[security] Anonymous users can reuse credit cards of others when payment token is set to always

Created on 2 August 2023, over 1 year ago

Problem/Motivation

When using the token setting to always store a payment method reference, which only makes sense in combination with custom code that then does something with that (setting up subscriptions in our case), then the ID for anonymous users is not handled correctly, which results in anonymous users being able to reuse stored credit cards.

Reporting this in public because this module is not stable and it's unlikely anyone but us used this setting.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Fixed

Version

2.0

Component

Code

Created by

🇨🇭 Switzerland berdir
