Fix multi-tenancy security vulnerability in OrdersController#show

The show action was not verifying that the order belongs to the
current store, allowing users to view orders from other stores if
they knew the order UUID.

The fix ensures that:
- Orders with a store_id must belong to the current_store_id
- Orders without a store_id (unassigned drafts) are accessible
- Orders from other stores return 404 Not Found

Added integration test to prevent regression.

Author: andrzejkrzywda

apps/rails_application/app/controllers/orders_controller.rb

@@ -4,10 +4,12 @@ def index
   end
 
   def show
-    @order_header = OrderHeader.find_by_uid(params[:id])
     @order = Orders.find_order(params[:id])
 
-    return not_found unless @order_header && @order
+    return not_found unless @order
+    return not_found if @order.store_id && @order.store_id != current_store_id
+
+    @order_header = OrderHeader.find_by_uid(params[:id])
   end
 
   def new

apps/rails_application/test/integration/orders_test.rb

@@ -335,6 +335,24 @@ def test_cannot_edit_order_from_different_store
     assert_response(:not_found)
   end
 
+  def test_cannot_show_order_from_different_store
+    store_id_a = SecureRandom.uuid
+    store_id_b = SecureRandom.uuid
+
+    post "/admin/stores", params: { store_id: store_id_a, name: "Store A" }
+    post "/admin/stores", params: { store_id: store_id_b, name: "Store B" }
+
+    post "/switch_store", params: { store_id: store_id_b }
+    get "/orders/new"
+    follow_redirect!
+    order_id_in_store_b = retrieve_order_id_from_url
+
+    post "/switch_store", params: { store_id: store_id_a }
+    get "/orders/#{order_id_in_store_b}"
+
+    assert_response(:not_found)
+  end
+
   private
 
   def retrieve_order_id_from_url