craftcms / commerce

Fully integrated ecommerce for Craft CMS.
https://craftcms.com/commerce

[5.x]: Users with restricted site access rights can see all orders for all sites #3446

Closed gopeter closed 3 months ago

gopeter commented 3 months ago

What happened?

Description

Users with restricted site access rights can see all orders for all sites.

Steps to reproduce

  1. Create two sites (A & B) and two shops (1 & 2) and assign them like a 1:1 relation: A --> 1 and A --> 2
  2. Create a user and restrict access to site A
  3. Create an order on site B
  4. Login as this user and view orders
  5. The user is now able to see the order that was placed on site A even though he only has access to site B

Expected behavior

The user should see just the orders that were placed on the site he has rights for.

Actual behavior

The user can view all orders, regardless of his access rights.

Craft CMS version

5.0.1

Craft Commerce version

5.0.0-beta.2

PHP version

8.2.13

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

nfourtythree commented 3 months ago

Hi @gopeter

Thank you for bringing this to our attention. We have just pushed up a fix for this issue which will be included in the next release of the Commerce 5 beta.

Thanks!

brandonkelly commented 3 months ago

Commerce 5.0.0-beta.3 is out with that fix. Thanks again @gopeter!