Order & invoice details not secure [4.2.1650] - Ecommerce - Ecommerce - Progress Community

  • When not logged in, the order overview page doesn't give any results, which is obvious. However, the Order details and Invoice pages are hardcoded URLs (based on a GUID) and not secure whatsoever.

    In my example:
    http://sitefinity421650/orderpage/order/38638005-b23c-4b2f-8e28-07104f6bbae0/
    http://sitefinity421650/orderpage/invoice/order/38638005-b23c-4b2f-8e28-07104f6bbae0/

    One would have to guess the GUID naturally, but still these pages should be secured and only be viewable to the user whose orders it contains.

    Setting Sitefinity permissions wouldn't work either, because they're role based, which means customers could watch each other's orders.
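
The per-order ownership check the post above asks for, next to the role-only check it says is insufficient. This is an added example, not part of the original thread and not Sitefinity code; every type, role and method name in it (`Order`, `OrderAccess`, `Customers`, `OrderAdmins`) is hypothetical.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Constructed model: hypothetical names, not Sitefinity types.
public sealed record Order(Guid Id, Guid CustomerId, decimal Total);

public static class OrderAccess
{
    // Role-only check, as with role-based page permissions:
    // every user in the "Customers" role passes for every order.
    public static bool RoleOnly(ISet<string> roles) => roles.Contains("Customers");

    // Object-level check: the caller must be authenticated AND own the order.
    // A staff role that legitimately sees all orders is allowed explicitly.
    public static bool CanView(Guid? userId, ISet<string> roles, Order order)
    {
        if (userId is null) return false;                 // anonymous: never
        if (roles.Contains("OrderAdmins")) return true;   // hypothetical back-office role
        return order.CustomerId == userId.Value;          // owner only
    }

    // Returns the order, or null for "missing" and "not yours" alike, so the
    // response does not confirm which GUIDs exist.
    public static Order? Find(IDictionary<Guid, Order> store, Guid orderId,
                              Guid? userId, ISet<string> roles)
    {
        return store.TryGetValue(orderId, out var order) && CanView(userId, roles, order)
            ? order
            : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        Guid alice = Guid.NewGuid(), bob = Guid.NewGuid();      // constructed users
        var order = new Order(Guid.NewGuid(), alice, 49.95m);   // constructed sample order
        var store = new Dictionary<Guid, Order> { [order.Id] = order };
        var customer = new HashSet<string> { "Customers" };
        var nobody = new HashSet<string>();

        Console.WriteLine($"anonymous sees order: {OrderAccess.Find(store, order.Id, null, nobody) != null}");
        Console.WriteLine($"bob passes role check: {OrderAccess.RoleOnly(customer)}");
        Console.WriteLine($"bob sees alice's order: {OrderAccess.Find(store, order.Id, bob, customer) != null}");
        Console.WriteLine($"alice sees own order: {OrderAccess.Find(store, order.Id, alice, customer) != null}");
    }
}
```

The same lookup has to guard both the order details and the invoice URLs, since both are addressed by the same order GUID.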
  • Hi Jochem,

    Thank you for reporting this issue. We have verified the issue, and it will be fixed with the service pack release.

    Kind regards,
    Venkata Koppaka
    the Telerik team
  • Hi Venkata

    When is the service pack due?

    Cheers
    Richard
  • Hi Venkata,

    Thanks!