Remove reference to params[:token] in Admin::Orders::CustomerDetailsController

params[:token] and session[:access_token] are only really used in the context of guest users in the customer-facing parts of the app. Here the user should be fully authenticated already to view the page. There aren't any URL that point at this controller which append a token to the params.
2026-01-24 20:36:49 +00:00 · 2021-12-16 14:02:50 +00:00
parent ec3dadfe68
commit fb2c0a253b
1 changed files with 1 additions and 5 deletions
--- a/app/controllers/spree/admin/orders/customer_details_controller.rb
+++ b/app/controllers/spree/admin/orders/customer_details_controller.rb
@@ -75,14 +75,10 @@ module Spree
        end

        def check_authorization
-          load_order
-          session[:access_token] ||= params[:token]
-
-          resource = @order
          action = params[:action].to_sym
          action = :edit if action == :show # show route renders :edit for this controller

-          authorize! action, resource, session[:access_token]
+          authorize! action, @order
        end

        def set_guest_checkout_status