I was expecting that in the backend (or at least in the frontend) there would be a check whether the order belongs to the user (or seller or admin).
It seems that anyone could access the orders of another user (and thus also some additional data such as the shipping address).
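The ownership check described above, sketched as an added example (not the project's code, and not part of the original report). The field names `_id`, `user`, `seller`, `isSeller`, `isAdmin` and the in-memory `ORDERS` store are assumptions made for illustration.

```javascript
// Added example: object-level authorization for an order lookup.
// All field names and the ORDERS store are hypothetical, not taken from the project.

// Constructed sample data.
const ORDERS = new Map([
  ['o1', { _id: 'o1', user: 'u1', seller: 's1', shippingAddress: '1 Example St' }],
  ['o2', { _id: 'o2', user: 'u2', seller: 's1', shippingAddress: '2 Sample Ave' }],
]);

// True only for the buyer who placed the order, the seller fulfilling it, or an admin.
function canViewOrder(requester, order) {
  if (!requester || !order) return false;
  if (requester.isAdmin === true) return true;
  const id = String(requester._id);
  return String(order.user) === id ||
    (requester.isSeller === true && String(order.seller) === id);
}

// Missing check: any authenticated caller receives any order by id.
function getOrderUnchecked(requester, orderId) {
  const order = ORDERS.get(orderId);
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// With the check. The requester must come from the verified session or token,
// never from the request body or query string.
function getOrderChecked(requester, orderId) {
  if (!requester) return { status: 401, body: null };
  const order = ORDERS.get(orderId);
  // Same 404 for "missing" and "not yours", so order ids cannot be probed.
  if (!order || !canViewOrder(requester, order)) {
    return { status: 404, body: null };
  }
  return { status: 200, body: order };
}
```

The check has to run in the backend; a frontend-only check hides the page but leaves the order endpoint readable by anyone who calls it directly.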