Sub account can modify main account pay methods.

[Chris74]

Using 7.8.3 currently.

I noticed that if you create a sub account - even if it has no privileges it can use the "Payment methods" option and add / remove the main account payment methods.

Can anyone confirm that this is fixed in a later version? I've checked the changelog and I can't find anything.

[brian!]

39 minutes ago, Chris74 said:

Can anyone confirm that this is fixed in a later version? I've checked the changelog and I can't find anything.

testing in v7.10.2, a sub-account can still add/remove payment methods... even ones that they haven't added themselves.

with sub-accounts being removed / replaced n v8, I can't see this issue being fixed - but you could probably fix it with a ClientAreaPaymentMethods hook that checks whether the current user is a sub-account, and if so, redirects them away from the pay methods page.

<?php
 
# Redirect Subaccounts from Pay Methods Page Hook
# Written by brian!

function redirect_paymeethods_hook($vars) {
	
	$contactid = $vars['loggedinuser']['contactid'];
	if ($contactid) {
		header("Location: ../clientarea.php");
	}
}
add_hook('ClientAreaPaymentMethods', 1, 'redirect_paymeethods_hook');

arguably, you could add another hook to remove the link from the Navbar... it just depends how thorough you want to be from sub-accounts being aware of the pay methods page - the above hook should prevent sub-accounts from accessing it, but allow clients to do so.

Edited August 17, 2020 by brian!

[Chris74]

That will do the job perfectly Brian - thanks for that.