Issue #3408830 by pwolanin: Missing entity query accessCheck() call

src/Controller/RecordPayment.php

@@ -64,8 +64,9 @@ class RecordPayment extends ControllerBase {
     $order_id = $request->get('orderId');
     $order_idv2 = $request->get('orderIdV2');
     $storage = $this->entityTypeManager()->getStorage('ocf_order_confirmation');
-    $existing = $storage->getQuery()->condition('webform', $webform_submission->id())->execute();
     // Don't allow the same webform submission to be used to record multiple,
+    $query = $storage->getQuery()->accessCheck(FALSE);
+    $existing = $query->condition('webform', $webform_submission->id())->execute();
     // and also don't allow attackers to discover which sid values are valid.
     if (!$order_id || !$order_idv2 || $existing) {
       throw new NotFoundHttpException();

tests/src/Kernel/ReceiveTicketWebhookTest.php

@@ -9,6 +9,11 @@ use Drupal\webform\WebformInterface;
 use Drupal\webform\Entity\Webform;
 use Symfony\Component\HttpFoundation\Request;
 
+/**
+ * Test receive ticket webhook.
+ *
+ * @group ocf_integration
+ */
 class ReceiveTicketWebhookTest extends EntityKernelTestBase {
 
   /**