From ec3dadfe68762f5773e5cb7c033f438ad842d1db Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Thu, 16 Dec 2021 13:41:04 +0000
Subject: [PATCH] Remove reference to params[:token] in PaymentsController
There seemingly shouldn't be any case where this controller actually receives a token param. There's only one place that creates urls that direct to this controller (Stripe authorization emails), and they do not attach any kind of token to the URL. If the user is not logged in here (or doesn't have an access_token in their session), they get asked to log in. Note to future devs: see previous commit for additional context.
---
 app/controllers/payments_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/payments_controller.rb b/app/controllers/payments_controller.rb
index 47d2004dc2..e232574b63 100644
--- a/app/controllers/payments_controller.rb
+++ b/app/controllers/payments_controller.rb
@@ -19,7 +19,7 @@ class PaymentsController < BaseController
 private
 def require_logged_in
- return if session[:access_token] || params[:token] || spree_current_user
+ return if session[:access_token] || spree_current_user
 flash[:error] = I18n.t("spree.orders.edit.login_to_view_order")
 redirect_to main_app.root_path(anchor: "login?after_login=#{request.env['PATH_INFO']}")
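Review bot: The tightened guard in `require_logged_in` lands without a spec: the diffstat shows only the controller changed, so nothing pins that a request carrying a `token` param with no session and no signed-in user is now redirected to login. A request spec for that case would keep the param from being quietly reintroduced. A short comment above the `return if` line would help as well, e.g. `# A token in the URL is deliberately not accepted; only a session access_token or a signed-in user passes.` Separately, the remaining `session[:access_token]` test is presence-only, and the hunk does not show it being compared with the token of the order being paid; it is worth confirming that the action does this later. The method's `end` and the action that uses this filter are outside the hunk.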