spree-contrib / better_spree_paypal_express

A better Spree PayPal Express Extension.
http://guides.spreecommerce.org
BSD 3-Clause "New" or "Revised" License

Redirect to order with guest token on complete #146

Closed metade closed 9 years ago

metade commented 9 years ago

Spree::PaypalController#completion_route redirects to the order with a guest token set:

    def completion_route(order)
      order_path(order, :token => order.guest_token)
    end

Is there a reason for this? One of our customers found their order success page with personal information indexed by Google because it was somehow able to index the page with the guest token, which means the page then becomes visible by the current browser and therefore the world. At least that's what I think is happening, I'm still trying to figure out how Spree authorisation/current order really works...

Could the token be removed from the URL?

alepore commented 9 years ago

I think the guest token is required for anonymous checkouts (because users are not actually logged in).

alepore commented 9 years ago

merged #152
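An added example, not code from this extension and not the change merged in #152: a Rack-style middleware that marks any response to a request carrying the guest token in its query string as non-indexable, non-cacheable and referrer-free. The class name `GuestTokenUrlGuard` is hypothetical, and the query key `token` is assumed from `completion_route` above. It limits how far a token-bearing URL spreads; it does not remove the token from the URL.

```ruby
require "uri"

# Added example (hypothetical class, not part of better_spree_paypal_express).
# Wraps a Rack app and hardens responses to URLs that carry the guest token.
class GuestTokenUrlGuard
  TOKEN_PARAM = "token" # assumed: the key completion_route puts in the URL

  # Lowercase keys, as Rack 3 expects for response headers.
  HARDENING_HEADERS = {
    "x-robots-tag"    => "noindex, nofollow, noarchive", # keep crawlers out
    "referrer-policy" => "no-referrer",                  # no token in Referer
    "cache-control"   => "no-store"                      # no shared-cache copy
  }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.merge(HARDENING_HEADERS) if token_in_query?(env)
    [status, headers, body]
  end

  private

  # True when the query string has a non-empty value for TOKEN_PARAM.
  def token_in_query?(env)
    query = env["QUERY_STRING"].to_s
    URI.decode_www_form(query).any? do |key, value|
      key == TOKEN_PARAM && !value.empty?
    end
  rescue ArgumentError
    # decode_www_form rejects input it cannot parse (e.g. non-ASCII bytes);
    # fail closed with a raw substring match instead of skipping the headers.
    query.include?("#{TOKEN_PARAM}=")
  end
end
```

In a Rails application a middleware like this would be registered with `config.middleware.use`.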