WCFM Marketplace Forums: Issues on vendor profile setup page
- This topic has 7 replies, 4 voices, and was last updated 5 years, 3 months ago by nict.
- April 26, 2019 at 4:53 pm #59577 me Participant
Hi,
I have two things to report on the dashboard/profile page where vendors can set their name, email, password, etc.
1. Huge security issue – Changing the password for vendors is implemented in a very sloppy and dangerous way: It doesn’t ask for old password, and it doesn’t ask for repeating the new password either. All you have to do is enter something once and boom – that’s your new password. At the very least it should be implemented like on the woocommerce /my-account/edit-account page, with three separate fields: 1.current password, 2.new password, 3.confirm new password. But ideally password change should also be a completely separate tab inside profile settings.
2. The email verification field and “get code” button is always visible, even if I disable email verification in the admin settings.
I would actually prefer to use email verification, but the way it is implemented is too unconventional and disrupts the registration process too much. I can’t expect people to keep staring at the reg form, waiting for an email with a code. I’d rather deal with spam accounts than lost customers, so I had to turn it off. But then the field should also disappear from profile settings. Also, do you have any plans to implement a regular old click-the-link-in-the-email method verification? It would be so much better.
Thanks a lot!
- April 27, 2019 at 10:14 am #59651 WCFM Forum Member
Hi,
Huge security issue – Changing the password for vendors is implemented in a very sloppy and dangerous way: It doesn’t ask for old password, and it doesn’t ask for repeating the new password either. All you have to do is enter something once and boom – that’s your new password. At the very least it should be implemented like on the woocommerce /my-account/edit-account page, with three separate fields: 1.current password, 2.new password, 3.confirm new password. But ideally password change should also be a completely separate tab inside profile settings.
– Well, you may restrict password change from WCFM profile and only allow from WC MY Account.
WCFM Dashboard is restricted only for logged in users, then why should we ask again old password here?
Hope you have already changed password from wp-admin -> Users -> do you have ever have to insert re-password?
Thank You
- April 27, 2019 at 10:45 am #59655 me Participant
Look, I’m super grateful for these plugins and I understand you are very busy with all the other tasks.
But I don’t understand why you are pushing back on such obvious issues. I’m trying to help you improve your product.
“why should we ask again old password here?”
This is industry standard design, I didn’t just invent it from thin air. Are you asking why is it the standard?
Well, for example because otherwise anyone could change other people’s passwords on unattended laptops any time.
But I repeat, this is a well established industry standard, people expect it, there is no reason to debate standards.
“from wp-admin -> Users -> do you have ever have to insert re-password?”
That is a back-end page, operated by the admin.
I’m talking about the vendor settings page, operated by the users.
I don’t even understand that comparison, it’s apples to oranges at best.
Also, clicking a link in an email for verification is also an industry standard, that’s why I asked the other question about that.
I think you should notify someone about these who understands the problem in a more holistic way.
This is not for me, I could solve this on my end faster than typing this.
I’ve already hidden a lot of broken features with gettext translation filters, css, and javascript.
But I thought it’s in your best interest to fix these for all your other customers as well. So I took the time to report it.
If you are not interested, that’s fine for me as well. Although a bit surprising.
- April 27, 2019 at 4:38 pm #59695 WCFM Forum Member
Hi,
You may add this to child theme’s functions.php to disable password update option from WCFM Profile –
add_filter( 'wcfm_is_allow_update_password', '__return_false' );
Thank You
- May 3, 2019 at 8:24 pm #60545 marcy Participant
I am having the same problem – I can NOT get email verification turned off. It’s off in modules, but still shows for my vendors….
- May 3, 2019 at 8:30 pm #60546
- May 5, 2019 at 3:30 pm #60706 WCFM Forum Member
Hi,
Well, account email address is not allowed to change.
“Email Verification” setting is only for Vendor Registration form.
By default it’s always enabled for vendor’s profile.
If you really want to disable this then add this line to your child theme’s functions.php –
add_filter( 'wcfm_is_allow_email_verification', '__return_false' );
Thank You
- The topic ‘Issues on vendor profile setup page’ is closed to new replies.
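The three-field password change requested in the first post, combined with the `wcfm_is_allow_update_password` filter given in the replies, could look like the following. This is an added example, not code from the thread or from WCFM; the action name, nonce field and form field names are hypothetical, while the WordPress functions are core APIs.

```php
<?php
// Added example, not WCFM code; intended for a child theme's functions.php.
// Hypothetical names: the 'vendor_change_password' action, the 'vendor_pw_nonce'
// field, and the three form fields posted to wp-admin/admin-post.php.

// Filter quoted in the thread: turn off WCFM's single-field password update.
add_filter( 'wcfm_is_allow_update_password', '__return_false' );

// admin_post_{action} only fires for logged-in users.
add_action( 'admin_post_vendor_change_password', 'example_vendor_change_password' );

function example_post_string( $key ) {
	// Raw $_POST value, as core's login handler uses, so the same string is hashed and checked.
	return ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ) ? $_POST[ $key ] : '';
}

function example_vendor_change_password() {
	// Reject forged cross-site submissions; dies if the nonce is missing or invalid.
	check_admin_referer( 'vendor_change_password', 'vendor_pw_nonce' );

	$user  = wp_get_current_user();
	$new   = example_post_string( 'new_password' );
	$error = example_validate_password_change(
		$user,
		example_post_string( 'current_password' ),
		$new,
		example_post_string( 'confirm_password' )
	);
	if ( '' === $error ) {
		// wp_update_user() hashes the password and refreshes this user's auth cookie.
		$result = wp_update_user( array( 'ID' => $user->ID, 'user_pass' => $new ) );
		$error  = is_wp_error( $result ) ? 'update_failed' : '';
	}
	$back = wp_get_referer() ? wp_get_referer() : home_url();
	wp_safe_redirect( add_query_arg( 'pw_change', '' === $error ? 'ok' : $error, $back ) );
	exit;
}

function example_validate_password_change( $user, $current, $new, $confirm ) {
	// 1. A live session is not enough: the current password must match the stored hash.
	if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
		return 'wrong_current';
	}
	// 2. The new password must be non-empty and typed identically twice.
	if ( '' === $new || ! hash_equals( $new, $confirm ) ) {
		return 'mismatch';
	}
	return '';
}
```

The matching form posts to `admin-post.php` with a hidden `action` field set to `vendor_change_password` and a nonce printed by `wp_nonce_field( 'vendor_change_password', 'vendor_pw_nonce' )`.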