From 072fbb8f3c98e2895216469f54ae35f117eb1484 Mon Sep 17 00:00:00 2001
From: Artem Dudarev
Date: Wed, 18 Sep 2024 17:05:44 +0200
Subject: [PATCH] fix: Add missing authorization to some endpoints (#431)

---
 .../Controllers/Api/OrderModuleController.cs | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/VirtoCommerce.OrdersModule.Web/Controllers/Api/OrderModuleController.cs b/src/VirtoCommerce.OrdersModule.Web/Controllers/Api/OrderModuleController.cs
index 14b08cbb..19d3bb06 100644
--- a/src/VirtoCommerce.OrdersModule.Web/Controllers/Api/OrderModuleController.cs
+++ b/src/VirtoCommerce.OrdersModule.Web/Controllers/Api/OrderModuleController.cs
@@ -621,6 +621,12 @@ public async Task GetInvoicePdf(string orderNumber)
 throw new InvalidOperationException($"Cannot find order with number {orderNumber}");
 }
 
+ var authorizationResult = await _authorizationService.AuthorizeAsync(User, order, new OrderAuthorizationRequirement(ModuleConstants.Security.Permissions.Read));
+ if (!authorizationResult.Succeeded)
+ {
+ return Forbid();
+ }
+
 var notification = await _notificationSearchService.GetNotificationAsync(new TenantIdentity(order.StoreId, nameof(Store)));
 notification.CustomerOrder = order;
 notification.LanguageCode = order.LanguageCode;
@@ -718,6 +724,12 @@ public ActionResult GetOrderFullTextSearchEnabled()
 [Route("indexed/search")]
 public async Task> SearchCustomerOrderIndexed([FromBody] CustomerOrderIndexedSearchCriteria criteria)
 {
+ var authorizationResult = await _authorizationService.AuthorizeAsync(User, criteria, new OrderAuthorizationRequirement(ModuleConstants.Security.Permissions.Read));
+ if (!authorizationResult.Succeeded)
+ {
+ return Forbid();
+ }
+
 var result = await _indexedSearchService.SearchCustomerOrdersAsync(criteria);
 return Content(JsonConvert.SerializeObject(result, _outputJsonSerializerSettings), "application/json");
 }
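Review bot: The new authorization check in GetInvoicePdf runs after the order-existence guard, so a caller without Read permission on the order receives `return Forbid();` for an order number that exists but still reaches `throw new InvalidOperationException($"Cannot find order with number {orderNumber}")` for one that does not, which lets order numbers be probed for existence without authorization. Consider responding uniformly in both cases, for example returning the same not-found style result (`return NotFound();`) when the resource-based check fails as when the order is missing, or verifying the Read permission before the order is loaded. How the thrown InvalidOperationException is surfaced to the client depends on the controller's exception handling, which is not visible here. GetInvoicePdf starts and ends outside the hunk.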
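Review bot: In SearchCustomerOrderIndexed the resource handed to AuthorizeAsync is the incoming search criteria rather than an order, so whether the results are narrowed to what the caller may see depends on what the OrderAuthorizationRequirement handler does with the criteria, and that is not visible in this hunk. If the handler only verifies the Read permission, the search still returns every matching order, so it is worth confirming that it also scopes the criteria before relying on this check; a short comment above the call would record that expectation, e.g. `// The authorization handler is expected to scope criteria to orders the caller may read; confirm before relying on it.` The result is serialized unchanged on the line after the search, so no further filtering happens in this method.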