From 128b34e2572768281367efc502d6e90d8de49cb9 Mon Sep 17 00:00:00 2001 From: Niklas Meinzer Date: Sun, 28 Jun 2026 11:33:36 +0200 Subject: [PATCH] Add users can see orders for their accounts --- src/allmende_payment_system/api/shop.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/allmende_payment_system/api/shop.py b/src/allmende_payment_system/api/shop.py index 7c84f41..6b43012 100644 --- a/src/allmende_payment_system/api/shop.py +++ b/src/allmende_payment_system/api/shop.py @@ -139,7 +139,7 @@ async def get_order_details( query = select(Order).where(Order.id == order_id) order = session.scalars(query).one() - if user.id != order.user_id: + if order.transaction.account not in user.accounts: raise HTTPException( status_code=403, detail=f"User not authorized to view this order." )