ithaki Posted December 12, 2017

Support

Can you please help us on the following:

1. When an invoice reminder is received, the {$invoice_link} from the reminder email template is converted to the following: https://www.sadomain.co.za/viewinvoice.php?id=78611
2. When you click on this link, the relevant invoice will open up.
3. If you change the id=78611 to any other number like id=78626, then you can view the next client's details.
4. Link https://www.sadomain.co.za/viewinvoice.php?id=78611 and change the end to https://www.sadomain.co.za/viewinvoice.php?id=78626
5. So if you want to see anyone else's invoices, all you have to do is change the invoice ID till you find someone's details that you can copy. This poses a security risk.
6. Is there a workaround for this to secure the invoice ID so that no one else can see it?

brian! Posted December 12, 2017

56 minutes ago, ithaki said:
> Is there a workaround for this to secure the invoice ID so that no one else can see it?

This will almost certainly be occurring because you are following the links while still logged in as an admin. Completely log out of the admin area, log in as a client, view one of their invoices... and then try to view an invoice of another client by changing the id value in the URL... you shouldn't be able to do that.
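
The behaviour brian! describes, as a small model added here for illustration (it is not code from the thread or from the billing software): an admin session can open any invoice by id, while a client session passes an ownership check first. `Session`, `view_invoice`, `readable_ids` and the client ids are hypothetical; the invoice ids are the two from the thread's URLs.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample data: invoice id -> owning client id (client ids are made up).
INVOICES = {78611: 1001, 78626: 1002}


@dataclass
class Session:
    admin_id: Optional[int] = None   # set while logged in to the admin area
    client_id: Optional[int] = None  # set while logged in to the client area


def view_invoice(session: Session, invoice_id: int) -> int:
    """Return the HTTP status a viewinvoice-style handler should answer with."""
    if session.admin_id is None and session.client_id is None:
        return 302  # not logged in: redirect to the login page, reveal nothing
    owner = INVOICES.get(invoice_id)
    if session.admin_id is not None:
        # Staff may open any existing invoice, which is why changing ?id=
        # "works" while an admin session is still active in the browser.
        return 200 if owner is not None else 404
    # Client session: the id in the URL is only a lookup key. Access is decided
    # by comparing the invoice's owner with the logged-in client. Missing and
    # foreign invoices get the same answer so valid ids cannot be enumerated.
    if owner is None or owner != session.client_id:
        return 403
    return 200


def readable_ids(session: Session, candidate_ids: Iterable[int]) -> List[int]:
    """The check from the reply: which of these ids does this session open?"""
    return [i for i in candidate_ids if view_invoice(session, i) == 200]


if __name__ == "__main__":
    ids = [78611, 78626, 99999]
    print("admin    :", readable_ids(Session(admin_id=1), ids))
    print("client   :", readable_ids(Session(client_id=1001), ids))
    print("anonymous:", readable_ids(Session(), ids))
```

If the client-session run ever returns an id that belongs to another client, the ownership comparison is missing and the report is a real access-control defect rather than an effect of the admin login.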