Hi all,

I'm working on erpal to help me in managing my quotes and invoices.

I was trying to create an access for my customers and I saw that the invoices are accessible to any user (anonymous too) just by using this URL: https://xxxxx.com/invoice/11

I don't understand how this could be possible (no rights are given to anonymous users), nor how I could give my customers access to a complete dashboard.

Thx for your answers.

Comments

cassien created an issue.

ChoY’s picture

Hi Cassien, you are absolutely right. This is a very serious security bug; I checked it out. The same happens to all quotes and orders.
I therefore consider it something linked to the interaction between ERPAL Platform and Commerce (where quotes and invoices are defined as "orders"). It should be urgently corrected with a patch or a distribution update, but in the last month I made the sad experience that the developer team behind it does not actively contribute to ERPAL Platform issues any more.
Therefore, here is my short-term quick solution for you and others still using ERPAL Platform:

Just add the following rule, which redirects anonymous users to the ERPAL Platform login page (*/home). After activating this rule, clear the cache and all order types are no longer accessible to anonymous users. But as I said, it is a quick solution, not a good one.

{ "rules_hide_commerce_orders" : {
    "LABEL" : "Hide Commerce orders",
    "PLUGIN" : "reaction rule",
    "OWNER" : "rules",
    "REQUIRES" : [ "rules", "entity" ],
    "ON" : { "commerce_order_view" : [] },
    "IF" : [
      { "user_has_role" : {
          "account" : [ "site:current-user" ],
          "roles" : { "value" : { "1" : "1" } }
        }
      }
    ],
    "DO" : [ { "redirect" : { "url" : "user\/login?destination=home" } } ]
  }
}

Kind Regards
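The rule above fires on commerce_order_view, i.e. after the order has already been loaded and access has been granted, so it only catches the page view and not other places an order can be rendered. A stricter alternative is to deny access in the entity-access layer itself. The following is an added example, not ERPAL's or Commerce's own code; it assumes Drupal 7 with Drupal Commerce 1.x, where commerce_entity_access() invokes hook_commerce_entity_access() and denies as soon as any module returns FALSE, and it uses a hypothetical custom module name, erpal_order_lockdown.

```php
<?php
// Added example for a hypothetical custom module "erpal_order_lockdown".
// Assumes Drupal 7 + Drupal Commerce 1.x: commerce_entity_access() calls
// hook_commerce_entity_access() and denies when any implementation returns FALSE.

/**
 * Implements hook_commerce_entity_access().
 *
 * Closes the anonymous access hole for orders (ERPAL quotes and invoices are
 * order types) at the access layer instead of redirecting after the fact.
 */
function erpal_order_lockdown_commerce_entity_access($op, $entity, $account, $entity_type) {
  // Only orders are of interest here; leave every other entity type untouched.
  if ($entity_type != 'commerce_order') {
    return NULL;
  }
  // Commerce passes NULL for $account to mean the current user.
  if (!isset($account)) {
    $account = $GLOBALS['user'];
  }
  // Anonymous users never get any operation on an order, whatever other
  // modules or permissions would grant.
  if (empty($account->uid)) {
    return FALSE;
  }
  // $entity is NULL for 'create'; nothing owner-specific to check there.
  if (empty($entity)) {
    return NULL;
  }
  // Authenticated users without Commerce's administer permission may only
  // view orders they own; this stops customer A from opening customer B's invoice.
  if ($op == 'view'
      && !user_access('administer commerce_order entities', $account)
      && $entity->uid != $account->uid) {
    return FALSE;
  }
  // Neither grant nor deny: fall through to Commerce's normal permission checks.
  return NULL;
}
```

Because the decision is made in entity access rather than in a view reaction, it also covers non-page paths such as Views listings that respect entity access, and no cache clear is needed beyond enabling the module.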

cassien’s picture

Hi ChoY,
Thanks for your answer.
I think that I'm going to use ERPAL locally first...
Sad that this project is not maintained anymore; it suited my needs perfectly.