rust/hyperswitch
1
0
Fork 0
mirror of https://github.com/juspay/hyperswitch.git synced 2025-11-04 14:07:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(router): restricted unknown customer_id to be pass in payment confirm and update call (#1758)

Browse Source 
Co-authored-by: Sahkal Poddar <sahkal.poddar@juspay.in>
This commit is contained in:
Sahkal Poddar
2023-07-24 23:47:44 +05:30
committed by GitHub
parent 7b1dc78de5
commit 32c73243c0
1 changed files with 2 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
crates/router/src/core/payments/helpers.rs
View File

@ -2615,17 +2615,8 @@ pub fn validate_customer_access(
request: &api::PaymentsRequest, request: &api::PaymentsRequest,
) -> Result<(), errors::ApiErrorResponse> { ) -> Result<(), errors::ApiErrorResponse> {
if auth_flow == services::AuthFlow::Client && request.customer_id.is_some() { if auth_flow == services::AuthFlow::Client && request.customer_id.is_some() {
let is_not_same_customer = request let is_same_customer = request.customer_id == payment_intent.customer_id;
.clone() if !is_same_customer {
.customer_id
.and_then(|customer| {
payment_intent
.clone()
.customer_id
.map(|payment_customer| payment_customer != customer)
})
.unwrap_or(false);
if is_not_same_customer {
Err(errors::ApiErrorResponse::GenericUnauthorized { Err(errors::ApiErrorResponse::GenericUnauthorized {
message: "Unauthorised access to update customer".to_string(), message: "Unauthorised access to update customer".to_string(),
})?; })?;