0005930: control of instances over contract terms should be restricted

ID	Project	Category	View Status	Date Submitted	Last Update

0005930	Taler	mechant backend	public	2019-10-16 15:46	2021-09-02 18:23

Reporter	Florian Dold	Assigned To	Christian Grothoff
Priority	low	Severity	feature	Reproducibility	N/A
Status	closed	Resolution	fixed
Product Version	git (master)
Target Version	0.8	Fixed in Version	0.8

Summary	0005930: control of instances over contract terms should be restricted
Description	Currently, instance A can "pretend" to be instance B, by supplying the information of B in the contract terms. Unless explicitly configured, an instance should not be able to set certain fields of the contract terms, such as the merchant field. This field should be taken from the instance configuration instead.
Tags	No tags attached.

Christian Grothoff 2020-04-13 21:32 manager ~0015640	Is there a reason why you say this should be allowable by configuration? I'd simply 400 bad request such orders, unless you have a very good reason to allow it.

Christian Grothoff 2020-07-06 10:58 manager ~0016387	Fixed in d37e16a..85a0221: require 'merchant' field to be provided by backend only. We already force the merchant_pub being set by the backend.

Christian Grothoff 2021-09-02 18:23 manager ~0018377	Fix committed to master branch.

Date Modified	Username	Field	Change
2019-10-16 15:46	Florian Dold	New Issue
2019-10-16 15:46	Florian Dold	Status	new => assigned
2019-10-16 15:46	Florian Dold	Assigned To	=> Marcello Stanisci
2020-04-13 02:39	Christian Grothoff	Assigned To	Marcello Stanisci => Christian Grothoff
2020-04-13 21:32	Christian Grothoff	Note Added: 0015640
2020-04-13 21:33	Christian Grothoff	Target Version	0.7.1 => 0.8
2020-07-06 10:58	Christian Grothoff	Note Added: 0016387
2020-07-06 10:58	Christian Grothoff	Status	assigned => resolved
2020-07-06 10:58	Christian Grothoff	Resolution	open => fixed
2020-07-06 10:58	Christian Grothoff	Fixed in Version	=> 0.8
2021-08-24 16:23	Christian Grothoff	Status	resolved => closed
2021-09-02 18:22	Christian Grothoff	Changeset attached	=> Taler-merchant master 85a02216
2021-09-02 18:23	Christian Grothoff	Note Added: 0018377

merchant: master 85a02216 2020-07-06 12:52 Christian Grothoff Details Diff	fix 0005930		Affected Issues 0005930
	mod - src/backend/taler-merchant-httpd_private-post-orders.c		Diff File