core/helpers/layouts.js need some refactoring #562
Comments
Client side data is never trusted, the access is controlled in server publications in cart.js. The client should never have access to any data that the user doesn't already have permissions to access. A query such as
Oh, I get it) Thanks for the explanation. Then the last part of this issue: is this part of the code still valid?
This is part of the functionality of This is all part of a larger incremental implementation of #148 and #517 and is used here: https://gist.github.com/newsiberian/a71f3791cdddd08c3e67#file-layout-js-L91
Hello, I'm going through the `checkout/login` workflow and there is a bug: if a guest adds a product to the cart and checks out, he will see workflow stage one `checkout/login`, BUT if he refreshes the page, the `reactionTemplate` method will jump over this stage to the second stage. I think this could happen because of this code. Currently we don't have a Layouts collection.
First question: what should this snippet do?
Second question: Please take a look at this part. I believe we should remove this part because this could be a security issue when a user could override cart._id. The same applies to this line.
Also, there is a bug in line 41. This is a fixed version. It occurs when a guest comes to the `/checkout` route for the first time visiting the site.
I think I missed that this method `reactionTemplate` is also used in the dashboard order.
I think that this method is security sensitive, that's why I'm not changing it by myself right now.