From 33844bf77807545d666c049bb9b9ed121c7eaf56 Mon Sep 17 00:00:00 2001
From: Frank Schubert <fronk@fronk.at>
Date: Tue, 13 Dec 2022 20:15:01 +0100
Subject: [PATCH] Addd partner_id check in GET /preorder

---
 application/Api/v1/PreorderApicontroller.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/application/Api/v1/PreorderApicontroller.php b/application/Api/v1/PreorderApicontroller.php
index d0a9b308c..c9f25ce30 100644
--- a/application/Api/v1/PreorderApicontroller.php
+++ b/application/Api/v1/PreorderApicontroller.php
@@ -94,6 +94,10 @@ class PreorderApicontroller extends mfBaseApicontroller {
       }
     }
     
+    if($preorder->partner_id != $this->me->address_id) {
+      return mfResponse::NotFound(["message" => "Preorder not found"]);
+    }
+    
     $return = $preorder->getApiArray();
     if(!$return) {
       return mfResponse::NotFound(["message" => "Preorder not found"]);