By using this link, /admin/commerce/orders/%/reorder, users can add the content of any order to their cart.

Comments

pcambra commented:

Priority: Normal » Critical

ikos commented:

Assigned: Unassigned » ikos

Hi,

Yes, critical one - won't be hard to fix though. I'll put a fix in tonight.

Richard

pcambra commented:

Status: Active » Needs review
Attached file (status: new, size: 603 bytes)

OK, this is happening only when the user has permission to see his own orders and also the reorder permission; then they can reorder whatever order they want from other users, not a best practice at all!

The problem is that drupal_access_denied() doesn't break the workflow of the code (I thought it did), and thus it throws an access denied but it reorders the thing anyway.

I've added a return and also removed the message, as in an access denied there's no further information to give; we don't want to give clues to malicious users, do we?

Patch attached for review; if it fixes the problem for you, I'll commit it right away.
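
The control-flow bug described in the comment above, sketched as an added example that is not part of the original thread or the module's own code. The callback names, the sample order and the `drupal_access_denied()` stub (a stand-in that, like the Drupal 7 function, sets the 403 response and then returns to its caller) are assumptions made so the snippet runs without Drupal.

```php
<?php
// Stand-in for Drupal 7's drupal_access_denied(): it marks the response
// as 403 and then returns to its caller. It does not exit or throw.
$response = array('status' => 200);
function drupal_access_denied() {
  global $response;
  $response['status'] = 403;
}

// Constructed sample data: order 7 belongs to uid 2.
$orders = array(7 => array('uid' => 2, 'items' => array('SKU-A', 'SKU-B')));
$cart = array();

// Hypothetical callback shaped like the bug described in the thread.
function reorder_vulnerable($order_id, $uid) {
  global $orders, $cart;
  $order = $orders[$order_id];
  if ($order['uid'] != $uid) {
    drupal_access_denied();
    // No return here: execution falls through to the copy below.
  }
  $cart[$uid] = $order['items'];
}

// Same callback with the return added, as the patch description says.
function reorder_fixed($order_id, $uid) {
  global $orders, $cart;
  $order = $orders[$order_id];
  if ($order['uid'] != $uid) {
    drupal_access_denied();
    return;
  }
  $cart[$uid] = $order['items'];
}

// uid 3 requests a reorder of uid 2's order through each variant.
reorder_vulnerable(7, 3);
var_dump($response['status'], isset($cart[3]));

// Reset state, then repeat the same request against the fixed callback.
$cart = array();
$response['status'] = 200;
reorder_fixed(7, 3);
var_dump($response['status'], isset($cart[3]));
```

Comparing the two `var_dump()` pairs shows why the response status alone is not evidence that the denied action was skipped: the side effect has to be checked as well.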

dawick commented:

Status: Needs review » Reviewed & tested by the community

Patch solves the issue, thanks for the quick fix.

Rgds,

Koen

pcambra commented:

Status: Reviewed & tested by the community » Fixed

Let's commit this then as it is something urgent to fix.

dawick, thanks for the report and the feedback!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.