Commit
security: Only allow Importer::Order for admins
Any user with an API key has access to the Api::Orders#create endpoint. This exposed some functionality from Importer::Order.import that should not be exposed to regular users. This commit changes Api::Order#create to only use Importer::Order.import on requests from admin users. For users without the :admin permission on orders, it will use OrderUpdateAttributes, and take the same parameters as the Api::Order#update endpoint.
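The permission split this commit message describes, as an added Ruby sketch that is not part of the commit or the project's code. The stand-in classes, the field names and the permitted list are assumptions made for the illustration.

```ruby
# Added illustration: stand-ins only, not the project's Importer::Order or
# OrderUpdateAttributes. Field names and the permitted list are assumptions.
require "set"

User = Struct.new(:id, :permissions) do
  def can?(action, resource)
    permissions.include?([action, resource])
  end
end

# Stand-in for a privileged importer: trusts every key it is given.
module HypotheticalImporter
  def self.import(user, params)
    { user_id: user.id, state: "cart" }.merge(params)
  end
end

# Stand-in for the restricted path: copies only allowlisted keys.
class HypotheticalUpdateAttributes
  PERMITTED = Set[:email, :special_instructions].freeze

  def initialize(order, params)
    @order = order
    @params = params
  end

  def apply
    @order.merge(@params.select { |key, _| PERMITTED.include?(key) })
  end
end

# Dispatch on the caller's permission before choosing the code path.
def create_order(user, params)
  if user.can?(:admin, :order)
    HypotheticalImporter.import(user, params)
  else
    order = { user_id: user.id, state: "cart" }
    HypotheticalUpdateAttributes.new(order, params).apply
  end
end

# Constructed request body carrying two fields a regular user should not set.
REQUEST = { email: "a@example.test", user_id: 7, state: "complete" }.freeze
ADMIN   = User.new(1, Set[[:admin, :order]])
REGULAR = User.new(42, Set.new)
```

The same request body yields different orders: the admin call keeps `user_id` and `state` as sent, while the regular call keeps only the allowlisted `email`.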