spree-contrib / better_spree_paypal_express

A better Spree PayPal Express Extension.
http://guides.spreecommerce.org
BSD 3-Clause "New" or "Revised" License

Don't redirect with a token. #152

Closed metade closed 9 years ago

metade commented 9 years ago

This exposes the order success page to the world, which raises all sorts of privacy concerns.

alepore commented 9 years ago

@metade how can anonymous users see their order without the token?

metade commented 9 years ago

They will still be able to return to the order success page on their current browser session, but on a new browser session they would have to sign in to be able to see it.

I don't see there's much value in anonymous access to an order complete page. Usually all the details you need are in the confirmation email, or if a more complex interaction is required, then the user needs to sign in to perform it.

More details here: https://github.com/spree/spree/pull/6072

alepore commented 9 years ago

@metade thanks, didn't notice it was also removed on spree
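
The access rule discussed in this thread, as an added example that is not code from this pull request, the extension, or Spree: a simplified Ruby model comparing a redirect that carries the order token in the URL with one that relies on the browser session or a signed-in owner. `Order`, the method names, the session key and the sample values are all hypothetical.

```ruby
require "uri"

# Simplified model; Order and every method here are hypothetical names.
Order = Struct.new(:number, :owner_id, :guest_token)

# Comparison whose timing does not depend on where the strings differ.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Query parameters of a URL as a symbol-keyed hash.
def params_from_url(url)
  query = URI.parse(url).query
  query ? URI.decode_www_form(query).to_h.transform_keys(&:to_sym) : {}
end

# Redirect with the token: the URL itself is the credential.
def redirect_with_token(order)
  "/orders/#{order.number}?" + URI.encode_www_form(token: order.guest_token)
end

# Redirect without the token: the URL carries no secret.
def redirect_without_token(order)
  "/orders/#{order.number}"
end

# Old rule: whoever presents the URL token may view the order.
def can_view_with_url_token?(order, params)
  secure_compare(params[:token], order.guest_token)
end

# New rule: the signed-in owner, or the session that placed the order.
def can_view_without_url_token?(order, session, current_user_id)
  return true if !current_user_id.nil? && current_user_id == order.owner_id
  secure_compare(session[:guest_token], order.guest_token)
end

if __FILE__ == $PROGRAM_NAME
  order  = Order.new("R000000001", 42, "constructed-token-123") # constructed sample
  copied = redirect_with_token(order) # the URL as any holder of it would present it
  puts can_view_with_url_token?(order, params_from_url(copied))   # true
  puts can_view_without_url_token?(order, {}, nil)                # false
  puts can_view_without_url_token?(order, { guest_token: order.guest_token }, nil) # true
end
```
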