Spree::PaypalController#completion_route redirects to the order with a guest token set:
def completion_route(order)
order_path(order, :token => order.guest_token)
end
Is there a reason for this? One of our customers found their order success page with personal information indexed by Google because it was somehow able to index the page with the guest token, which means the page then becomes visible by the current browser and therefore the world. At least that's what I think is happening, I'm still trying to figure out how Spree authorisation/current order really works...
Spree::PaypalController#completion_route
redirects to the order with a guest token set:Is there a reason for this? One of our customers found their order success page with personal information indexed by Google because it was somehow able to index the page with the guest token, which means the page then becomes visible by the current browser and therefore the world. At least that's what I think is happening, I'm still trying to figure out how Spree authorisation/current order really works...
Could the token be removed from the URL?