Random user can check another user's order with the correct channelId and accountId - Headless API

•  User can consume the API without applying any sort of content restriction or authorization

/o/headless-commerce-delivery-order/v1.0/channels/${channelId}/accounts/${accountNumber}/placed-orders

• E.g.: If the user passes accountID = 1 as a parameter while they authenticated using accountID = 2, the API call will accept the request and the user can see the details and response for accountID 1

• Commerce 4.0 - DXP 7.4

• When a user is assigned View Open Orders, View Orders through an Account Role, i.e. Buyer, the user is only able to view placed orders specific to the account they have the buyer role assigned to when consuming: v1.0/channels/${channelId}/accounts/${accountNumber}/placed-orders

• When a user is assigned View Open Orders, View Orders through a Regular Role, the user is able to view all placed orders when consuming: v1.0/channels/${channelId}/accounts/${accountNumber}/placed-orders