View Issue Details

ID: 0005930
Project: Taler
Category: mechant backend
View Status: public
Last Update: 2020-07-06 10:58
Reporter: Florian Dold
Assigned To: Christian Grothoff
Priority: low
Severity: feature
Reproducibility: N/A
Status: resolved
Resolution: fixed
Product Version: git (master)
Target Version: 0.8
Fixed in Version: 0.8
Summary: 0005930: control of instances over contract terms should be restricted
Description: Currently, instance A can "pretend" to be instance B, by supplying the information of B in the contract terms.

Unless *explicitly* configured, an instance should not be able to set certain fields of the contract terms, such as the merchant field. This field should be taken from the instance configuration instead.
Tags: No tags attached.

Activities

Christian Grothoff (manager), 2020-04-13 21:32, ~0015640

Is there a reason why you say this should be allowable by configuration? I'd simply 400 bad request such orders, unless you have a very good reason to allow it.

Christian Grothoff (manager), 2020-07-06 10:58, ~0016387

Fixed in d37e16a..85a0221: require 'merchant' field to be provided by backend only.
We already force the merchant_pub being set by the backend.
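
The policy discussed in this issue, as an added example that is not part of the thread and is not GNU Taler code: the backend rejects an order that carries a 'merchant' field and fills both 'merchant' and 'merchant_pub' from the instance's own configuration. The `Instance` class, `build_contract_terms`, `BadRequest` and all sample values are hypothetical; rejecting with 400 while overwriting 'merchant_pub' is an assumed reading of the two notes above.

```python
"""Constructed sketch of backend-owned contract fields; not GNU Taler code."""
import copy
from dataclasses import dataclass


class BadRequest(Exception):
    """Maps to an HTTP 400 response in a real handler."""
    status = 400


@dataclass(frozen=True)
class Instance:
    # Hypothetical per-instance configuration held by the backend.
    instance_id: str
    merchant: dict      # public merchant details (name, address, ...)
    merchant_pub: str   # instance public key, encoded as text


def build_contract_terms(instance: Instance, order: dict) -> dict:
    """Turn a client-supplied order into contract terms for `instance`."""
    if not isinstance(order, dict):
        raise BadRequest("order must be a JSON object")
    # Identity comes from configuration only: a client-supplied 'merchant'
    # is rejected rather than silently replaced, so a misbehaving frontend
    # is noticed (assumed policy, following the 400 proposed in the thread).
    if "merchant" in order:
        raise BadRequest("'merchant' is set by the backend")
    terms = copy.deepcopy(order)
    terms["merchant"] = copy.deepcopy(instance.merchant)
    # The key is always overwritten, whatever the client sent.
    terms["merchant_pub"] = instance.merchant_pub
    return terms


# Constructed sample data.
INSTANCE_A = Instance("a", {"name": "Shop A"}, "PUB-A-PLACEHOLDER")
INSTANCE_B = Instance("b", {"name": "Shop B"}, "PUB-B-PLACEHOLDER")


def demo() -> tuple:
    honest = build_contract_terms(INSTANCE_A, {"summary": "book", "amount": "KUDOS:5"})
    forged_key = build_contract_terms(
        INSTANCE_A, {"summary": "book", "merchant_pub": INSTANCE_B.merchant_pub})
    try:
        build_contract_terms(INSTANCE_A, {"summary": "book", "merchant": INSTANCE_B.merchant})
        rejected = False
    except BadRequest:
        rejected = True
    return honest, forged_key, rejected
```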

Issue History

Date Modified | Username | Field | Change
2019-10-16 15:46 | Florian Dold | New Issue |
2019-10-16 15:46 | Florian Dold | Status | new => assigned
2019-10-16 15:46 | Florian Dold | Assigned To | => Marcello Stanisci
2020-04-13 02:39 | Christian Grothoff | Assigned To | Marcello Stanisci => Christian Grothoff
2020-04-13 21:32 | Christian Grothoff | Note Added: 0015640 |
2020-04-13 21:33 | Christian Grothoff | Target Version | 0.7.1 => 0.8
2020-07-06 10:58 | Christian Grothoff | Note Added: 0016387 |
2020-07-06 10:58 | Christian Grothoff | Status | assigned => resolved
2020-07-06 10:58 | Christian Grothoff | Resolution | open => fixed
2020-07-06 10:58 | Christian Grothoff | Fixed in Version | => 0.8