Author Topic: Order detail permission  (Read 138 times)

Ohanys

  • Beginner
  • Posts: 5
Order detail permission
« on: November 10, 2017, 12:53:10 pm »
Hi,

I have a big security problem.

If I log in to my account, I can see the order history. I can click on an order and see its details. URL:

xxx.xx/order?order_number=1000

But if I rewrite the URL to any random existing order number, I can see it too! I can see all orders that were created without registration - THIS IS THE PROBLEM, I see users' information. If the order was created by a registered and logged-in user, access is denied - CORRECT.

Can you help me with how to set up the order history? Every user must see only his orders.

Thank you very much.

AH

  • Global Moderator
  • Sr. Member
  • Posts: 2625
  • VirtueMart Version: 3.2.5
Re: Order detail permission
« Reply #1 on: November 10, 2017, 18:46:30 pm »
VM version etc
regards
A

Joomla 3.8.2
php 5.6 + php 7

Ohanys

  • Beginner
  • Posts: 5
Re: Order detail permission
« Reply #2 on: November 11, 2017, 20:10:04 pm »
Joomla 3.8.2, VirtueMart 3.0.18

Venci Gentchev

  • Jr. Member
  • Posts: 153
    • Bulgarian Computer Store
Re: Order detail permission
« Reply #3 on: November 12, 2017, 07:26:18 am »
Every user sees only his orders, but the administrator can see everyone's. I do not see what problem that can be.
No pain, no gain, no site!
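
The access rule asked for in the first post, written out as an added example that is not part of the thread and is not VirtueMart's code. The function name, the `user_id` and `guest_token` fields and the sample orders are hypothetical, and PHP 7 is assumed.

```php
<?php
// Added illustration; NOT VirtueMart code. Field names (user_id, guest_token)
// and the function name are hypothetical.

/**
 * Decide whether the current visitor may view one order.
 *
 * @param array  $order         Row with 'user_id' (0 for guest checkout) and 'guest_token'
 * @param int    $sessionUserId Logged-in user id, 0 when not logged in
 * @param bool   $isAdmin       True for shop administrators
 * @param string $suppliedToken Per-order secret from the request, '' if absent
 */
function canViewOrder(array $order, int $sessionUserId, bool $isAdmin, string $suppliedToken = ''): bool
{
    if ($isAdmin) {
        return true; // administrators may see every order
    }
    $ownerId = (int) $order['user_id'];
    if ($ownerId > 0) {
        // Order placed by a registered user: only that user may open it.
        return $sessionUserId > 0 && $sessionUserId === $ownerId;
    }
    // Guest order: nobody owns it, so being logged in proves nothing.
    // Require the unguessable secret issued to the buyer at checkout,
    // compared in constant time.
    $expected = (string) ($order['guest_token'] ?? '');
    return $expected !== '' && $suppliedToken !== '' && hash_equals($expected, $suppliedToken);
}

// Constructed sample data.
$orders = [
    1000 => ['user_id' => 42, 'guest_token' => ''],
    1001 => ['user_id' => 0,  'guest_token' => bin2hex(random_bytes(16))],
];

// User 42 is logged in and changes order_number in the URL.
foreach ([1000, 1001] as $number) {
    $allowed = canViewOrder($orders[$number], 42, false);
    echo $number, ': ', $allowed ? 'show' : 'deny', PHP_EOL;
}
// The guest buyer opens a link that carries the token.
echo '1001 with token: ',
    canViewOrder($orders[1001], 0, false, $orders[1001]['guest_token']) ? 'show' : 'deny', PHP_EOL;
```

The point of the guest branch is that a sequential order number is an identifier, not a credential, so an order with no owning account needs its own secret before its details are shown.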