Archive for July, 2012

Spree 1.1.3 Released

Spree 1.1.3 has been released. This is a patch release for compatibility with the new Rails 3.2.7 release. The newest version of Rails contains a minor security fix, so you’re encouraged to update at your earliest convenience.

This release also contains a variety of other small bug fixes. Special thanks to Moritz Breit for reporting a potential security issue which has since been investigated and addressed.

Please see the Github compare for a complete list of changes in this release.

Rejected Logo Options for Spree

Over two years ago we asked our friends at Dynamo to come up with a cool new logo for Spree. They came through with the awesome logo that we all know and love today. I thought it would be fun, however, to look back at some of the other options that were also considered.

Option 1: Woosh Cart

From the designer:

This speeding cart is an iconic way to represent a fast, efficient check-out system. The logotype’s form complements this thinking, being efficient and communicating clearly without unnecessary detail. The rounded edges give it a modern and human feel and the simplicity of the form makes it both ownable as a unique brand asset and easy to reproduce in any resolution.

Personally I thought it looked like someone giving me the finger. Once I saw this I could not “unsee” it. It looked a little better with a different color scheme and embedded in a circle but still not what we wanted.

Option 2: Rocket Cart

From the designer:

Taking the speed notion one step further - one giant leap if you will - the introduction of the flames adds both a more humorous, exaggerated and youthful dimension that also reinforces the notion of transactional efficiency and best-of-breed performance. It’s a memorable brand icon with personality that communicates brand confidence.

Again, pretty interesting but this time it looked like the cart was farting.

Option 3: Emoticart

From the designer:

This logotype communicates so much in such an efficient package - in a similar way to the ubiquitous “and you’re done” - but what it highlights most is the idea of satisfaction. Satisfaction is a key concept for shoppers, and it directly translates into trust in the online world. Consumer trust builds brands, and this Spree identity is in a universal graphic language that is perfected for the industry and medium. The product is on your mind and in your cart, and before you know, you’ve got it. And that makes a whole lot of happy. The typography remains understated and simple, to complement the idea.

I immediately smiled when I saw this one. At first it seemed perhaps too bold of a choice but the more I looked at it the more I liked it. Other people told me they liked the Rocket Cart but I hated it. I didn’t want a logo that I personally didn’t love myself. We were a little worried though when we found out that most women we showed it to seemed to hate it.

The Final Result

We decided to let our customers decide and they universally loved the Emoticart so that made the decision easy. We worked on the color scheme and font and came up with the result that we all recognize today.

Every once in a while my wife will see the current logo and say to me “you should have gone with the ‘farty cart’.”

Vote Now!

So what do you think of the Spree logo? Visit our Facebook Page and vote on whether we made the right choice or whether we made a big mistake.

Complete Redesign of Spree Analytics

We’re pleased to announce a completely redesigned version of the analytics dashboard that ships with Spree. This dashboard is automatically available to all stores running Spree 1.0.x or higher and will be displayed in your admin panel without having to take any steps to upgrade.

The above screenshot doesn’t really do the new interface justice. You’ll have to see it in action to get a sense for how great the improvements are. If you are running a version of Spree prior to 1.0.x you can still get the analytics functionality by using the spree_analytics extension. Let us know what you think!

Spree 1.0.6 Released

Spree 1.0.6 has been released. This release is just a minor patch release to fix a few issues with attr_accessible and the latest Rails 3.1.6 release. The previous Spree 1.0.5 release has been yanked since it was not compatible with the latest Rails 3.1.x version.

Please see the Github compare for a complete list of changes in this release. There are no security fixes in this release.

Upcoming Changes to Checkout Customization

A lot of our users have complained about how hard it is to customize the checkout flow of Spree. Some of our users wanted to remove the delivery step when shoppers had only digital goods in their cart. Others wanted to remove all the steps except for address. Another group wanted to be able to add steps to the checkout process in between the currently existing steps.

Currently, you need to override the entire state machine inside the Spree::Order class to do this, even including events that you shouldn’t need to care about, such as cancel and return authorizations.

We’ve recently had a long discussion about this on an issue brought up by one of our users, Colin Gemmell. In this instance, Colin wanted to re-define the state machine, but ran into problems where in doing so, it would raise spammy warnings about method redefinitions. It would seem that the current practice of overriding the entire state machine is a bad idea.

To fix this, we thought about the problem for quite a while and came up with a tidy DSL that will allow you to define the checkout flow for orders in a Spree store. This DSL is built on top of the DSL that the state_machine gem provides, and looks like this:

Order.class_eval do
  checkout_flow do
    go_to_state :address
    go_to_state :delivery
    go_to_state :payment, :if => lambda { payment_required? }
    go_to_state :confirm, :if => lambda { confirmation_required? }
    go_to_state :complete
    remove_transition :from => :delivery, :to => :confirm
  end
end

This new DSL is all about not redefining the entire state machine. Everyone who’s attempted to customize the checkout process has inevitably done so because they wanted to alter the checkout flow. That’s what this new DSL will allow you to do. Rather than editing the entire state machine, the new DSL will only define the transitions that are to happen during the next event, which is what is used during the checkout process.

This new checkout_flow is used to define the flow of the checkout around each Order object. The go_to_state method will define a transition from the previous state into the new state. If the go_to_state call has an if on the end of it, it will keep track of all states until it finds a state that does not have a conditional. Once that happens, transitions will be defined for the intermediary states.

The remove_transition method will remove the transition specified, if it exists.

To understand this better, take a look at this handy image:

Given the above state machine, the following transitions will be defined:

  • Cart to Address
  • Address to Delivery
  • Delivery to Payment
  • Delivery to Confirm
  • Delivery to Complete
  • Payment to Confirm
  • Payment to Complete
  • Confirm to Complete

However, the “Delivery to Confirm” transition will be removed by the remove_transition call, meaning that it will be impossible for orders to transition from delivery to confirm.
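The transition rule described above can be modelled in a few lines of plain Ruby, which is handy when reviewing which checkout steps a customized flow lets an order skip. This is an added example, not Spree's implementation: CheckoutFlowModel, SampleOrder, FLOW and next_state are hypothetical names, and choosing the first transition whose condition holds is an assumption of the model.

```ruby
# Added illustration, not Spree code; CheckoutFlowModel and the constructed SampleOrder are hypothetical.
class CheckoutFlowModel
  def initialize(initial_state, &block)
    @states, @conditions, @removed = [initial_state], {}, []
    instance_eval(&block)
  end

  def go_to_state(name, options = {})
    @states << name
    @conditions[name] = options[:if] if options[:if]
  end

  def remove_transition(options)
    @removed << [options[:from], options[:to]]
  end

  # Each state transitions to every following state, through the first one declared without :if.
  def transitions
    pairs = []
    @states.each_with_index do |from, i|
      @states[(i + 1)..-1].each do |to|
        pairs << [from, to]
        break unless @conditions.key?(to)
      end
    end
    pairs - @removed
  end

  # First permitted target from `current` whose condition holds for `order`.
  def next_state(current, order)
    transitions.select { |from, _| from == current }.map(&:last).find do |to|
      !@conditions.key?(to) || order.instance_exec(&@conditions[to])
    end
  end
end

SampleOrder = Struct.new(:pay, :confirm) do
  def payment_required?; pay; end
  def confirmation_required?; confirm; end
end

FLOW = CheckoutFlowModel.new(:cart) do
  go_to_state :address
  go_to_state :delivery
  go_to_state :payment, :if => lambda { payment_required? }
  go_to_state :confirm, :if => lambda { confirmation_required? }
  go_to_state :complete
  remove_transition :from => :delivery, :to => :confirm
end
```

In this model, with the delivery-to-confirm transition removed, an order that needs no payment goes from delivery straight to complete even when it requires confirmation.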

We believe this will make it easier for people to customize the state machine than has ever been possible before. Look for it in the next Spree release!

Important Security Updates

We have just released several new versions of Spree which contain important security fixes. A vulnerability exists in Product Scopes that could allow for unauthenticated remote command execution. There is also a potential XSS vulnerability related to the analytics dashboard. Finally, the new releases also upgrade to the latest version of Rails, which includes additional security fixes addressed by the Rails team.

The remote command execution vulnerability is quite serious and affects all versions of Spree. You should upgrade to one of the following secure versions of Spree immediately: 0.11.4, 0.70.6, 1.0.5 or 1.1.2.

Thanks to joernchen from Phenoelit and Michael Bianco from Ascension Press for bringing these issues to our attention.

If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at and we will investigate and fix the issue as quickly as possible.

Please consult the following list of scenarios to find out what the recommendations are for your particular version of Spree.

Spree Versions Affected


The patch has been applied to the repo with the following commits: 7f1e5d3 and 3db9a6e. Update to 7f1e5d3 or a more recent one to be protected.


It’s recommended that you update to v1.1.2. This contains the security fix as well as other bug and stability fixes.

See the Github compare view for the full details.


It’s recommended that you update to v1.0.5. This contains the security fix as well as other bug and stability fixes.


It’s recommended that you update to v0.70.6. This release contains only the security fix.

0.20.x - 0.60.x

It’s recommended that you update to v0.70.6. This is a fairly easy upgrade (no major changes in Rails version, etc.) and we cannot continue to support older versions of Spree indefinitely.


It’s recommended that you update to v0.11.4. This release contains only the security fix.
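One way to check a deployed store against the fixed releases named in this advisory is to read the resolved spree version out of Gemfile.lock. This is an added example, not part of the original post or of Spree: the function names and the sample lockfile are constructed, and matching a version to a fixed release by its major.minor series (or, for older series, to the next fixed release above it) is an assumption inferred from the version numbers listed above.

```ruby
# Added example, not Spree code. Fixed releases are the ones named in the advisory.
FIXED_RELEASES = %w[0.11.4 0.70.6 1.0.5 1.1.2].map { |v| Gem::Version.new(v) }

# Extracts the resolved version of a gem from Gemfile.lock text.
# Resolved specs are indented four spaces; dependency lines (six spaces) are ignored.
def locked_version(lockfile_text, gem_name = 'spree')
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Returns [:fixed, nil], [:vulnerable, upgrade_target] or [:not_covered, nil].
# Assumption: a version belongs to the fixed release sharing its major.minor;
# older series with no release of their own move up to the next fixed release.
def advisory_status(version)
  same_series = FIXED_RELEASES.find { |f| f.segments.first(2) == version.segments.first(2) }
  return [:fixed, nil] if same_series && version >= same_series
  target = same_series || FIXED_RELEASES.find { |f| f > version }
  target ? [:vulnerable, target] : [:not_covered, nil]
end

# Constructed sample lockfile fragment.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spree (1.1.1)
        spree_core (= 1.1.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  version = locked_version(SAMPLE_LOCK)
  status, target = advisory_status(version)
  puts "spree #{version}: #{status}#{target ? ", update to #{target}" : ''}"
end
```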

Spree Analytics Extension

If you are using the spree_analytics extension you need to update to 079949fd to receive the most recent security fix. If you are using Spree 1.0.x or greater the analytics is included in Spree and updating to the latest secure Spree version will take care of this for you.

Spree Commitment to Security

The Spree team remains committed to the highest standard of security in its software. Spree is used by thousands of stores worldwide and the source code is under constant review by the community. We believe in disclosing all security vulnerabilities to the public in a timely and responsible fashion. Thanks again to joernchen from Phenoelit and Michael Bianco from Ascension Press for working with us while we resolved this issue.

This project is maintained by a core team of developers and is freely available for commercial use under the terms of the New BSD License.

Spree, Spree Commerce and the Spree logo are all trademarks of Spree Commerce, Inc.