[security vulnerability] Arbitrary Order Detail Access Vulnerability

[GatekeeperBuster]

Recently, our team found an arbitrary order detail access vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/macrozheng/mall/blob/master/mall-portal/src/main/java/com/macro/mall/portal/service/impl/OmsPortalOrderServiceImpl.java#L390

The developer failed to check the ownership of the orderId with the access user when querying the order details via orderMapper.selectByPrimaryKey(), leading to any order can be traversed by detail/{id} to get details (i.e., https://github.com/macrozheng/mall/blob/master/mall-admin/src/main/java/com/macro/mall/controller/OmsOrderController.java#L75), leaking user privacy data (e.g., address, phone number, etc.)

We recommend that developers add the access control policy before querying via orderId to ensure that the accessor is the owner of the order.