Fixed Guests can purchase user upgrades

Affected version
2.1.3

Kirby

Well-known member
If a guest does access /purchase/user_upgrade/?user_upgrade_id=1&payment_profile_id=1 on a XenForo installation that does have such User Upgrade and Payment Profile IDs, XF does start the payment process without verifying that the user is actualy logged in.
 

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.1.4).

Change log:
Prevent guests from entering user upgrade checkout flow
Any changes made as a result of this issue being resolved may not be rolled out here until later.
 
Top