NDC OrderRetrieve service mandatory Surname check
- Sreejith S R (Unlicensed)
- Abdul Rehuman M P (Unlicensed)
Owned by Sreejith S R (Unlicensed)
Initially, we were able to retrieve the Order details using the NDC 17.2 OrderRetrieve service with OrderID alone. This was found as a security flaw since Order modification like cancellation, segment deletion can be done by anyone who can use a random OrderID.
Now as part of security check, we have introduced Surname as a mandatory field for OrderRetrieve along with OderID.
OrderRetrieve Request filter criteria will be as follows,
For a security check enabled channel, if any one tries to retrieve the Order using OrderID alone, we will be give an error message as follows,
This feature will be a access controlled and will be enabling based on the customer requirement.
Â
Release Version : JANUARY21 patch IFLYRESPM-9828
Â