Merge branch '5.x' into 6.x

lukeholder · lukeholder · commit 36d2838d5a0a · 2026-03-11T20:51:10.000+08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,9 @@
 ## Unreleased
 
 - Improved product index performance by not eager-loading variants for table attributes that are already fetched via SQL joins. ([#4236](https://github.com/craftcms/commerce/issues/4236))
-- Fixed a bug where coupon codes would be automatically submitted too soon while entering them on order edit screens.
+- Fixed a bug where coupon codes were submitted too early while being entered on order edit screens.
+- Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SQL injection vulnerability in the control panel. (GHSA-875v-7m49-8x88)
+- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) Information disclosure vulnerability in payment controller action. (GHSA-3vxg-x5f8-f5qf)
 
 ## 5.5.4 - 2026-02-18
 
@@ -23,9 +25,9 @@
 - Fixed a SQL error that could occur when querying variants on PostgreSQL. ([#4210](https://github.com/craftcms/commerce/issues/4210))
 - Fixed an error that could occur when merging canonical product changes into a draft. ([#4199](https://github.com/craftcms/commerce/issues/4199))
 - Fixed a bug where variants weren’t being marked as modified when variants were added, deleted, or reordered. ([#4222](https://github.com/craftcms/commerce/pull/4222))
-- Fixed [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SQL injection vulnerabilities in the control panel. (GHSA-j3x5-mghf-xvfw, GHSA-pmgj-gmm4-jh6j)
-- Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) XSS vulnerability in the control panel. (GHSA-cfpv-rmpf-f624)
-- Fixed [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) XSS vulnerabilities in the control panel. (GHSA-mqxf-2998-c6cp, GHSA-wj89-2385-gpx3, GHSA-mj32-r678-7mvp)
+- Fixed [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SQL injection vulnerabilities in the control panel. ([GHSA-j3x5-mghf-xvfw](https://github.com/craftcms/commerce/security/advisories/GHSA-j3x5-mghf-xvfw), [GHSA-pmgj-gmm4-jh6j](https://github.com/craftcms/commerce/security/advisories/GHSA-pmgj-gmm4-jh6j))
+- Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) XSS vulnerability in the control panel. ([GHSA-cfpv-rmpf-f624](https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624))
+- Fixed [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) XSS vulnerabilities in the control panel. ([GHSA-mqxf-2998-c6cp](https://github.com/craftcms/commerce/security/advisories/GHSA-mqxf-2998-c6cp), [GHSA-wj89-2385-gpx3](https://github.com/craftcms/commerce/security/advisories/GHSA-wj89-2385-gpx3), [GHSA-mj32-r678-7mvp](https://github.com/craftcms/commerce/security/advisories/GHSA-mj32-r678-7mvp))
 
 ## 5.5.2 - 2025-12-31
 
diff --git a/src/controllers/FormulasController.php b/src/controllers/FormulasController.php
@@ -9,7 +9,6 @@
 
 use Craft;
 use craft\commerce\Plugin;
-use craft\web\Controller;
 use yii\web\BadRequestHttpException;
 use yii\web\Response;
 
@@ -19,7 +18,7 @@
  * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
  * @since 2.2
  */
-class FormulasController extends Controller
+class FormulasController extends BaseCpController
 {
     /**
      * @throws BadRequestHttpException
diff --git a/src/controllers/InventoryController.php b/src/controllers/InventoryController.php
@@ -28,7 +28,6 @@
 use craft\helpers\Cp;
 use craft\helpers\Html;
 use craft\web\assets\htmx\HtmxAsset;
-use craft\web\Controller;
 use craft\web\CpScreenResponseBehavior;
 use yii\base\InvalidConfigException;
 use yii\db\Exception;
@@ -43,12 +42,10 @@
  * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
  * @since 5.0.0
  */
-class InventoryController extends Controller
+class InventoryController extends BaseCpController
 {
     public $defaultAction = 'index';
 
-    protected array|int|bool $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;
-
     /**
      * @param int|null $inventoryItemId
      * @param InventoryItem|null $inventoryItem
@@ -709,6 +706,8 @@ public function actionEditMovementModal(): Response
      */
     public function actionUnfulfilledOrders(): Response
     {
+        $this->requirePermission('commerce-manageInventoryStockLevels');
+
         $view = Craft::$app->getView();
         $view->registerAssetBundle(InventoryAsset::class);
 
diff --git a/src/controllers/InventoryLocationsController.php b/src/controllers/InventoryLocationsController.php
@@ -19,7 +19,6 @@
 use craft\helpers\ArrayHelper;
 use craft\helpers\Cp;
 use craft\helpers\Html;
-use craft\web\Controller;
 use Throwable;
 use yii\base\InvalidConfigException;
 use yii\db\Exception;
@@ -34,10 +33,8 @@
  * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
  * @since 5.0.0
  */
-class InventoryLocationsController extends Controller
+class InventoryLocationsController extends BaseCpController
 {
-    protected array|int|bool $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;
-
     /**
      * @inheritdoc
      */
diff --git a/src/controllers/PaymentsController.php b/src/controllers/PaymentsController.php
@@ -142,9 +142,7 @@ public function actionPay(): ?Response
 
         if (!$order->getIsActiveCart() && !$checkPaymentCanBeMade) {
             $error = Craft::t('commerce', 'Email required to make payments on a completed order.');
-            return $this->asFailure($error, data: [
-                $this->_cartVariableName => $this->cartArray($order),
-            ]);
+            return $this->asFailure($error);
         }
 
         if ($order->getStore()->getRequireShippingAddressAtCheckout() && !$order->shippingAddressId) {
diff --git a/src/controllers/ProductsController.php b/src/controllers/ProductsController.php
@@ -27,7 +27,7 @@
  * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
  * @since 2.0
  */
-class ProductsController extends BaseController
+class ProductsController extends BaseCpController
 {
     /**
      * @throws InvalidConfigException
diff --git a/src/controllers/SubscriptionsController.php b/src/controllers/SubscriptionsController.php
@@ -140,6 +140,7 @@ public function actionSave(): ?Response
     public function actionRefreshPayments(): Response
     {
         $this->requirePostRequest();
+        $this->requirePermission('commerce-manageSubscriptions');
 
         $subscriptionId = $this->request->getRequiredBodyParam('subscriptionId');
 
diff --git a/src/controllers/VariantsController.php b/src/controllers/VariantsController.php
@@ -15,7 +15,7 @@
  * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
  * @since 5.0.0
  */
-class VariantsController extends BaseController
+class VariantsController extends BaseCpController
 {
     /**
      * @return Response
diff --git a/src/elements/Product.php b/src/elements/Product.php
@@ -1201,7 +1201,6 @@ public function getVariants(bool $includeDisabled = false): VariantCollection
      * @throws InvalidConfigException
      * @internal Do not use. Temporary method until we get a nested element manager provider in core.
      *
-     * TODO: Remove this once we have a nested element manager provider interface in core.
      */
     public function getAllVariants(): VariantCollection
     {
diff --git a/src/services/Carts.php b/src/services/Carts.php
@@ -279,7 +279,7 @@ public function forgetCart(): void
      */
     public function generateCartNumber(): string
     {
-        return md5(uniqid((string)mt_rand(), true));
+        return bin2hex(random_bytes(16));
     }
 
     /**
diff --git a/src/stats/TotalRevenue.php b/src/stats/TotalRevenue.php
@@ -44,6 +44,11 @@ class TotalRevenue extends Stat
      */
     public function getData(): ?array
     {
+        $allowedTypes = [self::TYPE_TOTAL, self::TYPE_TOTAL_PAID];
+        if (!in_array($this->type, $allowedTypes, true)) {
+            $this->type = self::TYPE_TOTAL;
+        }
+
         return $this->_createChartQuery(
             [
                 new Expression(sprintf('SUM([[%s]]) as revenue', $this->type)),
diff --git a/src/translations/fr/commerce.php b/src/translations/fr/commerce.php
@@ -1286,7 +1286,7 @@
     'Variant Fields' => 'Champs variante',
     'Variant Has Untracked Stock' => 'La variante a un stock non suivi',
     'Variant Price' => 'Prix de la variante',
-    'Variant SKU' => 'UGS de la variante',
+    'Variant SKU' => 'SKU de la variante',
     'Variant Search' => 'Rechercher une variante',
     'Variant Stock' => 'Stock de la variante',
     'Variant Title Format' => 'Format du titre de variante',
diff --git a/src/widgets/TotalRevenue.php b/src/widgets/TotalRevenue.php
@@ -52,6 +52,17 @@ class TotalRevenue extends Widget
      */
     private TotalRevenueStat $_stat;
 
+    /**
+     * @inheritdoc
+     */
+    protected function defineRules(): array
+    {
+        $rules = parent::defineRules();
+        $rules[] = [['type'], 'in', 'range' => [TotalRevenueStat::TYPE_TOTAL, TotalRevenueStat::TYPE_TOTAL_PAID]];
+
+        return $rules;
+    }
+
     /**
      * @inheritDoc
      */

Original file line number	Diff line number	Diff line change
`@@ -142,9 +142,7 @@ public function actionPay(): ?Response`
`142`	`142`
`143`	`143`	`if (!$order->getIsActiveCart() && !$checkPaymentCanBeMade) {`
`144`	`144`	`$error = Craft::t('commerce', 'Email required to make payments on a completed order.');`
`145`		`- return $this->asFailure($error, data: [`
`146`		`- $this->_cartVariableName => $this->cartArray($order),`
`147`		`- ]);`
	`145`	`+ return $this->asFailure($error);`
`148`	`146`	`}`
`149`	`147`
`150`	`148`	`if ($order->getStore()->getRequireShippingAddressAtCheckout() && !$order->shippingAddressId) {`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@`
`27`	`27`	`* @author Pixel & Tonic, Inc. <support@pixelandtonic.com>`
`28`	`28`	`* @since 2.0`
`29`	`29`	`*/`
`30`		`-class ProductsController extends BaseController`
	`30`	`+class ProductsController extends BaseCpController`
`31`	`31`	`{`
`32`	`32`	`/**`
`33`	`33`	`* @throws InvalidConfigException`
Original file line number	Diff line number	Diff line change
`@@ -140,6 +140,7 @@ public function actionSave(): ?Response`
`140`	`140`	`public function actionRefreshPayments(): Response`
`141`	`141`	`{`
`142`	`142`	`$this->requirePostRequest();`
	`143`	`+ $this->requirePermission('commerce-manageSubscriptions');`
`143`	`144`
`144`	`145`	`$subscriptionId = $this->request->getRequiredBodyParam('subscriptionId');`
`145`	`146`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@`
`15`	`15`	`* @author Pixel & Tonic, Inc. <support@pixelandtonic.com>`
`16`	`16`	`* @since 5.0.0`
`17`	`17`	`*/`
`18`		`-class VariantsController extends BaseController`
	`18`	`+class VariantsController extends BaseCpController`
`19`	`19`	`{`
`20`	`20`	`/**`
`21`	`21`	`* @return Response`
Original file line number	Diff line number	Diff line change
`@@ -1201,7 +1201,6 @@ public function getVariants(bool $includeDisabled = false): VariantCollection`
`1201`	`1201`	`* @throws InvalidConfigException`
`1202`	`1202`	`* @internal Do not use. Temporary method until we get a nested element manager provider in core.`
`1203`	`1203`	`*`
`1204`		`- * TODO: Remove this once we have a nested element manager provider interface in core.`
`1205`	`1204`	`*/`
`1206`	`1205`	`public function getAllVariants(): VariantCollection`
`1207`	`1206`	`{`
Original file line number	Diff line number	Diff line change
`@@ -279,7 +279,7 @@ public function forgetCart(): void`
`279`	`279`	`*/`
`280`	`280`	`public function generateCartNumber(): string`
`281`	`281`	`{`
`282`		`- return md5(uniqid((string)mt_rand(), true));`
	`282`	`+ return bin2hex(random_bytes(16));`
`283`	`283`	`}`
`284`	`284`
`285`	`285`	`/**`