Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rest api: /V1/store/websites is reachable without a valid customer key/secret #3719

Closed
spotlerbob opened this issue Mar 10, 2016 · 6 comments
Closed

Rest api: /V1/store/websites is reachable without a valid customer key/secret #3719

spotlerbob opened this issue Mar 10, 2016 · 6 comments
Assignees
@choukalos
Labels
bug report Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development

Comments

@spotlerbob
Copy link

Steps to reproduce

  1. Install Magento from develop branch.
  2. Do a call to the /rest/V1/store/websites with a non empty Consumer key, Consumer key secret, Access token and Access token secret

Expected result

  1. 401 status code

Actual result

  1. Get a 200 status code and the list of available websites
@Bbbrinks
Copy link

I have the same issue even with empty tokens

@thomvanderboon
Copy link

Same on 2.0.2

@choukalos
Copy link

This is as designed. Intent is to allow mobile shopping apps or ajax style applications to browse the catalog and purchase. You'll notice that we block some extensible data objects (inventory) from being displayed when catalog is being accessed anonymously. You'll notice that we have 3 different sets of Quote APIs to allow anonymous, logged in user and the Admin to access those business objects. When accessing Quote anonymously ( or as a logged in user ). You can only access your (one) cart. However as an Admin you can see the cart_id and access any cart that's active.

@spotlerbob do you have a concern? Can you provide details of your concern and use case as to why we shouldn't provide anonymous access to Catalog ( same properties as is available on the store front to anonymous users ).

@choukalos choukalos self-assigned this Mar 15, 2016
@Bbbrinks
Copy link

@choukalos (This is spotlerbobs actual github account) My concern is that when i'm running multiple websites on one magento instance, i might not want this information to be public. These websites/webshops might be competing webshops and i might want to hide the fact that i own both.

@choukalos
Copy link

Linking to #3786; converting to Bug

@sshrewz sshrewz added the Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development label Mar 17, 2016
@KrystynaKabannyk
Copy link

Hello @spotlerbob, the bug is fixed now. Thanks for finding and reporting the issue!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@choukalos choukalos

Labels
bug report Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@choukalos @Bbbrinks @MomotenkoNatalia @sshrewz @thomvanderboon @spotlerbob @KrystynaKabannyk