CVE-2013-1656

@@ -3,6 +3,7 @@ module Admin
     class PaymentMethodsController < ResourceController
       skip_before_filter :load_resource, :only => [:create]
       before_filter :load_data
+      before_filter :validate_payment_method_provider, :only => :create
 
       respond_to :html
 
@@ -50,6 +51,14 @@ def update
       def load_data
         @providers = Gateway.providers.sort{|p1, p2| p1.name <=> p2.name }
       end
+
+      def validate_payment_method_provider
+        valid_payment_methods = Rails.application.config.spree.payment_methods.map(&:to_s)
+        if !valid_payment_methods.include?(params[:payment_method][:type])
+          flash[:error] = t(:invalid_payment_provider)
+          redirect_to new_admin_payment_method_path
+        end
+      end
     end
   end
 end

@@ -1,7 +1,9 @@
 class Spree::Admin::PromotionActionsController < Spree::Admin::BaseController
+  before_filter :load_promotion, :only => [:create, :destroy]
+  before_filter :validate_promotion_action_type, :only => :create
+
   def create
     @calculators = Spree::Promotion::Actions::CreateAdjustment.calculators
-    @promotion = Spree::Promotion.find(params[:promotion_id])
     @promotion_action = params[:action_type].constantize.new(params[:promotion_action])
     @promotion_action.promotion = @promotion
     if @promotion_action.save
@@ -14,7 +16,6 @@ def create
   end
 
   def destroy
-    @promotion = Spree::Promotion.find(params[:promotion_id])
     @promotion_action = @promotion.promotion_actions.find(params[:id])
     if @promotion_action.destroy
       flash[:success] = I18n.t(:successfully_removed, :resource => I18n.t(:promotion_action))
@@ -24,4 +25,21 @@ def destroy
       format.js   { render :layout => false }
     end
   end
+
+  private
+
+  def load_promotion
+    @promotion = Spree::Promotion.find(params[:promotion_id])
+  end
+
+  def validate_promotion_action_type
+    valid_promotion_action_types = Rails.application.config.spree.promotions.actions.map(&:to_s)
+    if !valid_promotion_action_types.include?(params[:action_type])
+      flash[:error] = t(:invalid_promotion_action)
+      respond_to do |format|
+        format.html { redirect_to spree.edit_admin_promotion_path(@promotion)}
+        format.js   { render :layout => false }
+      end
+    end
+  end
 end

@@ -1,8 +1,10 @@
 class Spree::Admin::PromotionRulesController < Spree::Admin::BaseController
   helper 'spree/promotion_rules'
 
+  before_filter :load_promotion, :only => [:create, :destroy]
+  before_filter :validate_promotion_rule_type, :only => :create
+
   def create
-    @promotion = Spree::Promotion.find(params[:promotion_id])
     # Remove type key from this hash so that we don't attempt
     # to set it when creating a new record, as this is raises
     # an error in ActiveRecord 3.2.
@@ -19,7 +21,6 @@ def create
   end
 
   def destroy
-    @promotion = Spree::Promotion.find(params[:promotion_id])
     @promotion_rule = @promotion.promotion_rules.find(params[:id])
     if @promotion_rule.destroy
       flash[:success] = I18n.t(:successfully_removed, :resource => I18n.t(:promotion_rule))
@@ -29,4 +30,21 @@ def destroy
       format.js   { render :layout => false }
     end
   end
+
+  private
+
+  def load_promotion
+    @promotion = Spree::Promotion.find(params[:promotion_id])
+  end
+
+  def validate_promotion_rule_type
+    valid_promotion_rule_types = Rails.application.config.spree.promotions.rules.map(&:to_s)
+    if !valid_promotion_rule_types.include?(params[:promotion_rule][:type])
+      flash[:error] = t(:invalid_promotion_rule)
+      respond_to do |format|
+        format.html { redirect_to spree.edit_admin_promotion_path(@promotion)}
+        format.js   { render :layout => false }
+      end
+    end
+  end
 end

@@ -5,19 +5,6 @@ class PromotionsController < ResourceController
       helper 'spree/promotion_rules'
 
       protected
-        def build_resource
-          if params[:promotion]
-            calculator_type = params[:promotion].delete(:calculator_type)
-            @promotion = Promotion.new(params[:promotion])
-            if calculator_type
-              @promotion.calculator = calculator_type.constantize.new
-            end
-          else
-            @promotion = Promotion.new
-          end
-          @promotion
-        end
-
         def location_after_save
           spree.edit_admin_promotion_url(@promotion)
         end

@@ -17,12 +17,29 @@ module Spree
     # regression test for #2094
     it "does not clear password on update" do
       payment_method.preferred_password.should == "haxme"
-      spree_put :update, :id => payment_method.id, :payment_method => { :type => payment_method.class.to_s, :preferred_password => "" } 
+      spree_put :update, :id => payment_method.id, :payment_method => { :type => payment_method.class.to_s, :preferred_password => "" }
       response.should redirect_to(spree.edit_admin_payment_method_path(payment_method))
 
       payment_method.reload
       payment_method.preferred_password.should == "haxme"
     end
 
+    it "can create a payment method of a valid type" do
+      expect {
+        spree_post :create, :payment_method => { :name => "Test Method", :type => "Spree::Gateway::Bogus" }
+      }.to change(Spree::PaymentMethod, :count).by(1)
+
+      response.should be_redirect
+      response.should redirect_to spree.edit_admin_payment_method_path(assigns(:payment_method))
+    end
+
+    it "can not create a payment method of an invalid type" do
+      expect {
+        spree_post :create, :payment_method => { :name => "Invalid Payment Method", :type => "Spree::InvalidType" }
+      }.to change(Spree::PaymentMethod, :count).by(0)
+
+      response.should be_redirect
+      response.should redirect_to spree.new_admin_payment_method_path
+    end
   end
 end

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe Spree::Admin::PromotionActionsController do
+  stub_authorization!
+
+  let!(:promotion) { create(:promotion) }
+
+  it "can create a promotion action of a valid type" do
+    spree_post :create, :promotion_id => promotion.id, :action_type => "Spree::Promotion::Actions::CreateAdjustment"
+    response.should be_redirect
+    response.should redirect_to spree.edit_admin_promotion_path(promotion)
+    promotion.actions.count.should == 1
+  end
+
+  it "can not create a promotion action of an invalid type" do
+    spree_post :create, :promotion_id => promotion.id, :action_type => "Spree::InvalidType"
+    response.should be_redirect
+    response.should redirect_to spree.edit_admin_promotion_path(promotion)
+    promotion.rules.count.should == 0
+  end
+end

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe Spree::Admin::PromotionRulesController do
+  stub_authorization!
+
+  let!(:promotion) { create(:promotion) }
+
+  it "can create a promotion rule of a valid type" do
+    spree_post :create, :promotion_id => promotion.id, :promotion_rule => { :type => "Spree::Promotion::Rules::Product" }
+    response.should be_redirect
+    response.should redirect_to spree.edit_admin_promotion_path(promotion)
+    promotion.rules.count.should == 1
+  end
+
+  it "can not create a promotion rule of an invalid type" do
+    spree_post :create, :promotion_id => promotion.id, :promotion_rule => { :type => "Spree::InvalidType" }
+    response.should be_redirect
+    response.should redirect_to spree.edit_admin_promotion_path(promotion)
+    promotion.rules.count.should == 0
+  end
+end

@@ -110,7 +110,7 @@
     it "should allow an admin to create an product promo with percent per item discount" do
       create(:product, :name => "RoR Mug")
 
-      fill_in "Name", :with => "Promotion" 
+      fill_in "Name", :with => "Promotion"
       select2 "Add to cart", :from => "Event Name"
       click_button "Create"
       page.should have_content("Editing Promotion")

@@ -529,6 +529,9 @@ en:
   intercept_email_address: "Intercept Email Address"
   intercept_email_instructions: "Override email recipient and replace with this address."
   invalid_search: "Invalid search criteria."
+  invalid_payment_provider: "Invalid payment provider."
+  invalid_promotion_action: "Invalid promotion action."
+  invalid_promotion_rule: "Invalid promotion rule."
   inventory: Inventory
   inventory_adjustment: "Inventory Adjustment"
   inventory_setting_description: "Inventory Configuration, Backordering, Zero-Stock Display."