesful conclusion (including a complete port of the stylesheets to Less.)

Roman’s first commit was a Russian translation which he contributed in August of last year. He has made a ton of small but important core contributions (89 nine of them to be exact.) He’s also been instrumental in some major contributions such as Ruby 1.9 support. Roman also has an important quality that we look for in core contributors which is that he is eager to help others and work on projects that are for the common good and not just things that benefit him personally. He has been an active contributer to the spree-user mailing list and he has been doing some very heavy lifting in Lighthouse and helping us to keep track of the huge influx in contributions. Roman has also written some excellent extensions including: xapit search, solr search, product assembly and recently viewed. Sometimes Roman comes off a little “harsh” on the spree-user list but this is primarily due to language differences. He’s a great guy and we’re happy to have him join the team.

No Comments »

Posted @ 8:30am


Potential XSS Security Issue in LocaleController

January 26 2010 by railsdog

We’ve just patched the edge code to address a potential security hole. The vulnerability also affects prior versions of Spree including the latest 0.9.4 release. The upcoming 1.0.0 release will contain the fix. We will not be issuing a patch release but you can easily address the problem by patching the LocaleController in your site extension as follows:


class LocaleController < ApplicationController

  def set
    if params[:locale] && AVAILABLE_LOCALES.include?(params[:locale])
      I18n.locale = params[:locale]
      session[:locale] = params[:locale]
      flash[:notice] = t("locale_changed")
    else
      flash[:error] = t("locale_not_changed")
    end
    redirect_back_or_default(root_path)
  end

end

Special thanks to Alexander Kozliakov for reporting the bug and providing a fix. Please continue to report any suspected security issues to security@railsdog.com.

Comments Off

Posted @ 9:58am


New on Edge: RESTful API

January 26 2010 by railsdog

The REST API is designed to give developers a convenient way to access data contained within Spree. With a standard read/write interface to store data, it is now very simple to write third party applications (ex. iPhone) that can talk to Spree. It is also possible to build sophisticated middleware applications that can serve as a bridge between Spree and a warehouse or inventory system.

The API currently only supports a limited number of resources. The current list reflects the needs of paying clients who funded the development of the API. The list will be expanded soon to cover additional resources. Adding more resources is simply a matter of making the time for testing and investigating possible security implications.

Spree currently supports RESTful access to the following resources:

  • Order
  • LineItem
  • Shipment
  • InventoryUnit

Making an API Call

You will need an API key to authenticate. These keys can be generated on the user edit screen within the admin interface. Your requests should include this key in the X-SpreeAPIKey header.


curl -H "Content-Type:application/json" 
-H "Accept:application/json" 
-H "X-SpreeAPIKey: YOUR_KEY" http://example.com/api/orders

The token allows the request to assume the same level of permissions as the actual user to whom the token belongs. The admin role is fairly “powerful” by default. Consider creating a new role and assign a more limited set of permissions. This way you can create a user and corresponding token that has more narrow permissions (ex. read only access to orders.)

HTTP Methods

Your requests must use the correct HTTP method.

  • GET for listing and viewing individual resources
  • POST for creating resources
  • PUT for updating existing resources
  • DELETE for deleting resources

Currently the API supports only the JSON. Supporting the XML format should not be difficult since Rails supports it out of the box. Volunteers who are willing to provide a patch (and tests) for XML support are encouraged to do so.

Searching

All list actions support filtering using Search Logic parameters. For example, to view all shipments that are ready to ship and that were created since the date 2010-01-01:


/api/shipments?search[state]=ready_to_ship&search[created_at_greater_than]=2010-01-01

NOTE: Use --globoff when passing SL params through Curl to avoid syntax issues. You can also use -i to view the return header information.

Please see the REST documentation for a more detailed explanation of the API.

1 Comment »

Posted @ 9:00am


New on Edge: Refactored Checkout (Again)

January 12 2010 by railsdog

For those of you following the “edge” version of Spree, you probably noticed a massive new commit that introduced a much anticipated refactoring of the checkout process. These changes are significant and will likely require some modifications to your custom site extension in order to upgrade to the latest version of Spree. The refactoring was the result of additional real world experience building Spree sites as well as extensive developer feedback.

Checkout Gets a State Machine

One of the first major changes was the inclusion of a new state machine for the Checkout model. 


state_machine :initial => 'address' do
  after_transition :to => 'complete', :do => :complete_order
  before_transition :to => 'complete', :do => :process_payment
  event :next do
    transition :to => 'delivery', :from  => 'address'
    transition :to => 'payment', :from => 'delivery'
    transition :to => 'complete', :from => 'payment'
  end
end

The state machine offers a standard approach for customizing the checkout steps and their sequence.

picture-14

Each step is rendered with a partial of the same name and the steps themselves are automatically transformed into a “progress train” that can be used for navigation. The look and feel of the progress train can be customized (or omitted) by your site theme and the logic for constructing it can be tweaked in your site extension.

Simplified Custom Controller Logic

The CheckoutsController now provides its own “hook mechanism” (not to be confused with theme hooks) which allow for the developer to perform additional logic (or to change the default) logic that is applied during the edit and/or update operation for a particular step. The Spree::Checkout::Hooks module provides this additional functionality and makes use of methods provided by the resource_controller gem.

The CheckoutsController will automatically call an edithook (if one is defined) before moving on to the standard edit functionality for a particular step. There is also a corresponding updatehook that can be used to execute additional functionality during an update. Both hooks can accept either a symbol (which is the name of a method) or a block.

The CheckoutsController itself makes limited use of these hooks – its expected that developers will add their own through a site extension. Here’s an example of an edit_hook defined in checkouts_controller.rb: 

 
delivery.edit_hook :load_available_methods

This tells the controller to call load_available_methods before presenting the standard edit form for the delivery step. The hook will be called only during the delivery step – it is ignored for all other steps. In this specific case, Spree uses the hook to load all available shipping methods.

Perhaps more interestingly, hooks can also be appended to. In other words, if you wanted to perform some additional logic before presenting the delivery form, you could add something like the following in your site extension. 

 
delivery.edit_hook << :perform_additional_logic

Please see the documentation for more details on hooks and the rest of the checkout architecture.

Back to Multi Step

The other major change is that Spree is moving back to a multi step checkout as the default. Previous versions of Spree have experimented with a single page checkout similar to the one offered by Magento. After building several sites with the single step we decided to abandon it for several reasons.

  1. Single page approach requires javascript in order to checkout. Our new checkout makes minimal use of javascript (ex. populating the list of states based on countries) but it degrades nicely and is not required to move between checkout states.

  2. Old approach was very difficult to customize. The old checkout.js file was 500+ lines of code and growing. We’re not interested in debugging javascript everytime we make a change to the checkout process.

  3. Some of the previous issues with multi step no longer apply. Thanks to the Rails inclusion of nested attributes and some interesting third party work done on partial model validation, we’re no longer facing many of the issues that initially motivated us to try the single page checkout.

Moving Forward

We’re hoping to eventually support an simplified single page checkout based on the new state machine approach. The idea would be to use AJAX to render the individual steps and to simulate the effects of the multi page process. We’re interested in offering our users the flexibility to use either the multi step or single step approach. Contributions are always welcome.

Even though this is a non trivial change to how checkout is handled we definitely feel its worth the potential disruption to allow future development (and upgrades) to be less painful. Enjoy!

2 Comments »

Posted @ 11:33pm


Bitnami Announces New Spree Stack

December 27 2009 by railsdog

Last week Bitnami announced support for the Spree e-commerce platform with its new Spree stack. Bitnami “stacks” allow users to have a simplified “1-2-3″ install process for the web’s most popular open source applications. These installs work on a variety of platforms (including Windows) and they will install all of the necessary dependencies without interfering with your system. So in the case of Spree, the installer will install Ruby, Rails, Apache, MySql, etc. The install process will install everything in a single top level folder that can be easily removed if you’re no longer interested in running the application.

We’re excited about this development for several reasons. The first is that this clearly demonstrates the increasing enthusiasm for Rails in general and Spree in particular. Bitnami already supports such popular open source applications as Drupal, Word Press, Media Wiki and Joomla. To be listed amongst these applications is clearly a step in the right direction for our project.

The second reason why this is such good news, is that it will make installation and evaluation of Spree even simpler. This type of install will make it much easier for non technical users to evaluate Spree on their own desktop. Experienced Rails users do not have problems with installing Spree since its basically a Rails application. Users new to Rails or Unix type environments, however, will benefit from this simplified approach to installation. We’ve heard from several Windows users on the mailing list recently who were having trouble. We recommend you try the Bitnami install if you’re looking for a no hassle way to get up and running.

Finally, Bitnami has also announced a Spree AMI image for the popular Amazon EC2 service. They have some excellent and very detailed instructions so be sure to give them a read if you’re interested in using Spree in the cloud. We haven’t tested the AMI instance but we’re looking forward to taking it out for a spin in the new year.

1 Comment »

Posted @ 7:36am


Spree 0.9.4 Released

December 10 2009 by railsdog

Spree 0.9.4 has been released. This is a trivial patch release. It fixes a bug that some users were experiencing installing the rdoc for the previous 0.9.3 gem. It is not necessary to upgrade from 0.9.3 if the gem is working for you since this affects only the documentation.

1 Comment »

Posted @ 8:00am


New on Edge: Ruby 1.9 Support

December 9 2009 by railsdog

We’ve just introduced several improvements on the edge version of the code to make Spree Ruby 1.9 compliant. Special thanks to Dale and Roman for taking the lead on bringing us into Ruby 1.9 compliance. You should be aware that there are a few outstanding issues but these do not relate to core functionality.

  • There are problems with the activemerchant gem
  • Reported issues with Rails and the MySql driver for non ASCII encoding

The activemerchant issue has been addressed temporarily by using the latest edge code from that gem. We’ve just stuffed that into vendor/plugins in the source code repository. Once they ship the new gem we’ll move back to using the gem dependency. We might also consider publishing a railsdog-activemerchant gem if the Shopify guys don’t release one in time for our next release.

If you’re interested in Ruby 1.9 issues you may want to see the long discussion contained in the lighthouse ticket.

3 Comments »

Posted @ 8:00am


Spree 0.9.3 Released

December 5 2009 by railsdog

The Spree team is pleased to announce the latest release: v0.9.3. This is a patch release that provides support for the new Rails 2.3.5 release. Rails 2.3.5 contains a security fix so you may want to consider updating. We also addressed an issue with stylesheets when running Spree under a sub URI. We discovered that bug when preparing for another major announcement which should be coming soon.

This is also the first release on gemcutter (since Rubyforge gems are now out of fashion it seems.) If you’re not finding the gem, you just need to install the gemcutter gem.


gem install gemcutter
gem tumble
gem install spree   # .. or gem update spree if you already have it installed

If you have an existing Spree app you can update it easily enough after you’ve upgraded the gem. Just run the following command in your application root:


spree --update

Comments Off

Posted @ 9:13pm


New on Edge: Improved Fixture Support for Extensions

November 23 2009 by railsdog

We have just improved the seed and sample data loading for Spree extensions. Torsten Rüger has just contributed a great new patch to introduce new flexibility when it comes to loading fixture data from your extensions. Prior to this patch, there was no way to override seed data in an extension. So if you wanted to replace the list of default countries in your site extension, you were pretty much out of luck (or you had to write an ugly hack.)

Seed data is data that is needed by the application in order for it to work properly. Seed data is not the same as sample data. Instead of loading this type of data in a migration it is handled through the standard rails task through rake db:seed. The rake task will first load the seed data in the spree core (ex. db/default/countries.yml.) Spree will then load any fixtures found in the db/default directory of your extensions. You will no longer need to explicitly load extension seed data yourself from db/seeds.rb. If you have an extension that does so, you will need to remove that code so that you’re not loading the data twice.

Sample data is data that is convenient to have when testing your code. Its loaded with the rake db:sample task. The core sample data is loaded first, followed by any fixtures contained in the db/sample directory of your extensions.

If you have fixtures in your extension with the same filename as those found in the core, they will be loaded instead of the core version. This applies to both sample and seed fixtures. This allows for fine grained control over the sample and seed data. For example, you can create your own custom sample order data in your site extension instead of relying on the version provided by Spree.

No Comments »

Posted @ 9:00am


New on Edge: Improved Gateway Configuration

November 4 2009 by railsdog

The edge code now contains significant improvements to how payment gateways are configured. Gateways are no longer supported by database migrations, this scheme has been replaced by Active Record models that extend Gateway. The configuration of gateways is now done through standard Spree preference configuration. The documentation has also been updated and contains a detailed explanation.

One major improvement is that it is now possible to configure multiple gateways for each of your Rails environments. Its also possible to use the live production server in development mode when previously, you were required to run in test mode. One unfortunate side effect of this improvement is that your existing gateway configuration information will be lost and you will need to reconfigure your gateway in the admin interface.

You should make a note of your gateway configuration setting before upgrading since you will need to reconfigure your gateway when you’re done.

This approach to implementing and configuring gateways is extremely flexible. It makes it trivial to implement a new gateway that is already supported by Active Merchant. There are other useful benefits to this approach that a developer may be interested in knowing.

Support of Non Active Merchant Gateways

This architecture allows Spree to support gateways that are not officially supported by Active Merchant. Many times a new gateway is donated by someone in the community but its languishing in the queue waiting for someone to test and accept the patch. You have the option of taking that code (or writing your own from scratch) and implementing it within Spree. Instead of delegating to an Active Merchant class, you can simply implement that functionality yourself. You could also include the new gateway code from an Active Merchant fork inside your implementation and delegate the standard authorize, capture, etc operations to it.

Ability to “Patch” Active Merchant Gateways

We’ve noticed that sometimes it takes a while for a crucial Active Merchant patch to be applied. That’s certainly understandable, the Shopify guys have a business to run and its probably not a high priority for them to make sure that the latest obscure gateway patch is applied in a timely fashion. Fortunately, the Spree approach to wrapping these gateways provides you with a convenient option.

Lets say there is a bug with the authorize method. You could simply provide an implementation of the gateway that has the patched version of the authorize method and then delegates to the Active Merchant class for everything else (since that works just fine.)

Additional Functionality Beyond Active Merchant

Another benefit of the architecture is that it makes it possible for Spree to provide additional common functionality that was not envisioned by Active Merchant. Specifically, it is possible to provide an abstraction for storing credit card profiles to be used with recurring payments. There’s a good reason for Active Merchant to not care about this functionality. Its designed for people who just want to drop a single gateway provider into their application. Most programmers don’t need three different gateways at once. Spree is a specialized use case. Its providing multiple gateways for you to choose from and so its desirable to have a standard method for operations such as this.

Recurring payments are not yet supported in Spree although there are plans to provide this in the near future.

2 Comments »

Posted @ 10:28am


« Older Entries