We've had a client contact us about one of their customers gaining FULL access to their Ubercart shop.

They chose a product, filled in the checkout details, selected PayPal as payment choice and were redirected to PayPal to pay. He then clicked BACK on his browser to change his order. When he returned back to the site he found that he was logged in as an Administrator and had access to ALL of the shop's customer details, etc.

This is the second time this has happened over the past 5 months. We've not been able to replicate the issue though.

Can anyone shed some light on this issue?

Thanks.

Comments

cha0s

Status: Active » Postponed (maintainer needs more info)

Personally, I've never seen anything like this. I'm a bit skeptical, honestly.

Even assuming this bug was present, I don't see how Ubercart would be causing a user access issue; I think it would be more of a Drupal issue.

(Can't reproduce)

P.S. I'd ask this user for screenshots, again because I'm skeptical.

torgospizza

We had this issue happen once during the Alpha and Beta stages, but it wasn't an Ubercart issue. Check your access permissions for uc_order, and make sure "authenticated users" do NOT have access to "view all orders".

psynaptic

We just had something like this where the user could edit nodes, view orders and potentially access credit card details (but we don't store them).

It turns out that someone had enabled permissions for all these things for authenticated users. Epic facepalm.

Island Usurper

Component: Website » Code
Assigned: phumo11 » Unassigned
Status: Postponed (maintainer needs more info) » Closed (won't fix)

Sounds to me like it's not something I can do anything about. I can only do so much with user errors.