Order & invoice details not secure [4.2.1650]
When not logged in, the order overview page doesn't give any results, which is obvious. However, the Order details and Invoice pages are hardcoded URLs (based on a GUID) and not secure whatsoever.
In my example:
http://sitefinity421650/orderpage/order/38638005-b23c-4b2f-8e28-07104f6bbae0/
http://sitefinity421650/orderpage/invoice/order/38638005-b23c-4b2f-8e28-07104f6bbae0/
One would have to guess the GUID naturally, but still these pages should be secured and only be viewable to the user whose orders it contains.
Setting Sitefinity permissions wouldn't work either, because they're role based which means customers could watch each others orders.
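Added example, not part of the original post and not Sitefinity code: a framework-neutral Python model of the three access decisions discussed above (GUID only, role-based permission, per-order ownership check). The `User`/`Order` types, the `Customers` role name and the users `alice` and `bob` are constructed for illustration; the GUID is the one from the example URLs.

```python
from dataclasses import dataclass
from typing import Optional
from uuid import UUID


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Order:
    order_id: UUID
    customer_id: str


# Constructed sample data: one order owned by "alice".
ORDER_ID = UUID("38638005-b23c-4b2f-8e28-07104f6bbae0")
ORDERS = {ORDER_ID: Order(ORDER_ID, customer_id="alice")}
ALICE = User("alice", frozenset({"Customers"}))  # hypothetical role name
BOB = User("bob", frozenset({"Customers"}))


def view_by_guid_only(user: Optional[User], order_id: UUID) -> Optional[Order]:
    """Behaviour reported in the post: knowing the GUID is enough."""
    return ORDERS.get(order_id)


def view_role_based(user: Optional[User], order_id: UUID) -> Optional[Order]:
    """Role-based page permission: any member of the role sees any order."""
    if user is None or "Customers" not in user.roles:
        return None
    return ORDERS.get(order_id)


def view_owner_only(user: Optional[User], order_id: UUID) -> Optional[Order]:
    """Object-level check: the order must belong to the requesting user."""
    order = ORDERS.get(order_id)
    if user is None or order is None or order.customer_id != user.user_id:
        return None  # same answer for "no such order" and "not your order"
    return order


def access_matrix() -> dict:
    """For each check, report which caller can view alice's order."""
    checks = {"guid_only": view_by_guid_only, "role_based": view_role_based,
              "owner_only": view_owner_only}
    callers = {"anonymous": None, "bob": BOB, "alice": ALICE}
    return {name: {who: fn(u, ORDER_ID) is not None for who, u in callers.items()}
            for name, fn in checks.items()}
```

Only `owner_only` denies both the anonymous caller and the other customer while still serving the owner.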
Hi Jochem,
Thank you for reporting this issue. We have verified the issue, and it will be fixed with the service pack release.
Kind regards,
Hi Venkata
When is the service pack due?
Cheers
Richard
Hi Venkata,
Thanks!