Order & invoice details not secure [4.2.1650]

Posted by Community Admin on 05-Aug-2018 10:37

All Replies

Posted by Community Admin on 15-Aug-2011 00:00

When not logged in, the order overview page doesn't give any results, which is obvious. However, the Order details and Invoice pages are hardcoded URLs (based on a GUID) and not secure whatsoever.

In my example:
http://sitefinity421650/orderpage/order/38638005-b23c-4b2f-8e28-07104f6bbae0/
http://sitefinity421650/orderpage/invoice/order/38638005-b23c-4b2f-8e28-07104f6bbae0/

One would have to guess the GUID naturally, but still these pages should be secured and only be viewable to the user whose orders it contains.

Setting Sitefinity permissions wouldn't work either, because they're role-based, which means customers could watch each other's orders.
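
The following sketch is an added example, not part of the original post and not Sitefinity code. It contrasts a lookup gated only by the GUID in the URL with a per-user ownership check, which is what role-based permissions cannot express. `Order`, `OrderStore` and both lookup methods are hypothetical names, and the data is constructed, reusing the order GUID from the URLs above.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; these are not Sitefinity APIs.
public sealed record Order(Guid Id, Guid OwnerUserId, decimal Total);

public sealed class OrderStore
{
    private readonly Dictionary<Guid, Order> _orders = new();

    public void Add(Order order) => _orders[order.Id] = order;

    // Behaviour described in the post: the GUID in the URL is the only gate.
    public Order? FindByIdOnly(Guid orderId) =>
        _orders.TryGetValue(orderId, out var order) ? order : null;

    // Per-user check: the caller must be authenticated AND own the order.
    // "Missing" and "not yours" both return null, so the page can answer 404
    // in either case and never confirm that a given GUID exists.
    public Order? FindForUser(Guid orderId, Guid? currentUserId)
    {
        if (currentUserId is null) return null;                  // anonymous visitor
        if (!_orders.TryGetValue(orderId, out var order)) return null;
        return order.OwnerUserId == currentUserId.Value ? order : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: two customers who share the same role.
        var alice = Guid.NewGuid();
        var bob = Guid.NewGuid();
        var orderId = Guid.Parse("38638005-b23c-4b2f-8e28-07104f6bbae0");
        var store = new OrderStore();
        store.Add(new Order(orderId, alice, 49.95m));

        // URL-only lookup succeeds for any visitor who has the link.
        Console.WriteLine($"URL only:   {store.FindByIdOnly(orderId) is not null}");
        // Ownership lookup: anonymous, another customer, then the owner.
        Console.WriteLine($"anonymous:  {store.FindForUser(orderId, null) is not null}");
        Console.WriteLine($"other user: {store.FindForUser(orderId, bob) is not null}");
        Console.WriteLine($"owner:      {store.FindForUser(orderId, alice) is not null}");
    }
}
```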

Posted by Community Admin on 18-Aug-2011 00:00

Hi Jochem,

Thank you for reporting this issue. We have verified the issue, and it will be fixed with the service pack release.

Kind regards,

Venkata Koppaka
the Telerik team

Posted by Community Admin on 18-Aug-2011 00:00

Hi Venkata

When is the service pack due?

Cheers
Richard

Posted by Community Admin on 18-Aug-2011 00:00

Hi Venkata,

Thanks!

This thread is closed