Spree Commerce

SpreeConf DC Speaker Lineup Announced

Posted on March 06, 2013 by Sean Schofield

We are proud to announce the speaker lineup for SpreeConf DC, taking place May 20th–21st at the Studio Theatre in Washington, DC. The two-day event, sponsored by Contegix, features training on Spree as well as presentations from e-commerce and Ruby on Rails thought leaders. Some of our speakers include:

Adil Wali
Lessons from the Field: Scaling an eCommerce Business
Adil is a passionate entrepreneur and product visionary who loves the startup and high growth environment. He is a founder at Crowd Interactive and ModCloth and is currently the CEO at Kemists. Adil cares tremendously about user experience, product vision, and building ridiculously good teams.

Sandi Metz
Magic Tricks of Testing
Sandi was a long-time software architect at Duke University, for whom she still consults. She has been solving real problems in large, long-lived object-oriented applications for more than twenty years. She is also the author of the book Practical Object-Oriented Design in Ruby: An Agile Primer.

Eric Koester
Capitalizing on the Micro-preneur Revolution
Eric is a serial entrepreneur and the founder of Zaarly, a leading online marketplace to discover and work with talented local service providers. Eric is also the author of several books including the Green Entrepreneur Handbook and What Every Engineer Should Know About Starting a High-Tech Business Venture.

Nick Gauthier
Rails 4 In Action
Nick is a web freelancer focusing on Ruby on Rails and JavaScript. He co-authored Recipes with Backbone with Chris Strom and also wrote Mobile Web Patterns with Backbone.js. Nick runs B’More Awesome, a Baltimore-based web training organization, and Exobrain, an online mind-mapping tool.

Sean Schofield
Spree 2.0 and Beyond
Sean is the creator and CEO of Spree Commerce. He is an experienced programmer and entrepreneur and has over a decade of experience working with open source in both Ruby and Java. Sean is a member of the Apache Software Foundation as well as a committer on several popular Apache projects including Struts.

Brian Quinn
Introducing the Spree Integrator
Brian is an early contributor to Spree and was one of the first core team members. He’s been happily hacking on Spree for fun and profit since 2008 and is fanatical about all things open source. Brian officially came on board as the Spree CTO in May 2011.

See the full list of speakers and session topics at spreeconf.com.

Early Bird Promotion

We’re offering a special $199 early bird rate through March 31st. After March 31st the conference registration fee increases to $299. Our last U.S. SpreeConf in New York sold out quickly so act now and secure your spot at this amazing conference!

New Split Shipments Branch

Posted on February 27, 2013 by Sean Schofield

Coming Soon: Split Shipments!

We’ve been grappling with the issue of complex Spree stores that require sophisticated shipping and warehouse logic for several years now. While it has always been manageable to get this to work on an individual store basis, a more general solution that would be useful for all stores has always eluded us (until now). We’re in the early stages, and it’s still very much a work in progress, but in the next version of Spree we’re going to be able to have that long-sought-after multiple shipment functionality.

Our Team is Hard at Work

Yesterday we kicked off an intensive all-day hackathon to pick up on the considerable work already done by Chris Mar (shown below briefing some of our team members). We’re going to be working hard to finish the first cut this week, and we will post a more detailed update once we’re done.

If you’re curious about what the code looks like you can follow along on the new split_shipments branch. We’re also pulling our community manager into the effort so we may be a little slower than normal this week getting to your questions and issues.

What type of improvements to shipping/warehouse/inventory functionality would you like to see?

Multiple Security Vulnerabilities Fixed

Posted on February 21, 2013 by John Dyer

The Spree team was recently alerted to several potential security vulnerabilities. If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at security@spreecommerce.com and we will investigate and fix the issue as quickly as possible.

Spree Roles Mass-assignment Vulnerability

The first vulnerability reported pertains to a mass-assignment vulnerability with Spree roles. By passing the right parameters while updating a user, that user is able to assign any existing role to themselves. This is fixed in the latest release. You are strongly encouraged to upgrade if you are using Spree 1.1.x, 1.2.x or 1.3.x.

Thanks to Laurens Nienhaus of asdfasdf.de, Web Entwicklung for reporting this.

Versions Affected

1.2.x, 1.3.x, Edge

The Fix

If you are using spree_auth_devise, run the following command to update to the latest version:

bundle update spree_auth_devise

It’s recommended that you update to v1.1.6. This release contains the security fix.
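To show the shape of the problem described above, here is an added plain-Ruby illustration of the role mass-assignment pattern and its allowlisted fix. This is not Spree’s own code; MiniUser, its attributes and the request body are constructed stand-ins, and no Rails is needed to run it.

```ruby
# Added example (not Spree's own code): a plain-Ruby model of the role
# mass-assignment pattern. "MiniUser" and its attributes are constructed
# stand-ins for the Spree user model; no Rails is required to run this.
class MiniUser
  attr_accessor :email, :role_ids

  def initialize(email)
    @email = email
    @role_ids = []   # a fresh customer holds no roles
  end

  # Vulnerable pattern: every incoming key with a matching writer is assigned,
  # so a profile update that smuggles in role_ids grants those roles.
  def unsafe_assign(params)
    params.each { |k, v| public_send("#{k}=", v) if respond_to?("#{k}=") }
    self
  end

  # Hardened pattern: only allowlisted keys reach the model. role_ids is never
  # in the customer-facing allowlist; rejected keys are returned so the caller
  # can log them (a rejected role_ids is a useful abuse signal).
  def safe_assign(params, permitted: [:email])
    rejected = []
    params.each do |k, v|
      if permitted.include?(k.to_sym)
        public_send("#{k}=", v)
      else
        rejected << k.to_s
      end
    end
    rejected
  end
end

# Constructed request body: a normal-looking email change with an extra
# role_ids parameter appended by the requester.
TAMPERED_PARAMS = { "email" => "alice@example.com", "role_ids" => [1] }.freeze

def unsafe_update(params = TAMPERED_PARAMS)
  MiniUser.new("old@example.com").unsafe_assign(params)
end

def safe_update(params = TAMPERED_PARAMS)
  user = MiniUser.new("old@example.com")
  rejected = user.safe_assign(params)
  [user, rejected]
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: roles=#{unsafe_update.role_ids.inspect}"
  user, rejected = safe_update
  puts "safe:   roles=#{user.role_ids.inspect} rejected=#{rejected.inspect}"
end
```

In a real application the allowlist lives in the model (attr_accessible in Rails 3) or in strong parameters, and the rejected-key list is what you would feed to your logging or alerting.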

JSON Gem Object Creation Vulnerability

The second is related to an Unsafe Object Creation vulnerability found in the JSON gem. This vulnerability potentially affects all versions of Spree that are running an outdated JSON gem.

Versions Affected

All Versions

The problem is not with Spree itself but the json gem upon which it relies. By using the suggested fix below you can ensure you are running a secure version of the json gem.

The Fix

This is easily fixed by upgrading to the latest version of the JSON gem, which can be done by running the following command:

bundle update json

We have added a hard dependency on JSON to spree_core to ensure that in future versions of Spree you are using an unaffected version of the gem.

Thanks to Steve Root of Roots Kitchens Bedrooms Bathrooms for bringing this to our attention. More info on this vulnerability can be found on the rails-security group.

Unsafe Use of Constantize in Admin

The third vulnerability concerns unsafe reflections in parts of the Spree admin and affects any version of Spree >= 1.0.0. It is possible to instantiate an object of the user’s choice by passing the correct parameters to certain methods. As this vulnerability only pertains to the admin interface, we have not released a new version of Spree with this fix. However, this fix is available on Spree’s master branch as commit 70092eb.

Thanks to Gabriel Quadros of Conviso Application Security for reporting this.

Versions Affected

Spree 1.0.x – 1.3.x, Edge

The Fix

The problem can be addressed by updating to edge Spree. There is no urgent need to upgrade if you are running an affected version as long as your admin users can be trusted to not attempt a complicated technical exploit of this vulnerability.
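As an added illustration of the unsafe-reflection pattern described above (not the code from commit 70092eb), this plain-Ruby example contrasts resolving a request parameter straight to a constant with an allowlist lookup. The Calc classes, ALLOWED_CALCULATORS and the parameter values are constructed stand-ins.

```ruby
# Added example (not Spree's code): unchecked constant lookup on a request
# parameter versus an allowlist. "Calc::FlatRate" and "Calc::PerItem" are
# constructed stand-ins for whatever classes an admin form lets you pick.
module Calc
  class FlatRate; end
  class PerItem; end
end

# Vulnerable pattern: the request decides which constant gets resolved, so
# any class loaded in the process can be looked up (and then instantiated).
def unsafe_lookup(type_param)
  Object.const_get(type_param.to_s)
end

# Hardened pattern: the application owns a fixed map from the names it is
# willing to accept to the classes they mean. Anything else is rejected.
ALLOWED_CALCULATORS = {
  "Calc::FlatRate" => Calc::FlatRate,
  "Calc::PerItem"  => Calc::PerItem,
}.freeze

def safe_lookup(type_param)
  ALLOWED_CALCULATORS.fetch(type_param.to_s) do
    raise ArgumentError, "unsupported calculator type: #{type_param.inspect}"
  end
end

# Helper for checks: true when safe_lookup refuses the given name.
def safe_lookup_rejects?(type_param)
  safe_lookup(type_param)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_lookup('File')}"          # resolves an unrelated class
  puts "safe:   #{safe_lookup('Calc::FlatRate')}"  # resolves an allowed class
  puts "safe rejects File? #{safe_lookup_rejects?('File')}"
end
```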

Register for SpreeConf 2013

Posted on February 20, 2013 by Sean Schofield

SpreeConf DC Registration Opens Today – Special Early Bird Rate

We’re excited to announce that registration for SpreeConf DC starts today. The conference will be held May 20th to 21st in Washington, DC. Keeping with tradition we’ve selected a unique venue for the conference, the Studio Theatre, Washington, DC’s premier location for contemporary theater. The conference hotel is located just a few blocks from the Studio Theatre and provides easy access to the National Mall and the White House.

The two-day event includes:

  • A full day of training on Spree, Rails, and other topics
  • A second day of speakers from the e-commerce and Ruby space
  • Coffee, snacks, and lunch provided both days
  • Conference t-shirt
  • A board game night to welcome you to DC and meet fellow attendees
  • A happy hour and after party with the Spree team and conference speakers

Special Early Bird Price

We’re offering a special discount for folks who book their tickets early. The early bird conference registration rate is only $199. That’s a 30% discount off the regular ticket price of $299. SpreeConf NYC sold out quickly so make sure to get your tickets early. The early bird rate expires March 31st.

Full Speaker List and Talks to be Announced Shortly

We’re going to have another great lineup of excellent speakers from both inside and outside of the Spree Community. There will be talks geared towards both developers and store owners. Follow us on Twitter so you can be the first to know when the full line-up of speakers has been announced.