Crowdfunding order details page user information can be traversed and leaked
The crowdfunding order details page does not have permission to view. According to the order rules, N user information is displayed.
Http://www.lemall.com/zhongchou/orderdetails.html? Orderid = 201601131046651212
Http://www.lemall.com/zhongchou/orderdetails.html? Orderid = 201601130158377422
Http://www.lemall.com/zhongchou/orderdetails.html? Orderid = 201601130188934808
Http://www.lemall.com/zhongchou/orderdetails.html? Orderid = 201601130279269456
Http://www.lemall.com/zhongchou/orderdetails.html? Orderid = 201601131046651212
Http://www.lemall.com/zhongchou/orderdetails.html? Orderid = 201601130158377422
Http://www.lemall.com/zhongchou/orderdetails.html? Orderid = 201601130188934808
Http://www.lemall.com/zhongchou/orderdetails.html? Orderid = 201601130279269456
Solution:
Add judgment.