Fix permission for checkoutCustomerAttach mutation #5192
Here is the report for 7df2877 (maarcingebala/saleor @ fix-checkout-attach-user-permissions). No differences were found.
# api.benchmark checkout

| test name | left count | right count | duplicate count |
|---|---|---|---|
| add billing address to checkout | 34 | 34 | 20 |
| add shipping to checkout | 7 | 7 | 0 |
| checkout payment charge | 10 | 10 | 0 |
| complete checkout | 8 | 8 | 0 |
| create checkout | 5 | 5 | 1 |

# api.benchmark homepage

| test name | left count | right count | duplicate count |
|---|---|---|---|
| retrieve main menu | 5 | 5 | 0 |
| retrieve product list | 4 | 4 | 0 |
| retrieve secondary menu | 5 | 5 | 0 |
| retrieve shop | 2 | 2 | 0 |

# api.benchmark product

| test name | left count | right count | duplicate count |
|---|---|---|---|
| product details | 18 | 18 | 4 |
| retrieve product attributes | 9 | 9 | 0 |

# api.benchmark variant

| test name | left count | right count | duplicate count |
|---|---|---|---|
| product variant bulk create | 51 | 51 | 3 |
| retrieve variant list | 23 | 23 | 9 |

# api product sorting attributes

| test name | left count | right count | duplicate count |
|---|---|---|---|
| sort product not having attribute data | 21 | 21 | 0 |
Codecov Report

```diff
@@            Coverage Diff             @@
##           master    #5192      +/-   ##
==========================================
- Coverage   91.81%   91.81%   -0.01%
==========================================
  Files         270      270
  Lines       17491    17503      +12
  Branches     1513     1516       +3
==========================================
+ Hits        16060    16071      +11
  Misses       1037     1037
- Partials      394      395       +1
```

Continue to review full report at Codecov.
There is a vulnerability in the `checkoutCustomerAttach` mutation that allows assigning arbitrary customers to a checkout without checking if the customer owns this checkout instance. This PR changes this behavior to only attach a checkout to the currently authenticated customer. Also, `checkoutCustomerDetach` was changed to require authentication.