- Issue created by @loze
I may be missing something, but here is what I am seeing:
I have tokens enabled for all roles.
If I copy the URL from a product using a logged-in user, then open a new browser where I'm not logged in (completely different browser, new session) and paste that URL, the product is added to the cart.
This bypasses the whole point of the token, no? Any user can use anyone's tokens.
Search engines could crawl these links, adding items to a cart.
Am I correct in assuming that only the current user should be able to use the link shown to them? If that's not the intended purpose, what is?
Thanks!
Active
2.1
Code
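
The behaviour reported above, as an added example that is not part of the original issue or the module's code: a link token derived only from the product verifies in any browser, while a token that also covers the session identifier is rejected when the link is replayed from another session. How the module actually derives its token is not shown on this page; every function name, the key and the session ids below are hypothetical.

```python
import hashlib
import hmac

# Constructed value for illustration; a real site would load its key from
# protected configuration and take the session id from its session layer.
SITE_KEY = b"constructed-demo-key"


def _mac(message: str) -> str:
    """HMAC-SHA256 of the message under the site key, hex encoded."""
    return hmac.new(SITE_KEY, message.encode(), hashlib.sha256).hexdigest()


def unbound_token(product_id: int) -> str:
    """Token derived from the product alone: identical for every visitor."""
    return _mac(f"add-to-cart:{product_id}")


def bound_token(product_id: int, session_id: str) -> str:
    """Token that also covers the visitor's session identifier."""
    return _mac(f"add-to-cart:{product_id}:{session_id}")


def verify_unbound(product_id: int, token: str) -> bool:
    return hmac.compare_digest(unbound_token(product_id), token)


def verify_bound(product_id: int, session_id: str, token: str) -> bool:
    # A request that carries no session can never present a valid token.
    if not session_id:
        return False
    return hmac.compare_digest(bound_token(product_id, session_id), token)


def replay_in_other_session(product_id: int, owner: str, other: str) -> dict:
    """Copy the link issued to `owner` and present it from session `other`."""
    copied_unbound = unbound_token(product_id)
    copied_bound = bound_token(product_id, owner)
    return {
        "unbound_accepted": verify_unbound(product_id, copied_unbound),
        "bound_accepted": verify_bound(product_id, other, copied_bound),
        "bound_owner_accepted": verify_bound(product_id, owner, copied_bound),
    }


if __name__ == "__main__":
    print(replay_in_other_session(42, "sess-A", "sess-B"))
```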