furioussnail Posted October 26, 2017 Report Posted October 26, 2017 Hello. If payment forms without login are allowed and the "Credit Card" payment option is enabled the "Copy Contact Information From" may expose user data. I understand the payment link is hard to guess but still... I believe no sensible data should be exposed without a login. Maybe it would be better to remove the "Contact Information" fields on payment forms without login. Thank you.
furioussnail Posted October 26, 2017 Author Report Posted October 26, 2017 By default Blesta sends invoice notifications containing the following message: "Pay Now (No login required)" Thank you.
furioussnail Posted October 27, 2017 Author Report Posted October 27, 2017 It would be nice to retain the possibility for the user to be redirected to the payment form after login. Thank you.
furioussnail Posted October 27, 2017 Author Report Posted October 27, 2017 Also, by deleting the link the form is still generated and exposed to non logged in users. I would like to avoid that. Thank you.
furioussnail Posted October 27, 2017 Author Report Posted October 27, 2017 The thing I need right is to provide a similar link but to request users to login first. Also I prefer no data to be exposed. Even it is on a hard to guess link. Maybe the devs can help with this. Thank you.
Tyson Posted October 27, 2017 Report Posted October 27, 2017 The payment URL link requires a token when you're not logged in, which is encrypted data included in the URL. No one will be able to guess it to try to steal account information from the "Copy Contact Information From" option. It is much more likely that someone could intercept the email and follow the link themselves instead. You can update the Invoice Delivery (Unpaid) email template to remove the link to {invoice.payment_url} and define a link yourself to {client_uri}pay/method/{invoice.id}. The client will be directed to login, after which they will arrive at the Make Payment page to pay for that invoice. Nelsa and activa 1 1
Recommended Posts