Forums / Setup & design / Shop module
Lars Eirik R
Wednesday 17 March 2010 6:06:13 am
Hi, we are working with a client and have set up the webshop functionality locally.
I have some important questions which I would like you to answer.
One of the main problems we are facing is the fact that I may easily view other users' orders. If I am not logged in (anonymous), I may still view all orders placed in the system by going to the URL /shop/orderview/<number>
This has to be incorrect?
Are there any smart solutions I should apply, or is this related to access control?
Any help is greatly appreciated.
Jean-Luc Nguyen
Wednesday 17 March 2010 7:27:53 am
Hello,
Does your anonymous user have a specific role?
http://www.acidre.com
Wednesday 17 March 2010 9:50:52 am
Hm.. I guess assigning shop -> all functions is not the best for the shop module.. Will take a look at this later.
Thanks for getting back to me.
Wednesday 17 March 2010 10:20:17 am
Hm. Only assigning the function buy does not help.
I have to add that I have only tested this by accessing different orderview/<number> from the same computer.
But it seems strange that I can access another user's orders.
Also, I am not caching the website; all cache for templates and content is off.
Any ideas?
Thursday 18 March 2010 12:08:30 pm
Ignore this, as it seems the user was logged in.