Better store invoice protection
- This topic has 11 replies, 2 voices, and was last updated 5 years, 10 months ago by WCFM Forum.
- March 26, 2019 at 9:01 pm #54685
shitT
Participant
The store invoices are stored on an upload folder, which everyone can access with the appropriate URL. As the URLs of the stores are similar, it is very easy for a store owner to find the URL of the other stores and check into their invoices…
Would it be possible to protect these files better, or generate them every time, like the packing slip or the commission-invoice instead of saving them on disc?
- March 28, 2019 at 11:30 am #54936
WCFM Forum
Member
Hi,
“As the URLs of the stores are similar, it is very easy for a store owner to find the URL of the other stores and check into their invoices…”
– Well, store invoices are generated using the store invoice prefix and number; now it’s difficult to guess.
These URLs are open because the customer has access to them from their emails.
Still, we will look into this!
Thank You
- April 3, 2019 at 11:40 am #56014
shitT
Participant
Hello
Thanks for your answer. I guess you know that security by obscurity is false security. So even if the name is not very easy to guess for an outsider, it can be guessed or found using brute force. And the customer has this information, so he could very easily browse invoices of other customers.
I propose that you handle the store invoice like the packing slip or commission invoice. They are attachments to the mail.
Thank you.
- April 4, 2019 at 3:22 pm #56168
WCFM Forum
Member
Hi,
Well, the Store Invoice is sent to the customer as an Email Attachment. The customer cannot see any “Real URL” there.
Are you getting Store Invoice URL in email?
Thank You
- April 10, 2019 at 7:53 pm #57206
shitT
Participant
Hi
You’re right. The customer gets the invoice as an attachment. But the vendor has the information on the link and could browse invoices of other vendors by deduction.
Thanks for looking into this!
- April 11, 2019 at 5:36 pm #57321
WCFM Forum
Member
Hi,
“But the vendor has the information on the link and could browse invoices of other vendors by deduction.”
– How? Vendors are allowed to define their own invoice numbers, and the invoice is generated using this number. Now, how is a vendor able to guess/assume another vendor’s invoice number?
Thank You
- April 15, 2019 at 8:20 am #57850
shitT
Participant
So you’re telling me the invoice number constitutes a guarantee for confidentiality, right?
PS: Since your last update of WCFM-U, the customer gets the URL link under “My Account”, so your claim from 4th April (“Well, the Store Invoice is sent to the customer as an Email Attachment. The customer cannot see any “Real URL” there.”) is no longer true. Agree?
- April 16, 2019 at 4:34 am #58065
WCFM Forum
Member
Hi,
Yeah right, in the latest update we have added a “Store Invoice” download option under My Account -> Orders.
But we have changed the Store Invoice URL; place a new order and check its Store Invoice URL.
Now, it’s impossible to guess/assume other vendors’ invoice folder.
Thank You
- April 16, 2019 at 9:17 am #58110
shitT
Participant
Try this:
Customer 1 orders from vendor a. His invoice URL is https://<website>/content/uploads/wcfm/vendor_invoice/<vendor_a_code>/2019/04/Invoice-000001.pdf
Customer 2 orders from vendor a. His invoice URL is https://<website>/content/uploads/wcfm/vendor_invoice/<vendor_a_code>/2019/04/Invoice-000002.pdf
-> Customer 2 changes the number of invoice from 2 to 1, and sees invoice of customer 1!
-> Customer 1 changes the number of invoice from 1 to 2, and sees invoice of customer 2!
-> Vendor b orders once from vendor a, and gets the <vendor_code> of vendor a.
I demonstrated that it is very easy to find out other vendors’ invoice folders. Agree?
If you can solve this problem, you’ve got a great plugin. If not, confidentiality is not guaranteed by your plug-in. I believe that, for any responsible marketplace owner, it should be a no-go to go live with your plug-in. I would strongly recommend you to escalate the issue internally.
- April 18, 2019 at 4:46 pm #58455
WCFM Forum
Member
Hi,
Agreed!
We will change this invoice URL like this in the next update – http://localhost/wcfm/wp-content/uploads/wcfm/vendor_invoice/c81e728d9d4c2f636f067f89cc14862c/2019/04/65684369725be7c63a49221213a928e6/invoice-000188.pdf
Thank You
- April 23, 2019 at 8:40 am #59013
shitT
Participant
Hi, thanks a lot for fixing this! The order code looks safe to me :)
- April 24, 2019 at 8:55 am #59131
WCFM Forum
Member
Great .. you are welcome 🙂
- The topic ‘Better store invoice protection’ is closed to new replies.
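An added example, not part of the thread and not WCFM's code: one way to make invoice downloads depend on who is asking rather than on how hard the path is to guess. It assumes invoices are served by a handler instead of straight from the upload folder; the link is signed with a server-side key, expires, and is checked against the logged-in user and the invoice's owner. All names and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret stored outside the web root.
SECRET_KEY = secrets.token_bytes(32)

# Constructed sample records: invoice id -> the only two parties allowed to read it.
INVOICES = {
    "vendor_a/Invoice-000001": {"vendor": "vendor_a", "customer": "customer_1"},
    "vendor_a/Invoice-000002": {"vendor": "vendor_a", "customer": "customer_2"},
}

def sign_link(invoice_id, user_id, expires):
    """HMAC over every field the handler later trusts."""
    msg = f"{invoice_id}|{user_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def make_link(invoice_id, user_id, ttl=900, now=None):
    """Build the download parameters for one user and one invoice."""
    issued = int(time.time() if now is None else now)
    expires = issued + ttl
    return {"invoice": invoice_id, "user": user_id, "expires": expires,
            "sig": sign_link(invoice_id, user_id, expires)}

def may_download(link, session_user, now=None):
    """Return True only if the request should be served."""
    current = int(time.time() if now is None else now)
    record = INVOICES.get(link["invoice"])
    if record is None:
        return False
    expected = sign_link(link["invoice"], link["user"], link["expires"])
    # Constant-time comparison; editing the invoice number breaks the signature.
    if not hmac.compare_digest(expected, str(link["sig"])):
        return False
    # The link must be unexpired and presented by the user it was issued to.
    if current > link["expires"] or link["user"] != session_user:
        return False
    # Ownership check: a validly signed link for a non-owner is still refused.
    return session_user in (record["vendor"], record["customer"])
```

With this check in place, changing `Invoice-000002` to `Invoice-000001` in a link invalidates the signature, and a vendor who learns another vendor's folder name still fails the ownership test.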