From fb2c0a253bf4bea3dd0bdef7289cf12a283cd88b Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Thu, 16 Dec 2021 14:02:50 +0000
Subject: [PATCH] Remove reference to params[:token] in Admin::Orders::CustomerDetailsController

params[:token] and session[:access_token] are only really used in the context of guest users in the customer-facing parts of the app. Here the user should be fully authenticated already to view the page. There aren't any URL that point at this controller which append a token to the params.
---
 .../spree/admin/orders/customer_details_controller.rb | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/app/controllers/spree/admin/orders/customer_details_controller.rb b/app/controllers/spree/admin/orders/customer_details_controller.rb
index 8bdd0990c4..2a1f7a2595 100644
--- a/app/controllers/spree/admin/orders/customer_details_controller.rb
+++ b/app/controllers/spree/admin/orders/customer_details_controller.rb
@@ -75,14 +75,10 @@ module Spree
         end
 
         def check_authorization
-          load_order
-          session[:access_token] ||= params[:token]
-
-          resource = @order
           action = params[:action].to_sym
           action = :edit if action == :show # show route renders :edit for this controller
 
-          authorize! action, @order
+          authorize! action, @order
         end
 
         def set_guest_checkout_status
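Review bot: `check_authorization` no longer calls `load_order` itself, so `authorize! action, @order` now depends on an earlier callback having set `@order`, and that callback ordering is declared outside this hunk. If the check ever ran first, or the order lookup returned nothing, the ability check would be evaluated against `nil` instead of the order record, so the per-order conditions would not be applied to the real object. I would make the dependency explicit with a comment above the method such as `# Relies on the load_order callback having set @order before this runs` and fail closed on a missing record with `raise CanCan::AccessDenied if @order.nil?` before the `authorize!` call. A controller spec asserting that a signed-in user without rights on the order is denied for both `edit` and `update` would pin the behaviour now that the token argument is gone.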