I can go to any pages in the account section without being logged in! Granted, a bunch don't work, but it is possible to raise a return for somebody else's order!
Use an event listener on HttpKernel::REQUEST to boot out any requests to the ms.account if the user is not logged in.
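One way to write the request listener suggested above, as an added example that is not the project's own code. It assumes Symfony HttpKernel 4.3+ and PHP 8, that every route in the account collection is named `ms.account` or `ms.account.*`, and it uses a hypothetical `$isLoggedIn` callable and `/login` URL in place of the application's real session check.

```php
<?php
// Added example, not the project's code. Assumptions are marked inline.

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class AccountAccessListener implements EventSubscriberInterface
{
    // Assumption: account routes are named "ms.account" or "ms.account.*".
    private const PROTECTED_PREFIX = 'ms.account';

    /** @var callable(): bool Hypothetical check supplied by the application. */
    private $isLoggedIn;
    private string $loginUrl;

    public function __construct(callable $isLoggedIn, string $loginUrl = '/login')
    {
        $this->isLoggedIn = $isLoggedIn;
        $this->loginUrl = $loginUrl; // hypothetical login path
    }

    public static function getSubscribedEvents(): array
    {
        // Symfony's RouterListener runs at priority 32 and sets "_route";
        // a lower priority means the route name is already resolved here.
        return [KernelEvents::REQUEST => ['onKernelRequest', 16]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        // Sub-requests are checked as well, so an account controller cannot
        // be reached through an internal forward or fragment render.
        $route = (string) $event->getRequest()->attributes->get('_route', '');

        $protected = $route === self::PROTECTED_PREFIX
            || str_starts_with($route, self::PROTECTED_PREFIX . '.');

        if ($protected && !($this->isLoggedIn)()) {
            // setResponse() stops propagation; the controller never runs.
            $event->setResponse(new RedirectResponse($this->loginUrl));
        }
    }
}
```

This gate only establishes that someone is logged in; whether the logged-in user owns the order a return is raised against is a separate check in the controller.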