Prestashop: Return page should not be available if returns is disabled

Created on 19 May 2020 · 10 Comments · Source: PrestaShop/PrestaShop

Describe the bug

You can access the return page in the front office even if this feature is not enabled.

Expected behavior

Return page should not be available if "Enable returns" is set to "No".

Steps to Reproduce

Steps to reproduce the behavior:

  1. Go to BO Customer Service > Merchandise Returns
  2. Set "Enable returns" to "No"
  3. Go to https://yourshop.tld/index.php?controller=orderfollow

This page should return a 404 error.

Screenshots

(screenshot attached to the original issue; not reproduced here)

Additional information

  • PrestaShop version: 1.7.6.5, 1.7.7.0
  • PHP version: N/A
Labels: 1.7.6.x, 1.7.7.x, Bug, FO, Fixed, Merchandise returns, PR available

All 10 comments

Thanks for opening this issue! We will help you to keep its state consistent

Hello @clotaire202, thank you for this improvement idea! Let's wait for a PM to study it. :-)

It's a security issue too.

Okay, thanks @clotaire202, perhaps I should classify this issue as a critical bug then? @PrestaShop/prestashop-core-developers, could you please have a look at it?

@LouiseBonnard indeed, it's a bug that needs to be fixed. I'm not sure it's this complicated either: ideally it just requires checking that the feature is enabled in a controller and redirecting to a 404 if needed.

@clotaire202 I'm not sure there is such a threat from a security point of view, since users shouldn't be able to access critical information anyway, but maybe I'm minimizing the problem.

If there's a security threat it should be fixed in 1.7.7, else it will be fixed in 1.7.8. @PierreRambaud what's your opinion regarding the security problem?
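The check described in the comment above (feature flag tested in the controller, 404 when it is off), written as an added illustration for shops that want to close the page before upgrading. This is not the code from the merged PR; it assumes a PrestaShop 1.7 install with its override mechanism (`override/controllers/front/OrderFollowController.php`), the `FrontController::init()` hook, `Configuration::get()`, `Tools::redirect()` and the `PS_ORDER_RETURN` configuration key that backs the "Enable returns" switch.

```php
<?php
/**
 * Added illustration, not PrestaShop's own code nor the fix from PR #19395.
 *
 * File: override/controllers/front/OrderFollowController.php
 *
 * Assumptions: PrestaShop 1.7 override convention (class without the "Core"
 * suffix extends the core class), FrontController::init() runs before any
 * template or order data is prepared, and PS_ORDER_RETURN holds the
 * "Enable returns" setting from Customer Service > Merchandise Returns.
 */
class OrderFollowController extends OrderFollowControllerCore
{
    public function init()
    {
        parent::init();

        // Deny the whole page when merchandise returns are disabled.
        // Doing it in init() means the decision is taken before
        // initContent()/postProcess(), so no return form, order list or
        // template fragment is rendered whatever the request parameters are.
        if (!(int) Configuration::get('PS_ORDER_RETURN')) {
            Tools::redirect('index.php?controller=404');
        }
    }
}
```

After dropping the file in place, delete the class index cache (`var/cache/*/class_index.php` in 1.7) so the override is picked up; then repeat the steps from the issue: with "Enable returns" set to "No", `index.php?controller=orderfollow` must land on the 404 page, and with it set to "Yes" the page must behave as before.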

We agree that there is an issue and that it's probably not critical. Access to a non-authorized page without the possibility to exploit anything... We'll wait for the security guru to know the severity level.

I've just added the PR to fix it in case it should be fixed quickly.

@PierreRambaud If it's ok for you, the PR can go to the QA Hands ;)

This one needs to target the 1.7.7.x branch. As it says, seeing an unauthorized page is a security issue. Even if it's minor.

Thanks @PierreRambaud

Fixed by #19395
