[Issue] Only deny customer access to order if it actually exists #38650
Comments
Hi @engcom-November. Thank you for working on this issue.
Hello @indykoning, thank you for the report and collaboration! Could you elaborate on the issue and also let us know the impact of the issue, the steps to reproduce and the use case?
In our specific use case a project wanted randomised order increment ids.
(Note that we are purposefully not catching NoSuchEntityException, as the function is designed to always return an order: either an existing one or a new one.)
Which calls
Since a completely empty Order model is returned (which it should), the authorisation check referenced in the PR fails because it tries to check a customer id which does not exist.
By checking whether the Order exists in the first place before doing the security check, we prevent this exception.
Hello @indykoning, thank you for the detailed explanation. Looks like you are returning an empty order, due to which Thank you.
This issue is automatically created based on existing pull request: #38647: Only deny customer access to order if it actually exists
Description (*)
This allows loading nonexistent orders by customer.
Before: loading an empty order as a customer would trigger this check, resulting in "No such entity with orderId = ", as there is no orderId yet because the order doesn't exist yet.
Which means the order should be allowed.
After: loading an empty order results in the empty order being returned; if it is a pre-existing order, the old checks apply.
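The before/after behaviour described above, as an added example written for this issue (it is not the code of PR #38647 or Magento's own repository plugin); the `Order` class, `NoSuchEntityException` and the two `authorize*` functions are simplified stand-ins for the real classes:

```php
<?php
declare(strict_types=1);
// Hypothetical stand-in for the order model (not Magento's class), reduced
// to the two fields the ownership check reads.
final class Order
{
    public function __construct(private ?int $entityId = null, private ?int $customerId = null) {}
    public function getEntityId(): ?int { return $this->entityId; }
    public function getCustomerId(): ?int { return $this->customerId; }
}

final class NoSuchEntityException extends RuntimeException {}

// Before: the ownership check runs on every loaded order, including the empty
// model returned when no order with that increment id exists. That model has
// no customer id, so the comparison fails and a misleading
// "No such entity with orderId = " (with no id) is thrown.
function authorizeBefore(Order $order, int $currentCustomerId): Order
{
    if ($order->getCustomerId() !== $currentCustomerId) {
        throw new NoSuchEntityException(
            'No such entity with orderId = ' . (string) $order->getEntityId()
        );
    }
    return $order;
}

// After: an order that was never persisted (no entity id) carries no data to
// protect and is returned as-is; a persisted order must still belong to the
// current customer. Key the existence test on the entity id, not on a missing
// customer id, so a stored order with a null customer id cannot bypass it.
function authorizeAfter(Order $order, int $currentCustomerId): Order
{
    if ($order->getEntityId() === null) {
        return $order;
    }
    return authorizeBefore($order, $currentCustomerId);
}

// Constructed samples for customer 7: empty model, own order, someone else's.
// Only the last one is rejected after the fix; before it, the first was too.
foreach ([new Order(), new Order(101, 7), new Order(102, 8)] as $order) {
    try {
        authorizeAfter($order, 7);
        echo 'allowed: ', var_export($order->getEntityId(), true), "\n";
    } catch (NoSuchEntityException $e) {
        echo 'denied: ', $e->getMessage(), "\n";
    }
}
```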