Rank: Member
Groups: Developers
Joined: 6/4/2020(UTC) Posts: 16
Thanks: 5 times
I'm not sure if this bug has already been fixed in a subsequent release, but this is a MAJOR issue in 9.0.1, as it can result in customers seeing other customers' order details.

Just a single bad line of code in the MembersController PayMyOrderDetails action method causes order info to be loaded passing the Order No as the Order ID (which aren't always the same), resulting in order details from a different order (generally that of another user/customer) to be shown to the user on the Pay My Order screen, whenever the AC order numbers differ from the order ID.

For one of our clients, their order numbers and order IDs were the same until recently, but when they became different a few days ago, their customers started reporting seeing the wrong order info when clicking the Pay Now button.

On a related (but less-severe) note, the _PaymentWidget method in the CheckoutController is also doing something similar, passing the Order ID to the widget view, rather than the Order #, so it shows the wrong Order # on the header in that widget.

I have fixed all of this in our code, so we don't need a fix, but I just wanted to let everyone know, so they can be aware of this potentially-major issue.

Let me know if you have any questions.

Regards,
Maximillian R. Carper
Carper Business Automation

Edited by user Friday, March 5, 2021 1:32:34 PM(UTC) | Reason: Not specified
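The identifier mix-up reported in the post above, as an added illustration that is not part of the thread and is not AbleCommerce's code: the `Order` class, the `OrderLookup` helper and the sample data are hypothetical. It goes one step beyond the post by also checking that the order belongs to the signed-in user, which keeps a wrong lookup key from exposing another customer's order.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical order model: the internal key and the customer-facing number are separate fields.
public sealed class Order
{
    public int OrderId { get; set; }
    public int OrderNumber { get; set; }
    public int UserId { get; set; }
    public string Summary { get; set; }
}

public static class OrderLookup
{
    // Constructed sample data: ids and numbers match at first, then diverge.
    public static readonly List<Order> Orders = new List<Order>
    {
        new Order { OrderId = 1, OrderNumber = 1, UserId = 10, Summary = "user 10: lamp" },
        new Order { OrderId = 2, OrderNumber = 2, UserId = 11, Summary = "user 11: desk" },
        new Order { OrderId = 3, OrderNumber = 5, UserId = 10, Summary = "user 10: chair" },
        new Order { OrderId = 5, OrderNumber = 7, UserId = 12, Summary = "user 12: sofa" },
    };

    // Pattern described in the post: an order number is passed where an order ID is expected.
    public static Order LoadBuggy(int orderNumber)
    {
        return Orders.FirstOrDefault(o => o.OrderId == orderNumber);
    }

    // Corrected lookup: match on the order number, then require the signed-in user to own the order.
    public static Order LoadForUser(int orderNumber, int currentUserId)
    {
        Order order = Orders.FirstOrDefault(o => o.OrderNumber == orderNumber);
        if (order == null || order.UserId != currentUserId)
            return null; // treat as "not found" so nothing about other orders is disclosed
        return order;
    }
}

public static class Program
{
    public static void Main()
    {
        // User 10 opens the pay screen for their own order number 5.
        Console.WriteLine("buggy:     " + OrderLookup.LoadBuggy(5).Summary);
        Console.WriteLine("corrected: " + OrderLookup.LoadForUser(5, 10).Summary);
        Console.WriteLine("other user denied: " + (OrderLookup.LoadForUser(5, 11) == null));
    }
}
```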
Rank: Advanced Member
Groups: Admin, Developers, Registered, HelpDesk, Authorized User Joined: 10/5/2018(UTC) Posts: 704
Thanks: 5 times Was thanked: 113 time(s) in 112 post(s)
Hi,
I am able to reproduce the issue. I am going to report this as a bug. Thank you for identifying!
Regards
Rank: Member
Groups: Developers
Joined: 6/4/2020(UTC) Posts: 16
Thanks: 5 times
Thank you for your quick response and attention to this.

Hopefully you proactively notify all 9.0 customers about this, since it's a customer privacy issue, and tell them how to fix it themselves, since (I believe) all customers have access to the problem code, and it's just a few lines to fix it.

For those who customize AC a fair amount (as we do for our clients), upgrading to the next version can be a fairly-intense process, so a lot of times, just being able to fix the bugs in our own customized code is a lot easier.

Edited by user Monday, March 8, 2021 12:23:29 PM(UTC) | Reason: Not specified