This repository has been archived by the owner on Nov 17, 2023. It is now read-only.

Any customer can access any other customers' orders? #2084

Open
jgschis opened this issue Apr 11, 2023 · 2 comments

jgschis commented Apr 11, 2023

In the orders controller, there is a method to get an order by its id. It seems like any logged in customer could pass any order id, and the system would return it. Shouldn't the API enforce that only orders belonging to the logged in customer be returned?

method:
GetOrderAsync

file:
https://github.com/dotnet-architecture/eShopOnContainers/blob/dev/src/Services/Ordering/Ordering.API/Controllers/OrdersController.cs

```csharp
    [Route("{orderId:int}")]
    [HttpGet]
    [ProducesResponseType(typeof(Order), (int)HttpStatusCode.OK)]
    [ProducesResponseType((int)HttpStatusCode.NotFound)]
    public async Task<ActionResult> GetOrderAsync(int orderId)
    {
        try
        {
            //Todo: It's good idea to take advantage of GetOrderByIdQuery and handle by GetCustomerByIdQueryHandler
            //var order customer = await _mediator.Send(new GetOrderByIdQuery(orderId));
            var order = await _orderQueries.GetOrderAsync(orderId);

            return Ok(order);
        }
        catch
        {
            return NotFound();
        }
    }
```

@behdad088

Hi @jgschis
The primary focus of this project appears to be centered around architectural solutions, specifically in the realm of building and effectively managing microservices using .NET Core. However, it is worth noting that certain critical aspects, such as Authorization, have not been adequately addressed or implemented.


Parashoe commented Oct 29, 2023

Confused me as well. I'm using eShopOnContainers as a reference to learn production practices in ASP.NET and assumed proper authorization was being done. It led to a couple hours of head scratching looking if this was checked on the gateway or somehow I wasn't seeing: it "was magical" 😛.

Turns out any authenticated user can not only view but edit/cancel any order. Perhaps a comment that authorization isn't implemented would be helpful.

Here are the docs on resource based authorization.
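
Added example, not part of the thread and not code from eShopOnContainers: one way the `GetOrderAsync` action quoted in the issue could apply ASP.NET Core resource-based authorization so that an order is returned only to the customer who owns it. `OrderView`, `IOrderLookup`, `SameBuyerRequirement`, `OrderOwnerHandler`, the `BuyerIdentityGuid` property, the route template and the use of the `sub` claim as the user id are all assumptions made for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical read model: assumes the query result carries the owner's identity.
public record OrderView(int OrderNumber, string BuyerIdentityGuid);
// Hypothetical stand-in for the _orderQueries dependency in the quoted controller.
public interface IOrderLookup { Task<OrderView?> FindAsync(int orderId); }
public class SameBuyerRequirement : IAuthorizationRequirement { }

// Register with: services.AddScoped<IAuthorizationHandler, OrderOwnerHandler>();
public class OrderOwnerHandler : AuthorizationHandler<SameBuyerRequirement, OrderView>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, SameBuyerRequirement requirement, OrderView order)
    {
        // Assumption: the authenticated user's id is carried in the "sub" claim.
        var userId = context.User.FindFirst("sub")?.Value;
        if (!string.IsNullOrEmpty(userId) &&
            string.Equals(userId, order.BuyerIdentityGuid, StringComparison.Ordinal))
            context.Succeed(requirement);
        return Task.CompletedTask; // never calling Succeed() leaves the check failed
    }
}

[Authorize]
[ApiController]
[Route("api/v1/[controller]")] // illustrative route template
public class OrdersController : ControllerBase
{
    private readonly IOrderLookup _orders;
    private readonly IAuthorizationService _authz;

    public OrdersController(IOrderLookup orders, IAuthorizationService authz)
        => (_orders, _authz) = (orders, authz);

    [HttpGet("{orderId:int}")]
    public async Task<ActionResult> GetOrderAsync(int orderId)
    {
        var order = await _orders.FindAsync(orderId);
        if (order is null) return NotFound();

        var result = await _authz.AuthorizeAsync(User, order, new SameBuyerRequirement());
        // Answer 404 instead of 403 so the response does not confirm that the id exists.
        if (!result.Succeeded) return NotFound();
        return Ok(order);
    }
}
```

The same `AuthorizeAsync` call belongs in front of every action that takes an order id, including the edit and cancel paths mentioned above, since each one loads the order by a caller-supplied identifier.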
