kapilt / getpaid

Automatically exported from code.google.com/p/getpaid

anybody can see anybody's order #157

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. As an admin, go to portal setup -> Get Paid
2. click on the orders tab
3. click on an order
4. Now go to this order page as an anonymous user
5. You can see the page

What is the expected output? What do you see instead?
Only the person concerned by the order should be able to see the order
(unless you are logged in as a Manager)

Maurits said "Anonymous should probably only be allowed to see an order if
that order is from his own session or something." We need to find a way to
not show the sensible data to anybody.

Original issue reported on code.google.com by lucielej...@gmail.com on 15 Dec 2007 at 3:14

GoogleCodeExporter commented 8 years ago

Original comment by lucielej...@gmail.com on 15 Dec 2007 at 4:56

GoogleCodeExporter commented 8 years ago
The discussed way to fix this is to:
- revert to order history/detail needing authentication.
- add a condition to the last sentence on the checkout confirmation page ("You can check the status of your order here") so that it is only shown when the user is authenticated.

Original comment by cjj.ifpe...@gmail.com on 15 Dec 2007 at 6:52

GoogleCodeExporter commented 8 years ago
It is now fixed. But I noticed a new problem (I will enter a ticket for it). When you are anonymous and order something, you receive an email with... a link to your order in the site... we should check if the person is anonymous or not when we send the notification email.

Original comment by lucielej...@gmail.com on 16 Dec 2007 at 6:29
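The access policy agreed in this thread (order detail requires authentication; only the order's owner or a Manager may view it) and the follow-up point about not emailing an order link to anonymous customers, written out as an added, self-contained example. This is illustrative code, not getpaid's own classes or views; the `User`, `Order`, `can_view_order` and `status_line` names and the placeholder URL are assumptions.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# Hypothetical, simplified models standing in for the site's user and order objects.
@dataclass(frozen=True)
class User:
    user_id: Optional[str]                     # None means an anonymous visitor
    roles: FrozenSet[str] = field(default_factory=frozenset)

    @property
    def is_anonymous(self) -> bool:
        return self.user_id is None

@dataclass(frozen=True)
class Order:
    order_id: str
    owner_id: Optional[str]                    # None for an order placed anonymously

def can_view_order(user: User, order: Order) -> bool:
    """Authorization check for the order detail page.

    Anonymous visitors are always refused (the bug was that they were not),
    Managers may see every order, and everyone else only their own.
    Note the explicit None check: an anonymous order (owner_id None) must not
    match an anonymous viewer (user_id None) by accident.
    """
    if user.is_anonymous:
        return False
    if "Manager" in user.roles:
        return True
    return order.owner_id is not None and order.owner_id == user.user_id

ORDER_URL = "https://shop.example/orders/{order_id}"   # placeholder, not a real URL

def status_line(user: User, order: Order) -> str:
    """Text for the confirmation page and the notification email.

    The link to the order page is only useful to someone who can open it,
    so it is included for authenticated customers only; anonymous customers
    get the order number without a link.
    """
    if user.is_anonymous:
        return f"Your order number is {order.order_id}. Keep it for your records."
    url = ORDER_URL.format(order_id=order.order_id)
    return f"Your order number is {order.order_id}. You can check the status of your order here: {url}"
```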