Spree Commerce


Security Fix for all Spree Versions

Posted on July 28, 2015 by Jeff Dutil

We have just issued several new versions of Spree that address a critical security vulnerability present in all versions of Spree 1.2.x+.

An attacker with API access is able to execute arbitrary files on the remote system. It is likely that this could be leveraged to gain admin privileges, disclose the contents of files or execute arbitrary code.

We recommend that all users upgrade immediately; this is especially urgent for stores that provide API access to customers.

If you are unable or unwilling to upgrade you can monkey patch your Spree application with an initializer config/initializers/security_20150728.rb as a quick workaround:

Spree::Api::TaxonomiesController.before_filter do
  # "nested" is the only accepted value; anything else is discarded
  params[:set] = nil if params[:set] != "nested"
end

If you are using an unsupported version, such as 1.2.x, 1.3.x, 2.0.x or 2.1.x, you should use the above initializer as a workaround.

Previous security releases

If you have not already read about and patched last week's security release, it is urgent that you immediately upgrade to these latest releases or patch the previous security vulnerability as well. While this current security issue does require a valid API key, the previous security issue does not, making all unpatched Spree stores vulnerable.


Thanks to John Hawthorn again from Free Running Tech for reporting the issue privately after his recent security audit via the security@spreecommerce.com email. This allowed us to verify the problem and prepare the necessary security patches for public release.

Full Changes

To see a complete list of changes please view the compare pages:

Ruby vs. PHP

Posted on July 21, 2015 by Eva María Gude García

About the Author

Eva María Gude García is a social media manager and content director at 2beDigital. 2beDigital is a digital marketing agency based in Santiago de Compostela, Galicia and Barcelona. 2beDigital was formed by a multidisciplinary team whose principles of trust and transparency power their work.

Ruby and PHP are two of the most popular programming languages used for web development. While they have their fair share of similarities, there are also some vital differences that set the two apart.


Created in 1995 by Yukihiro Matsumoto, Ruby is a general programming language that’s also gained recognition for web development, which started in 2005. Ruby has lived off the guiding principle that there’s always more than one way of doing things. The language is renowned for the flexibility and freedom it offers developers, making Rails a powerful development platform.

The drawback of Ruby is that its sophistication can make it a difficult language for beginners to learn. Other notable features of Ruby on Rails are listed here.


PHP was created the same year as Ruby, 1995, by Rasmus Lerdorf. Unlike Ruby, PHP was specifically designed as a web development language, but it is now also used for general programming. PHP is noted for its simple implementation, which is its primary advantage over Ruby. Its simplicity has led to its popularity and a huge user community.

However, one of the major flaws of PHP is that it is not always object-oriented. This has led developers to write poor-quality code to solve problems. Also, PHP does not have adequate Unicode support.


So, what to choose? Ruby or PHP? It really depends on your priorities, and how each language fits in with those priorities.

PHP is easier to learn and more widely used, but it is not as powerful as Ruby. Ruby is a powerful and flexible language with an excellent Rails framework for development, but it is difficult to learn and requires a higher level of technical understanding, making Ruby on Rails developers hard to find. Although learning Ruby on Rails is more difficult than learning PHP, once it is mastered, building on Rails is much faster and much easier.

At 2beDigital, given the excellent results we’ve had with our customers, we recommend that if you haven’t tried Ruby on Rails, now’s the time to start.

To view this blog in its original format, visit the blog of 2beDigital.

Security Fix for all Spree Versions

Posted on July 20, 2015 by Jeff Dutil

We have just issued several new versions of Spree that address a critical security vulnerability. A vulnerability in the API was discovered which could allow an attacker read access to any file on the server.

We strongly advise everyone to upgrade to the latest version of Spree available for their stores immediately. For example, if you’re running v2.4.7, please upgrade to v2.4.8 immediately.

If you are unable or unwilling to upgrade you can monkey patch your Spree application with an initializer config/initializers/security_20150720.rb as a quick workaround:

module Spree::Api::Responders::RablTemplate
  def template

If you are using an unsupported version, such as 1.3.x, 2.0.x or 2.1.x, you should use the above initializer as a workaround.
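Both advisories on this page (the taxonomies `set` parameter on July 28 and the API template selection on July 20) reduce to the same defensive rule: a request parameter that selects server-side behaviour or a file on disk is checked against an allowlist before it is used, never passed through as supplied. The following is an added example written to illustrate that rule; it is not Spree's own code or either of the published initializers, and the view-root path, the `.rabl` suffix and the `ParamAllowlist` module name are assumptions chosen for the illustration.

```ruby
require "pathname"

# Added example, not Spree's code: one allowlist rule covering both advisories.
# A parameter that selects server-side behaviour (params[:set]) or a file
# (a template name) is validated before use rather than trusted as supplied.
module ParamAllowlist
  # The only value the taxonomies endpoint legitimately accepts for :set.
  ALLOWED_SET_VALUES = %w[nested].freeze

  # A template selector must be a bare identifier: no separators, dots or NULs.
  TEMPLATE_NAME = /\A[a-z0-9_]+\z/i

  # Assumed location of the API views; a real application has its own root.
  VIEW_ROOT = Pathname.new("/srv/app/app/views/spree/api").freeze

  # Mirrors the July 28 initializer: anything other than "nested" is discarded.
  # Returns a copy so the caller's hash is left untouched.
  def self.sanitize_set(params)
    cleaned = params.dup
    cleaned[:set] = nil unless ALLOWED_SET_VALUES.include?(cleaned[:set])
    cleaned
  end

  # Resolves a caller-supplied template name to a file under VIEW_ROOT.
  # Raises ArgumentError rather than reading anything outside the view directory.
  def self.resolve_template(name, default: "show")
    candidate = name.to_s.empty? ? default : name.to_s
    unless candidate.match?(TEMPLATE_NAME)
      raise ArgumentError, "template must be a bare identifier, got #{candidate.inspect}"
    end
    path = (VIEW_ROOT + "#{candidate}.rabl").expand_path
    # Belt and braces: even a validated name must still resolve inside VIEW_ROOT.
    unless path.to_s.start_with?("#{VIEW_ROOT}/")
      raise ArgumentError, "template resolves outside the view root"
    end
    path.to_s
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters, as a controller would receive them.
  p ParamAllowlist.sanitize_set({ set: "flat", page: 1 })
  puts ParamAllowlist.resolve_template("products")
  begin
    ParamAllowlist.resolve_template("../../config/database")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The second check in `resolve_template` is deliberately redundant with the regular expression: if the allowlist pattern is ever loosened, the path containment test still refuses anything that escapes the view directory, which is the failure both advisories describe.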


Thanks to John Hawthorn from Free Running Tech for reporting the issue privately after his recent security audit via the security@spreecommerce.com email. This allowed us to verify the problem and prepare the necessary security patches for public release.

Full Changes

To see a complete list of changes please view the compare pages:

Improve Your Online Store UX With These Handy Tips

Posted on July 15, 2015 by Netguru

About the Author

Netguru is a leading development agency and Spree Commerce Certified Partner. We build lean and beautiful applications for everyone from startups to major corporations. Our developers are focused on the Ruby on Rails and iOS frameworks. From the first commit to the final release, we are committed to build well-devised and user-friendly apps & ecommerce platforms tailored to your specific needs.

When it comes to ecommerce, the aim of any site is to direct users to where they need to go and to encourage them to buy a product. Good UX can achieve this in numerous ways. From the way a signup form is crafted to the colors used in the design, UX can boost conversions.

Bad UX has the opposite effect: it puts the site visitor off. Web users have become increasingly sophisticated as the net has matured and are no longer willing to deal with a site that provides a bad experience. For ecommerce sites, this means that they will not part with their cash to pay for your products if your site's UX is not up to scratch.

What exactly is UX? (and what it’s not)

In recent years, we’ve seen a renewed interest in UX (User Experience) take place, thanks largely to the need to design for smaller screens. UX is not always an easy thing to define, so let’s first look at what it is and what it’s not.

UX shouldn’t be confused with usability or UI (User Interface). While these disciplines are related to each other, UI is concerned with the actual interface with which the user interacts, while usability is all about how easy to use a site is.

UX is all about the feeling that a user has when using a site. For example, if a site is slow to load, then the user quickly becomes impatient and frustrated and will leave.

That’s bad UX.

Similarly, if a site doesn’t include white space or contrast, then it becomes more difficult for the user to interact with the site and that too is bad UX. It is quite a broad discipline, but if you get it right, it can have a significant impact on sales in your e-store.

UX design for ecommerce sites

There is a huge number of considerations when designing an ecommerce site. Make sure you discuss all the necessary issues with your design and development team when planning the site. Here are a few crucial factors to think about.


Again, use brand colors, and contrasting colors, to ensure that the text is clear and easy to read. You should also bear accessibility in mind (also, check out our article on this topic) and consider that people with color blindness will see colors differently. For example, green and red may seem like contrasting colors, but although they appear opposite each other on the color wheel, they look quite similar to people with color blindness.

The picture shows the differences in color perception (from the upper left): normal, protanope, deuteranope, tritanope.

Buttons and other clickable areas

It ought to be immediately apparent to the user what these are for. Remember to keep enough surrounding padding to ensure that buttons or links do not encroach on other clickable areas next to them. Mobile users will be using touch, so buttons and links should be large enough for these users to tap easily. One more important tip: take a close look at the typography. It should be in keeping with your brand's personality and should be clear and legible.


An image can tell a story all by itself, so make sure yours are high quality but also optimized so that large file sizes don’t slow down the shopping experience. Include pictures that are clear and representational of the product or service. Also, keep in mind to make your website responsive, so that all visual elements are displayed well to mobile and tablet users.

White/negative space

This is a factor many shop owners find difficult to digest, but white space is not a waste. It is there for the benefit of the visitor: you do not want to tire them with content overload while they browse your site. White space should be used where appropriate so that the site does not appear cluttered and the central message does not get lost. Take a look at this example:

In the image above, for the award-winning site Helbak, you can see that the design is deceptively simple. This does not mean that little work went into development; quite the opposite, in fact. The design is clean, with plenty of white space and little in the way of text. The site lets the images do the talking, and navigation is achieved through the top bar, as is usual for most sites.

It is important to remember that conventions (such as navigation being at the top of the page, and the logo placed in the top left-hand corner) are very useful when designing an ecommerce site. Conventions are design techniques that we have become so accustomed to over time that we expect to see them on the sites we visit. As such, we look for them when we arrive at a site, and if they are not present it can throw us to the extent that we leave.

With this in mind, be very careful about breaking conventions as it can also effectively ‘break’ your conversion rate. Whilst it’s sometimes tempting to be highly original and create designs that are a little off the wall, it pays to think carefully about your design choices.

Do:

  • Use appropriate, contextual content to enhance checkout flow and products. Provide your customers with concise descriptions, representative pictures from different perspectives, or videos showing your product in action—depending on the item sold. Users should be left in no doubt as to what the product is and what they need to do to buy it.
  • Use different colors for buttons with different purposes. You should also use color psychology to inform your choices and carry out A/B testing.

Don't:

  • Add so much content that the message is lost and the user is confused. Provide important product data first and use accordions or tabs that can be expanded on user action.
  • Place lots of text around buttons; ensure that there is just enough negative space.

Forms and Registration

When designing forms for user registration, it is important that they require as little input as possible. Remember that you are not just targeting desktop users, and as such some visitors will have to fill in forms on mobile. With this in mind, make sure that:

  • As few fields as possible are created. Only ask for the user information that you need; there is no reason you have to know their date of birth, for example. You can ask for more details (address, phone number, etc.) when the customer proceeds to make an order.
  • Form fields are large enough for users to comfortably tap into with a finger.
  • Form labels appear in the right place no matter what device the form is viewed on.

Reducing the number of form fields can increase conversions by as much as 160%, so keep it simple and brief.

Key Decisions in the Design Process

When designing UX for ecommerce, the user should be central to every decision you make. However, it is important to remember that you are not your user, so you should carry out as much real-world user testing as possible. Consider taking a mobile-first approach too, as it is much more difficult to pare back a desktop site for mobile than it is to design with mobile in mind from the beginning.

Now you know which factors to pay attention to when thinking about your e-store's UX. Soon, we will post about best practices for designing a shopping cart and checkout experience, so stay tuned and visit our blog again!

If you’re into ecommerce, check out our article about smart retail solutions that change ecommerce and grab some inspiration! To read this piece in its original format, visit the blog of netguru.