From d5af9cbbe2ae0a8af8a6dfe5ce9aea439298dd82 Mon Sep 17 00:00:00 2001 From: Tom Dallimore Date: Fri, 21 Oct 2016 13:18:16 +0700 Subject: [PATCH] Finished tightening security for the order success and failed actions. --- app/controllers/concerns/cart_builder.rb | 4 ++++ app/controllers/orders_controller.rb | 12 ++++-------- config/initializers/session_store.rb | 6 +++++- lib/payatron_4000.rb | 4 ---- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/app/controllers/concerns/cart_builder.rb b/app/controllers/concerns/cart_builder.rb index 088da3d8b..ab498e640 100644 --- a/app/controllers/concerns/cart_builder.rb +++ b/app/controllers/concerns/cart_builder.rb @@ -18,5 +18,9 @@ def set_cart_totals def set_grouped_countries @grouped_countries = [Country.popular.map{ |country| [country.name, country.id] }, Country.all.order('name ASC').map{ |country| [country.name, country.id] }] end + + def set_order_id_session + session[:order_id] = @order.id + end end end \ No newline at end of file diff --git a/app/controllers/orders_controller.rb b/app/controllers/orders_controller.rb index ff60c3968..e232b094a 100644 --- a/app/controllers/orders_controller.rb +++ b/app/controllers/orders_controller.rb @@ -15,7 +15,7 @@ def complete end def success - set_success_order + set_session_order if @order.latest_transaction.pending? || @order.latest_transaction.completed? render theme_presenter.page_template_path('orders/success'), layout: theme_presenter.layout_template_path else @@ -26,7 +26,7 @@ def success end def failed - set_failed_order + set_session_order if @order.latest_transaction.failed? render theme_presenter.page_template_path('orders/failed'), layout: theme_presenter.layout_template_path else 
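Review bot: `set_order_id_session` reads `@order.id` without checking that `@order` has been loaded, and nothing in this concern ever removes the key, so the id written here stays in the session until it is overwritten or the session expires (the session store configured in this same patch sets 24 hours). Document the precondition so the helper is not called before the order exists: `# Remembers the order being paid so orders#success / orders#failed can find it; caller must have set @order.` Since the session is now the only thing tying a browser to an order, the protection of the session-id cookie (config/initializers/session_store.rb) carries that trust and deserves a cross-reference in the same comment. The enclosing module header is outside the hunk.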
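Review bot: `success` now renders whatever order `session[:order_id]` points at, but the commit does not clear the key after the confirmation page is shown, so for the rest of the session's lifetime any request to this action resolves to the same order; if the page is meant to be one-shot, `session.delete(:order_id)` after a successful render closes that (at the cost of a browser refresh no longer working), otherwise the lookup should be scoped to the current customer or cart rather than the id alone. A visitor with no order in the session reaches `find(nil)`, which raises `ActiveRecord::RecordNotFound` instead of redirecting — fine if a 404 is intended, but a comment such as `# Direct visit with no order in the session -> RecordNotFound (404)` would make that deliberate. The body of `success` continues past the hunk.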
@@ -53,12 +53,8 @@ def destroy private - def set_success_order - @order = Order.active.includes(:delivery_address).find(Rails.cache.read("#{Store.settings.name}_success_order_id")) - end - - def set_failed_order - @order = Order.active.includes(:transactions).find(Rails.cache.read("#{Store.settings.name}_failed_order_id")) + def set_session_order + @order = Order.active.includes(:delivery_address).find(session[:order_id]) end def set_order diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index 447fbbafd..436c6dc5a 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -1,7 +1,11 @@ # Be sure to restart your server when you modify this file. # Trado::Application.config.session_store :cookie_store, key: '_trado_session' -Trado::Application.config.session_store ActionDispatch::Session::CacheStore +Trado::Application.config.session_store( + ActionDispatch::Session::CacheStore, + key: '_trado_session', + expire_after: 24.hours +) # Use the database for sessions instead of the cookie-based default, # which shouldn't be used to store highly confidential information diff --git a/lib/payatron_4000.rb b/lib/payatron_4000.rb index 7d63515f8..d2e972667 100644 --- a/lib/payatron_4000.rb +++ b/lib/payatron_4000.rb @@ -48,9 +48,5 @@ def order_pay_provider_valid? order, params Modulatron4000.stripe? && order.stripe_customer_id.present? end end - - def set_order_id_session order_id, status - Rails.cache.write("#{Store.settings.name}_#{status}_order_id", order_id, expires_in: 1.hour) - end end end \ No newline at end of file
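Review bot: `set_session_order` keeps only `includes(:delivery_address)`, yet both callers immediately evaluate `@order.latest_transaction`, which the removed `set_failed_order` eager-loaded with `includes(:transactions)`; unless `latest_transaction` avoids the association, the merge trades an eager load for an extra query on the failed path. If both are wanted, `Order.active.includes(:delivery_address, :transactions).find(session[:order_id])` restores the previous loading for both callers. The helper should also say what it trusts: `# Looks up the order recorded by set_order_id_session; the server-side session is the only binding between this browser and the order, there is no customer scope here.`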
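Review bot: the new `session_store` options set `key` and `expire_after` but no `secure:` attribute, so the `_trado_session` cookie — which after this patch is the only link between a browser and its order — is also sent over plain HTTP unless TLS is forced elsewhere; `secure: Rails.env.production?` closes that (`httponly` is the Rails default, but confirm for the Rails version in use). Two more caveats are worth a comment: with `ActionDispatch::Session::CacheStore` every session is lost when the cache is cleared (or, with an in-process cache, when the server restarts), and the context comment that follows (`Use the database for sessions instead of the cookie-based default`) no longer describes what is configured. Something like `# Server-side session store: the cookie holds only an opaque id; order ids live here, never in the cookie.` would replace it accurately.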