Skip to content
This repository has been archived by the owner on Nov 17, 2023. It is now read-only.

Any customer can access any other customers' orders? #2084

Open
jgschis opened this issue Apr 11, 2023 · 2 comments
Open

Any customer can access any other customers' orders? #2084

jgschis opened this issue Apr 11, 2023 · 2 comments

Comments

@jgschis
Copy link

jgschis commented Apr 11, 2023

In in the orders controller, there is a method to get an order by its id. It seems like any logged in customer could pass any order id, and the system would return it. Shouldn't the API enforce that only orders belonging to the logged in customer be returned?

method:
GetOrderAsync

file:
https://github.com/dotnet-architecture/eShopOnContainers/blob/dev/src/Services/Ordering/Ordering.API/Controllers/OrdersController.cs

 [Route("{orderId:int}")]
    [HttpGet]
    [ProducesResponseType(typeof(Order), (int)HttpStatusCode.OK)]
    [ProducesResponseType((int)HttpStatusCode.NotFound)]
    public async Task<ActionResult> GetOrderAsync(int orderId)
    {
        try
        {
            //Todo: It's good idea to take advantage of GetOrderByIdQuery and handle by GetCustomerByIdQueryHandler
            //var order customer = await _mediator.Send(new GetOrderByIdQuery(orderId));
            var order = await _orderQueries.GetOrderAsync(orderId);

            return Ok(order);
        }
        catch
        {
            return NotFound();
        }
    }
@behdad088
Copy link

Hi @jgschis
The primary focus of this project appears to be centered around architectural solutions, specifically in the realm of building and effectively managing microservices using .NET Core. However, it is worth noting that certain critical aspects, such as Authorization, have not been adequately addressed or implemented.

@Parashoe
Copy link

Parashoe commented Oct 29, 2023

Confused me as well. I'm using eShopOnContainers as a reference to learn production practices in ASP.NET and assumed proper authorization was being done. It led to a couple hours of head scratching looking if this was checked on the gateway or somehow I wasn't seeing: it "was magical" 😛.

Turns out any authenticated user can not only view but edit/cancel any order. Perhaps a comment authorization isn't implemented would be helpful.

Here are the docs on resource based authorization.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants