nitro Posted August 14, 2007

I'd like to set up some products in my WHMCS that are only available to be added to an order by a site administrator - i.e. they are not just hidden, but also "access denied" if someone tries to get to them with a direct ordering URL, i.e.:

http://mysite.com/whmcs/order.php?step=2&pid=8

I would like to be able to set this product so that it can only be accessed from within the admin system.

What I am trying to achieve here is to create some custom products for my non-standard clients, and ensure that the general public can't step through and check out all my products using URLs such as:

http://mysite.com/whmcs/order.php?step=2&pid=1
http://mysite.com/whmcs/order.php?step=2&pid=2
http://mysite.com/whmcs/order.php?step=2&pid=3
etc...

I guess for now I can block access to these from within my client side templates via smarty restrictions.

brianr Posted August 14, 2007

Actually this issue is really important to me -- and may have a fairly easy fix. Anyone who knows a product pid can get to it and order it, and the pids are sequential (MySQL autonumber IIRC).

One of the things I modded a CMS for a client to do was not reference pages by their ids, but by a hash value. It's brutal on the eyes, but fairly efficient. When I saved each record in the CMS I generated an MD5 hash of the product ID and some fixed text. Then I retrieved the record by that ID in the DB.

Something easy enough can be done here -- in the SQL query instead of "WHERE id = $pid" why not "WHERE MD5(CONCAT(id, 'somestring')) = $spid"? For large product DBs it may be a bit harsh on the DB, but you can also pre-calculate those values and store them.

generic Posted August 14, 2007

Probably be easier to just make a setting (check box) on the product for admin only, that way you can just look for that variable and if it's set, check to see if the person is logged in as an admin, if they're not, don't allow the page. Would be a good feature request.

For a quick fix now, on the server settings tab for the product you want hidden (admin only) why don't you just make sure you have set "Do not automatically setup this account", that way nobody can set it up automatically and you can deny any ones outside your approval.

nitro Posted August 14, 2007 Author

> Probably be easier to just make a setting (check box) on the product for admin only, that way you can just look for that variable and if it's set, check to see if the person is logged in as an admin, if they're not, don't allow the page.

That's pretty much exactly how I'd like to see it working too.

> For a quick fix now, on the server settings tab for the product you want hidden (admin only) why don't you just make sure you have set "Do not automatically setup this account", that way nobody can set it up automatically and you can deny any ones outside your approval.

A good suggestion - however in my setup I have nothing doing automatic setup anyway - my concern is more to stop curious people from browsing through my product range. Then again I guess the visitor would need a little knowledge of WHMCS or have to do a bit of background research before they could start doing a brute force scan of everyone's hidden WHMCS product offerings.

WHMCS CEO Matt Posted August 14, 2007

What about people who have hidden products that they want people to be able to order when given the direct order link? The number of people doing that far outweighs the number who want the product to be totally inaccessible.

Matt

generic Posted August 14, 2007

Hence the checkbox setting in the config idea. Covers everyone. I'll never use it, but it would work for nitro.

nitro Posted August 14, 2007 Author

Definitely, the feature request is for a new option - so we can have hidden allowing direct order link for some products as is currently the case, and other products that can be hidden and completely inaccessible from the front end - only to be used by admin for custom invoicing. At the moment I am having to remove the details from the custom products each time after use.
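
The three product states discussed in this thread (listed, hidden but orderable by direct link, admin only), together with brianr's hashed-identifier idea, as an added PHP example. It is not WHMCS code and not from any poster: the product table, the `visibility` values, `LINK_SECRET`, `productToken()` and `resolveOrder()` are hypothetical, and an HMAC keyed with a server-side secret is used in place of MD5 over the id and fixed text.

```php
<?php
declare(strict_types=1);

// Constructed product table (hypothetical columns; not the WHMCS schema).
// 'public' = listed, 'hidden' = unlisted but orderable by link, 'admin' = admin area only.
const PRODUCTS = [
    1 => ['name' => 'Shared Basic',   'visibility' => 'public'],
    2 => ['name' => 'Reseller Promo', 'visibility' => 'hidden'],
    8 => ['name' => 'Custom Client',  'visibility' => 'admin'],
];

// Assumption: a random server-side secret that never appears in templates.
const LINK_SECRET = 'replace-with-32-random-bytes';

// Keyed token for a direct order link; cannot be recomputed from the sequential id alone.
function productToken(int $pid): string
{
    return hash_hmac('sha256', (string) $pid, LINK_SECRET);
}

// Decide server-side whether this request may order the product.
// Unknown ids, bad tokens and admin-only products all return null,
// so the response does not reveal which pids exist.
function resolveOrder(int $pid, ?string $token, bool $isAdmin): ?array
{
    $product = PRODUCTS[$pid] ?? null;
    if ($product === null) {
        return null;
    }
    switch ($product['visibility']) {
        case 'public':
            return $product;
        case 'hidden':
            // The link must carry the matching token; compare in constant time.
            $ok = $token !== null && hash_equals(productToken($pid), $token);
            return ($ok || $isAdmin) ? $product : null;
        case 'admin':
            return $isAdmin ? $product : null;
    }
    return null;
}

// Stepping through pid=1..8 as an anonymous visitor finds only the public product.
foreach (range(1, 8) as $pid) {
    $row = resolveOrder($pid, null, false);
    printf("pid=%d anonymous: %s\n", $pid, $row['name'] ?? 'not available');
}
printf("pid=2 with token: %s\n", resolveOrder(2, productToken(2), false)['name']);
printf("pid=8 as admin:   %s\n", resolveOrder(8, null, true)['name']);
```

The check runs in the request handler rather than in the template, so a product marked `admin` stays unavailable even when the order URL is typed in directly.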