Spree Commerce

Be a Friend

Posted on November 04, 2010 by Sean Schofield

We wanted to update you on some developments in the social media space. Railsdog has recently hired a developer with deep social media experience, especially with the Facebook and Twitter APIs. One of the first things we’d like to do is start rolling out some Facebook extensions. These will be "official" extensions that will be compatible with Spree 0.30.x and beyond. They will also be actively maintained and documented.

Let’s make a deal with the Spree community. We recently launched a SpreeCommerce page on Facebook. We’ll be using this page for news, announcements and promoting the Spree software so we can grow our community. At this exact moment we have a paltry 67 friends. We’re asking all of our users to "friend" us (see the link below) so we can show everyone just how many people out there are using Spree. The deal is the faster you friend us, the faster we’ll push the Facebook and other features.

JSON Hijacking Vulnerability

Posted on November 02, 2010 by Sean Schofield

The Spree team was recently alerted to a potential security vulnerability related to so-called JSON Hijacking. The potential exploit involves using social engineering to induce an administrator who is logged into Spree to visit a web page that contains code designed to exploit the vulnerability. If an authenticated admin loads a page containing this code in their browser it could expose sensitive user and order information via a JSON security exploit.

Most versions of Spree are affected, including all versions of 0.11.x and the latest edge code for the upcoming 0.30.x. If you are running on an edge version of Spree, please update to the latest source code, which includes these two important fixes.

Anyone using a previously released version of Spree is strongly encouraged to upgrade to the brand new 0.11.2 release. The 0.11.2 release contains the two crucial commits needed to address this vulnerability. The complete set of changes for the 0.11.2 release can be viewed on GitHub.

This is not a particularly new vulnerability nor is it unique to Spree. There is a very detailed blog post outlining the specifics of JSON Hijacking if you wish to read up on it further.
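The two standard defences against this class of bug, as an added illustration in plain Ruby that is not Spree’s actual patch: a cross-site `<script src>` request carries the victim admin’s cookies but cannot add custom headers, so an endpoint that serves sensitive JSON can require the `X-Requested-With` header that the site’s own XMLHttpRequest calls send, and it can make the body unparseable as JavaScript by never returning a bare top-level array and by prepending a guard prefix that the legitimate client strips. The endpoint, header and order fields below are assumptions for the example.

```ruby
require 'json'

# Added example, not Spree's own code. The guard prefix is a JavaScript
# syntax error, so even a browser that lets a page observe values built by
# a cross-origin <script> cannot execute the body; the site's own client
# strips it before calling JSON.parse.
ANTI_HIJACK_PREFIX = ")]}',\n".freeze

# True only when the request carries the header XMLHttpRequest adds; a
# <script> tag on a third-party page cannot set it.
def xhr_json_request?(headers)
  headers['X-Requested-With'] == 'XMLHttpRequest'
end

# Serialise a payload so it is never a runnable script: a top-level array
# is wrapped in an object (an object literal is not valid as a program),
# then the guard prefix is prepended.
def protected_json(payload)
  body = payload.is_a?(Array) ? { 'data' => payload } : payload
  ANTI_HIJACK_PREFIX + JSON.generate(body)
end

# Client-side counterpart (written in Ruby so it can be tested here):
# reject anything without the prefix, then parse the remainder.
def parse_protected_json(body)
  unless body.start_with?(ANTI_HIJACK_PREFIX)
    raise ArgumentError, 'missing anti-hijack prefix'
  end
  JSON.parse(body[ANTI_HIJACK_PREFIX.length..-1])
end

# Constructed sample data standing in for an admin-only orders listing;
# a real application would load orders for the signed-in admin.
SAMPLE_ORDERS = [
  { 'number' => 'R000000001', 'email' => 'buyer@example.com', 'total' => '19.99' }
].freeze

# Minimal handler modelling a hypothetical /admin/orders.json endpoint.
# Returns a Rack-style [status, headers, body] triple.
def admin_orders_response(headers)
  unless xhr_json_request?(headers)
    return [403, { 'Content-Type' => 'text/plain' },
            'JSON requests must be made via XMLHttpRequest']
  end
  [200, { 'Content-Type' => 'application/json' }, protected_json(SAMPLE_ORDERS)]
end
```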

Special thanks to Conviso Security for reporting the problem to us, as well as the team at Locaweb for helping us to test the fix. This was another great example of the open source community working together to report and fix security issues in a timely manner. Remember, if you spot a security issue, please do not report it in a public forum or issue tracker. Send an email to security@railsdog.com so we can address the issue before publicizing the vulnerability.

New and Improved Extension Registry

Posted on November 01, 2010 by Sean Schofield

The Spree team is proud to announce the new and improved Extension Registry. We’ve been working on this off and on for a few months now, but we recently made it a priority since we’re going to need a good way to track Spree 0.30.x compatible extensions. The new extension registry is integrated right into the Spree site, so you can use the same account to maintain your extensions and to list your Spree sites in the showcase. We’ve also changed the login to use your email (instead of a separate login field), so please use the password reset and remember to log in with your email address if you’re having trouble accessing your account.

The new version of the registry has several improvements over the previous incarnation. The first improvement is the ability to add comments. This will allow users to add little bits of advice, etc., to help with usage and development efforts for the various extensions. We’re also integrating with the GitHub and RubyGems services, so it will be easier to get information on the source code and gem versions. Finally, we have a simple voting system which will allow owners and users of extensions to assert compatibility with a particular version of Spree. Users can override the opinion of the extension author if enough of them agree. Hopefully this will lead to a higher degree of confidence whenever you find an extension that is "green" for the version of Spree you’re interested in.

We’ve got a lot more ideas for the extension registry moving forward, but we decided to push out what we have rather than waiting for it to be perfect. Ultimately we’d like to see more support for identifying viable forks and for allowing other users to "take over" maintenance of an extension (and change the official repo location). It would also be nice to mark certain extensions as "abandoned" or "defunct" when they are superseded by new extensions or when their functionality is incorporated into Spree itself.

Special thanks to Zac Williams for his hard work on getting this built. In a few short days you should start to see more Spree 0.30.x compatible extensions listed as we start to go through them and add them to the registry.

Spree 0.11.1 Released

Posted on October 12, 2010 by Sean Schofield

Spree 0.11.1 has been officially released. This is a patch release that addresses several issues discovered since 0.11.0. It is also the last expected release before the new Rails 3 compatible version of Spree. We’ll continue to maintain the 0-11-stable branch, but the focus will be on bug fixes as opposed to adding new features.

The new release addresses the following issues:

  • 818 – Migrate taxons to nested set for major performance boost
  • 1303 – Taxonomies with no taxons cause NoMethodError
  • 1414 – Bump will_paginate to 2.3.12
  • 1439 – Bump state_machine to latest version
  • 1452 – Extra closing tags in checkouts/_address
  • 1462 – Fix path finding for script/extension script
  • 1463 – Remove deprecated script/breakpointer
  • 1464 – Remove deprecated script/performance/request
  • 1475 – Require email address on checkout model
  • 1482 – Creditcard model only integer validation is wrong in syntax
  • 1492 – "no such file to load -- rspec" when running the tests
  • 1494 – Allow specifying where shipping methods are displayed
  • 1499 – Fix escaping HTML issue with rails 2.3.8
  • 1503 – Fix admin additional field labels id
  • 1509 – Extensions are not being loaded
  • 1515 – Shipping Methods mixed up between Country-based zone and State-based zone
  • 1523 – error from double submit on checkout payment
  • 1526 – Cannot proceed to delivery from address step when address fails to validate
  • 1534 – Backport patches from rails3 branch
  • 1538 – Could not use Check payment because of the credit card payment validation JS
  • 1541 – Tidy up admin interface
  • 1572 – Checkout validation can raise exception in certain states
  • 1573 – Sample payments not capturing properly
  • 1574 – Editing a paid order in admin screen can result in incorrect shipment states
  • 1621 – Add validationMode support to Gateway::AuthorizeNetCim
  • 1636 – Coupon submission destroying payment
  • 1654 – RMA number changes when record updated
  • 1658 – Credits / Voids can result in invalid order states
  • 1668 – Canceled order should allow balance_due or credit_owed state