There's a TODO item about this in the code, but it's critical enough to warrant an issue for tracking purposes... otherwise who knows how long it'll go before getting fixed. The only access check on checkout pages is user_access('access content'), so anonymous users can guess order IDs and checkout anyone's order. ; )
Comments
Comment #1
rszrama commented: Ok, so all I did was change it from access content to access checkout, which already existed. I also updated the commerce_checkout_access() function to fix a few edge cases that didn't exist (but I will be spawning a separate issue to make this extensible). At the same time, I added a hook_commerce_checkout_router() to give other modules a chance to act on the routing once access has been determined and the order is ensured to not be empty. I did this so a contributed module could do something like redirect anonymous users to register / login before proceeding to checkout. In this case, you'd have to ensure anonymous users have permission to access checkout but would use the router to send them to login first.
Commit: http://github.com/rszrama/drupalcommerce/commit/a3a35a424ba7c9d205fbe864...
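A sketch of the two pieces this comment describes, as an added example that is not Drupal Commerce's own code: the checkout access callback moved from the broad 'access content' permission to 'access checkout' plus an ownership check on the order, and a router hook that sends anonymous users to login first. The function names, the session key used for anonymous carts and the hook signature are assumptions.

```php
<?php
// Added example, not code from the Drupal Commerce module.

// Weak form the issue reports: anyone who may view content passes, so the
// order ID in the URL is the only thing standing between users' orders.
function example_checkout_access_weak($order, $account = NULL) {
  return user_access('access content', $account);
}

// Hardened form: a dedicated permission AND the order must belong to the
// requesting account (or, for anonymous users, to their cart session).
function example_checkout_access($order, $account = NULL) {
  global $user;
  if (empty($account)) {
    $account = $user;
  }
  // Use the existing, narrower 'access checkout' permission.
  if (!user_access('access checkout', $account)) {
    return FALSE;
  }
  // Authenticated users may only check out orders they own.
  if (!empty($account->uid)) {
    return (int) $order->uid === (int) $account->uid;
  }
  // Anonymous users may only check out an order tied to their own session.
  return example_order_in_session($order->order_id);
}

// Hypothetical helper: the session key is an assumption, not the module's.
function example_order_in_session($order_id) {
  return isset($_SESSION['example_cart_orders'])
    && in_array((int) $order_id, $_SESSION['example_cart_orders'], TRUE);
}

/**
 * Implements hook_commerce_checkout_router() (signature assumed).
 *
 * Runs after access has been granted and the order is known to be non-empty;
 * here it sends anonymous users to log in and then back to checkout.
 */
function example_commerce_checkout_router($order, $checkout_page) {
  global $user;
  if (empty($user->uid)) {
    drupal_goto('user/login', array('query' => drupal_get_destination()));
  }
}
```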
Comment #2
rszrama commented: Aaaand added. #946954: Make commerce_checkout_access() extensible