This repository has been archived by the owner on Nov 17, 2023. It is now read-only.
In the orders controller, there is a method to get an order by its id. It seems like any logged in customer could pass any order id, and the system would return it. Shouldn't the API enforce that only orders belonging to the logged in customer be returned?
```csharp
[Route("{orderId:int}")]
[HttpGet]
[ProducesResponseType(typeof(Order), (int)HttpStatusCode.OK)]
[ProducesResponseType((int)HttpStatusCode.NotFound)]
public async Task<ActionResult> GetOrderAsync(int orderId)
{
    try
    {
        //Todo: It's good idea to take advantage of GetOrderByIdQuery and handle by GetCustomerByIdQueryHandler
        //var order customer = await _mediator.Send(new GetOrderByIdQuery(orderId));
        var order = await _orderQueries.GetOrderAsync(orderId);
        return Ok(order);
    }
    catch
    {
        return NotFound();
    }
}
```
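For comparison, here is an ownership-scoped variant of the same action. This is an added example, not code from eShopOnContainers; it assumes an injected `_identityService.GetUserIdentity()` that returns the authenticated caller's user id, and a hypothetical `GetOrderForBuyerAsync(orderId, buyerId)` query (table and column names below are likewise assumptions) that returns `null` both when the order does not exist and when it belongs to another buyer.

```csharp
// Added example (not the project's code): GetOrderAsync with the buyer taken from the
// authenticated principal and the lookup scoped to that buyer, so an arbitrary orderId
// from another customer yields 404 instead of their order.
[Route("{orderId:int}")]
[HttpGet]
[ProducesResponseType(typeof(Order), (int)HttpStatusCode.OK)]
[ProducesResponseType((int)HttpStatusCode.NotFound)]
public async Task<ActionResult> GetOrderAsync(int orderId)
{
    // Assumption: _identityService exposes the caller's identity from the validated token.
    // The buyer id must come from the principal, never from a query string or body field.
    var buyerId = _identityService.GetUserIdentity();
    if (string.IsNullOrEmpty(buyerId))
    {
        return Unauthorized();
    }

    // Hypothetical query: filters on BOTH order id and owning buyer in one statement.
    var order = await _orderQueries.GetOrderForBuyerAsync(orderId, buyerId);
    if (order is null)
    {
        // Identical response for "no such order" and "not your order", so the endpoint
        // does not confirm which order ids exist.
        return NotFound();
    }

    return Ok(order);
}

// Hypothetical query implementation in the Dapper style the project's read side uses.
// Table and column names (ordering.Orders, ordering.Buyers, IdentityGuid) are assumptions.
public async Task<Order> GetOrderForBuyerAsync(int orderId, string buyerIdentityGuid)
{
    using var connection = new SqlConnection(_connectionString);
    connection.Open();

    // The ownership predicate lives in the WHERE clause, not in a post-filter that a
    // later refactor could drop; parameters keep the input out of the SQL text.
    var row = await connection.QuerySingleOrDefaultAsync<Order>(
        @"SELECT o.Id AS OrderNumber, o.OrderDate AS Date, os.Name AS Status
          FROM ordering.Orders o
          JOIN ordering.Buyers b ON o.BuyerId = b.Id
          JOIN ordering.OrderStatus os ON o.OrderStatusId = os.Id
          WHERE o.Id = @orderId AND b.IdentityGuid = @buyerIdentityGuid",
        new { orderId, buyerIdentityGuid });

    return row; // null when the order is missing or owned by someone else
}
```

The same pattern applies to the cancel and ship endpoints mentioned below: resolve the buyer from the token and scope the command or query to it, rather than trusting the order id alone.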
Hi @jgschis
The primary focus of this project appears to be centered around architectural solutions, specifically in the realm of building and effectively managing microservices using .NET Core. However, it is worth noting that certain critical aspects, such as Authorization, have not been adequately addressed or implemented.
Confused me as well. I'm using eShopOnContainers as a reference to learn production practices in ASP.NET and assumed proper authorization was being done. It led to a couple of hours of head scratching looking for whether this was checked on the gateway or whether I somehow wasn't seeing it: it "was magical" 😛.
Turns out any authenticated user can not only view but edit/cancel any order. Perhaps a comment that authorization isn't implemented would be helpful.
Method: `GetOrderAsync`
File: https://github.com/dotnet-architecture/eShopOnContainers/blob/dev/src/Services/Ordering/Ordering.API/Controllers/OrdersController.cs