I think I've found a security risk in this contribution. My shop is currently in development and already has around 15 contributions in it. I really want purchase without account to work correctly before I use it in my store.
Here is my problem:
I have a login box where registered users can log in and check their account and order history.
Now I found out that if somebody buys a product using purchase without account, he is actually 'logged in', because in my login box I can't see the login fields but see welcome:(empty), my account and Logoff. (If I click on any of them I go to the shopping cart or checkout, depending on what's in my cart.)
Of course this is not correct, because if somebody clicks checkout now after he made an order, he doesn't see the login, create account or purchase without account options.
This means I have to figure out something that will 'logoff' only the purchase without account user at the purchase successfully page.
Could somebody please help me get this done? I think it should be something in checkout_success.php like
if (tep_session_is_registered('pwa_array_customer')) {
  // HERE THE CODE TO LOGOFF
}
Any help would be awesome...
G
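
One way to do the selective logoff the post asks for, as an added example that is not part of the original post or of the contribution's own code. The session keys are the ones osCommerce's stock logoff.php unregisters (check them against your version), pwa_array_customer comes from the post, and pwa_logoff_guest() and the tep_session_* stand-ins are hypothetical names added so the snippet also runs outside a shop.

```php
<?php
// Stand-ins so this runs outside a shop (assumption: inside osCommerce the
// real tep_session_* functions are already loaded and these are skipped).
if (!function_exists('tep_session_is_registered')) {
    function tep_session_is_registered($name) { return isset($_SESSION[$name]); }
    function tep_session_unregister($name) { unset($_SESSION[$name]); }
}

// Hypothetical helper: drops everything that makes the visitor look logged
// in, but only for a purchase-without-account session.
// Returns true if a guest session was cleared, false otherwise.
function pwa_logoff_guest() {
    if (!tep_session_is_registered('pwa_array_customer')) {
        return false; // registered customer: keep the login
    }
    $keys = array(
        'customer_id',
        'customer_default_address_id',
        'customer_first_name',
        'customer_country_id',
        'customer_zone_id',
        'comments',
        'pwa_array_customer', // the guest marker itself, from the post
    );
    foreach ($keys as $key) {
        tep_session_unregister($key);
    }
    return true;
}

// Constructed sample sessions, not real shop data.
$_SESSION = array('customer_id' => 42, 'customer_first_name' => '',
                  'pwa_array_customer' => array('email' => 'guest@example.test'));
var_dump(pwa_logoff_guest());          // guest session is cleared
var_dump(isset($_SESSION['customer_id']));

$_SESSION = array('customer_id' => 7, 'customer_first_name' => 'Ann');
var_dump(pwa_logoff_guest());          // registered customer is left alone
var_dump(isset($_SESSION['customer_id']));
```

In checkout_success.php the call belongs after the last place the page still reads the customer id, so the success page itself renders normally and the next request starts without a login.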