litecommerce/core

Memberships security issue?

Opened this issue · 1 comment

Hello, I have set up category memberships, so only certain users can see a product category. But if you're signed in as a user without that membership (you can't see the category listed on the main page, but), you can still access that category by just changing the number in the address bar - cart.php?target=category&category_id=3. By changing the id=3 to id=2 you can access it with the wrong account. Am I doing something wrong?

Hi!

This problem is fixed in X-Cart 5. Check it out here: http://www.x-cart.com/download.html
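
The report above describes a category that is hidden from the listing but still served when requested by id. As an added example (not LiteCommerce or X-Cart code; the category data and all function names are constructed for illustration), the following PHP applies the same membership decision in the direct-access handler as in the listing:

```php
<?php
// Added illustration; not LiteCommerce or X-Cart code. All names are hypothetical.
declare(strict_types=1);

// Constructed sample data: category_id => membership required to view it (null = public).
const CATEGORIES = [
    1 => ['name' => 'Public goods',   'membership' => null],
    2 => ['name' => 'Wholesale only', 'membership' => 'wholesale'],
    3 => ['name' => 'Accessories',    'membership' => null],
];

/** Single authorization decision shared by the listing and the direct-access path. */
function canViewCategory(?array $category, ?string $userMembership): bool
{
    if ($category === null) {
        return false; // unknown id: deny
    }
    $required = $category['membership'];
    return $required === null || $required === $userMembership;
}

/** Menu on the main page: filtering here only hides links, it protects nothing by itself. */
function listCategories(?string $userMembership): array
{
    return array_keys(array_filter(
        CATEGORIES,
        fn(array $c): bool => canViewCategory($c, $userMembership)
    ));
}

/** Handler for cart.php?target=category&category_id=N: re-check on every request. */
function showCategory(string $rawId, ?string $userMembership): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    $category = ($id !== false) ? (CATEGORIES[$id] ?? null) : null;
    if (!canViewCategory($category, $userMembership)) {
        // Same response for "missing" and "forbidden" so the reply does not confirm an id exists.
        return ['status' => 404, 'body' => 'Category not found'];
    }
    return ['status' => 200, 'body' => $category['name']];
}

// A user without the membership: category 2 is absent from the menu and refused directly.
var_dump(listCategories(null));
var_dump(showCategory('2', null)['status']);
var_dump(showCategory('2', 'wholesale')['status']);
```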