John

Moderators
  • Posts: 217
  • Days Won: 1

Everything posted by John

  1. Hi Cody, Is there any chance this plugin can be expanded to authenticate staff users as well?
  2. It appears that you can still go to ~/admin/upgrade after upgrading to the latest version, and this page is not disabled after running the upgrader. This could be a security issue as it shows the full path to the Blesta installation, and someone could run the upgrade again, using up database resources.
  3. Hello, I'm trying to get the admin login page to check the 'Remember me on this computer.' option by default, but I don't see the 'input type="checkbox"' in /app/views/default/admin_login.pdt anywhere, so I'm unable to set it to checked by default. Does anyone know the proper way to do this? Thanks.
  4. I'm looking to modify where the 'Home' navigation item links to. Would anyone be willing to share a good way of doing this? Thank you.
  5. Yes. You can not set it from there. It is hard coded into CSS (/app/views/client/bootstrap/css/styles.css). #my-info .panel-blesta > .panel-heading { background:#f1f1f1; color:#656565; }
  6. Specifically, we are concerned about the location in the image that I have attached below. The color that is hard-coded into the template clashes with our theme. We have modified the CSS manually for now, but it would be nice to have an option to set this color.
  7. IMHO, I believe that tickets fall under a different category than invoices or transactions, which cannot be deleted. We have multiple departments set up that anyone can email in to, and many of them are spammed constantly. Generally we just close the ticket, but an option to purge the ticket would be nice. We have no plans on deleting client or prospective client tickets, but if we want to review our support tickets, we have to sort through the spam to see tickets that really mean something. As a temporary workaround, we could create a 'Trash' department that no one is assigned to, and transfer all the junk tickets there, but an actual delete option would be really nice.
  8. Payment Gateways should have two names. One is client facing, and one is admin facing. When our clients get email confirmations, it says "We have received your PayPal Payments Standard payment". Same thing could be said for bitpay. Most people know it by the Bitcoin name, not bitpay.
  9. Just out of curiosity, why is this of the utmost importance?
  10. Hello All, I'm pretty new to this development stuff, so bear with me here. I'm trying to get a list of all packages, not just the active ones. The code I am currently using is below, and I have not found a way to list all (active, restricted, inactive) packages. I'm guessing I need to change the bolded part above to something else, but I have not found what that is yet. Thank you! John
  11. Wow I'm an idiot. Obviously my searching skills are not up to par tonight. Thanks Mike.
  12. There are no page titles in the support manager in the client area. Did not check the beta, but this is the case for 3.6.2.
  13. Hey Naja, I'm in the process of submitting pull requests to fix some issues with grammar in the language files. I hope to contribute to this plugin more as we test it and roll it out. John
  14. A good workaround. Yes, even a label would be nice.
  15. I'm trying to change our fraud screen settings so that every order (not just the first one made by a client) gets run through the fraud screening system. We have had a rash of fraudsters that order twice, and their second order automatically gets approved even though the first is marked as fraud. I swear there was a way to do this, and I must just be going crazy. Could anyone point me in the right direction? Thanks.
  16. Probably a very good point. I will have to check that out. Thank you.
  17. Paul, would you consider changing the login page to include email as well? Example: https://secure.inertianetworks.com/client/login Especially if you are going to allow forcing the email to be the username, this would prevent confusion.
  18. If we went the confirmation link route, it would only get sent out for tickets that were opened by email, and it could be a per-department setting if it was turned on or not. The ticket could just have a red "Untrusted" button both in the list, and in the ticket details when you open the ticket. Kind of like client labels when you list all clients. If the client replies to the ticket via email, this should clear the red or 'unsecure' flag, as they need the ticket number and hash code in order to successfully reply. If you do it this way, you could forget the confirmation link entirely, as if it was a sensitive ticket, you could just make a predefined response saying "Please reply to this ticket for us to be able to proceed."
  19. Ah, that might be the case then. We rarely create clients via the admin interface, and when we do, we know that the person has never had an account with us before. This is probably an oversight on Blesta's part then.
  20. Yeah, or maybe the reply is red and says "unsecure" until they click the link. That way not every reply needs to be marked secure, but only the unsecure replies are marked as such.
  21. I'm not sure if that is possible, as you can log in either with the email on file OR the username you chose. You choose this at sign up, and it cannot be changed without administrator intervention. It will not allow duplicate usernames or email addresses (if you chose that as your username).
  22. With Blesta (and most other ticket systems), you can create a ticket by sending an email to the email address associated with the account. While this is a very nice convenience for clients, it also poses a security risk. Say I am trying to attack David Smith (david@smith.com), and I know he hosts with 'XHost'. All I need to do is find the support email for 'XHost' and spoof an email coming from david@smith.com saying something like this: Now, I just have to keep trying the password I asked for, and soon it will be changed. The best way to prevent this is to have an indication on each reply to say if it came in via email or the client area. That way the host could take extra precautions, like asking for a reply via the client area before sensitive actions are taken. Another thought would be to have a "BoxTrapper" type system, where if you open a ticket via email, the system sends you a link to click on, and it would then mark the ticket safe.
  23. I would really like this as well. Clients sign up, set their username as their email, and then when they come back to log in, they see a "Username" field so they try their most common usernames. They never even think to try their email address. We had to modify our login page to say "Email/Username". If we could just force everyone to use their email addresses, then this would not be an issue. If someone needs to open two different accounts, then it's not that hard to use an alias in gmail or cPanel email (such as user+alias@domain.com) for multiple accounts.