This is a patch release containing a single important security fix. The security vulnerability was reported late yesterday and affects only the 0.9.0 and 0.9.1 versions of Spree. Sites running older versions of Spree (0.8.x, etc.) are not affected. If your site provides its own custom version of
checkout_controller.rb then you will want to make some modifications.
Add this filter to the top of your controller:
<p>before_filter :prevent_editing_complete_order, :only => [:edit, :update]</p>
Then add the following method to your controller as well:
<p>def prevent_editing_complete_order<br /> load_object<br /> redirect_to order_url(parent_object) if @order.checkout_complete<br /> end</p>
In the future if you suspect a security bug. Please send an email to
firstname.lastname@example.org. Please do not send a message to spree-user until we have a chance to verify the issue and hopefully provide a timely fix.