Order & invoice details not secure [4.2.1650]

4 posts, 1 answered
  1. Jochem Bökkers
    787 posts
    Registered:
    13 Aug 2007
    15 Aug 2011
    When not logged in, the order overview page doesn't give any results, which is obvious. However, the Order details and Invoice pages are hardcoded URLs (based on a GUID) and not secure whatsoever.

    In my example:
    http://sitefinity421650/orderpage/order/38638005-b23c-4b2f-8e28-07104f6bbae0/
    http://sitefinity421650/orderpage/invoice/order/38638005-b23c-4b2f-8e28-07104f6bbae0/

    One would have to guess the GUID naturally, but still these pages should be secured and only be viewable to the user whose orders it contains.

    Setting Sitefinity permissions wouldn't work either, because they're role-based, which means customers could watch each other's orders.
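
The gap described in the post above, as an added example that is not part of the original post and not Sitefinity code: a role-only check next to a per-order ownership check. The `Order` type, the `OrderAccess` class and the role names `Customer` and `OrderManager` are hypothetical, and matching on user name is an assumption (a stable user ID is preferable where the order stores one).

```csharp
using System;
using System.Security.Principal;

// Hypothetical order record; not a Sitefinity type.
public sealed class Order
{
    public Guid Id { get; set; }
    public string CustomerUserName { get; set; }
}

public static class OrderAccess
{
    // Role check only: every logged-in customer passes, so one customer can
    // open another customer's order or invoice once its GUID is known.
    public static bool RoleOnly(IPrincipal user, Order order)
    {
        return user.Identity.IsAuthenticated && user.IsInRole("Customer");
    }

    // Ownership check: anonymous requests are rejected, and a customer only
    // sees orders recorded under their own account. Staff access is a
    // separate, explicit role (hypothetical name).
    public static bool OwnerOrStaff(IPrincipal user, Order order)
    {
        if (order == null || !user.Identity.IsAuthenticated) return false;
        if (user.IsInRole("OrderManager")) return true;
        return string.Equals(order.CustomerUserName, user.Identity.Name,
                             StringComparison.OrdinalIgnoreCase);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: one order owned by "alice".
        var order = new Order { Id = Guid.NewGuid(), CustomerUserName = "alice" };
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Customer" });
        var bob = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Customer" });
        // An empty name makes GenericIdentity report IsAuthenticated == false.
        var anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        foreach (var user in new IPrincipal[] { alice, bob, anon })
        {
            Console.WriteLine("{0,-6} role-only={1,-5} owner-check={2}",
                user.Identity.Name == "" ? "(anon)" : user.Identity.Name,
                OrderAccess.RoleOnly(user, order),
                OrderAccess.OwnerOrStaff(user, order));
        }
    }
}
```

The same check applies to both the order details and the invoice routes, since both are addressed by the same order GUID.
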
  2. Venkata Koppaka
    67 posts
    Registered:
    24 Sep 2012
    18 Aug 2011
    Hi Jochem,

    Thank you for reporting this issue. We have verified the issue, and it will be fixed with the service pack release.

    Kind regards,
    Venkata Koppaka
    the Telerik team
    Answered
  3. Richard
    164 posts
    Registered:
    21 Nov 2009
    18 Aug 2011
    Hi Venkata

    When is the service pack due?

    Cheers
    Richard
  4. Jochem Bökkers
    787 posts
    Registered:
    13 Aug 2007
    18 Aug 2011
    Hi Venkata,

    Thanks!