Jump to content

Prevent orders from clients with an unverified e-mail address


Recommended Posts

  • WHMCS Technical Analyst

Introduction

There may be use-cases where a business needs clients to verify their email address prior to permitting them to place orders.

This could be part of meeting Know-Your-Customer regulations, helping combat automated bot orders, spam or fraudulent orders.

By utilising action hooks, we can require that they have verified ownership of their e-mail address prior to being able to place an order.

This measure can form part of your multi-layered approach to combatting the risks of conducting business online.

Enable Email Verification

The first thing that we need to do is enable email verification in WHMCS - without this, adding this hook won't really achieve anything.

To do this, navigate to Configuration > System Settings > General Settings > Security (tab) in the admin area. Then, enable the Email Verification option and click Save Changes.

More information can be found in our documentation here.

Now that we've got email verification enabled, let's proceed to making our hook!

Creating the hook file

Navigate to /includes/hooks  in your WHMCS installation, and create a new file called restrictorders.php  (or something similar).

Open the file, and start by adding the opening <?php  tag, a header comment and the standard if  statement to prevent the file from being accessed directly.

 
<?php
/*
 * Prevent orders from clients with an unverified e-mail
 *
 * @author     WHMCS Josh Q <support@whmcs.com>
 * @copyright  Copyright (c) WHMCS Ltd. All Rights Reserved.
 * @link       https://www.whmcs.com/
 *
 */

if (!defined("WHMCS"))
        die("This file cannot be accessed directly");
 

Next, we'll define a new variable, ALLOW_UNVERIFIED_EMAILS , which allows us to quickly toggle whether we'd like to enable this restriction.

 
# Allow clients with unverified e-mails to place orders?
define("ALLOW_UNVERIFIED_EMAILS", false);
 

Lastly, we'll define the logic for the hook itself.

In this case, we're using the ShoppingCartValidateCheckout hook, which allows us to block orders based on our own defined logic.

We'll first check whether we're allowing accounts with unverified e-mail addresses to create orders. Where we're not (i.e. when the variable has a value of false ), we'll check whether the client a) exists and b) whether they have a verified e-mail.

The only instance in which the order can be placed is where the client exists and has verified their e-mail address.

 
add_hook("ShoppingCartValidateCheckout", 1, function($vars){
        if (ALLOW_UNVERIFIED_EMAILS!==true){
                $client = Menu::context("client");
                # If they are either not a client or they don't have a verified e-mail, prevent checkout
                if (!is_null($client) || $client->email_verified_at!==true){
                        return array("You must have verified your e-mail address to checkout.");
                }
        }
});
 

End Result

If the client has not verified their e-mail address, they'll be presented an error like the one below, and they will not be able to checkout.

image-2024-8-6_16-1-49.png.c63966c4234130ab2c9be32393559149.png

The full hook script is as follows:

 
<?php
/*
 * Prevent orders from clients with an unverified e-mail
 *
 * @author     WHMCS Josh Q <support@whmcs.com>
 * @copyright  Copyright (c) WHMCS Ltd. All Rights Reserved.
 * @link       https://www.whmcs.com/
 *
 */

if (!defined("WHMCS"))
        die("This file cannot be accessed directly");

# Allow clients with unverified e-mails to place orders?
define("ALLOW_UNVERIFIED_EMAILS", false);

add_hook("ShoppingCartValidateCheckout", 1, function($vars){
        if (ALLOW_UNVERIFIED_EMAILS!==true){
                $client = Menu::context("client");
                # If they are either not a client or they don't have a verified e-mail, prevent checkout
                if (!is_null($client) || $client->email_verified_at!==true){
                        return array("You must have verified your e-mail address to checkout.");
                }
        }
});
 

Disclaimer

Please note that this hook has not been extensively tested and is provided as-is without any obligation for support/further troubleshooting.

Use this at your discretion.

Link to comment
Share on other sites

  • WHMCS Technical Analyst
1 hour ago, bnb said:

This looks like what we need to stop spamming orders.

Is there a plan to include this in WHMCS itself witho it being just a hook?

thank you

I'm pleased that you've found this hook helpful!

There are no plans to include this in WHMCS natively at this time.

Our hook system exists to enable you to add features like this easily, and keeping this as a hook means that you are able to customise the logic behind it.

Link to comment
Share on other sites

Hi Josh,

 

f you're considering adding a similar feature for tickets, you could add a few lines where tickets can only be opened from unknown email addresses if they verify their email.

 

After a client creates a ticket, a verification email would be sent to their email address. Once they click on the verification link, the ticket would open. If not verified, the ticket would not open.

 

This would significantly reduce spam tickets and prevent email loops.

 

Josh! Josh! 🤗

 

Thanks.

 

Link to comment
Share on other sites

  • 2 weeks later...

Hello,

This does not work if this option is not selected : "Check to allow registration without ordering any products/services",  we have implemented the hook and still client can place an order and open an account.

we have dealing with bots for the last months and its driving us nuts, we have 30-50 fake accounts/orders per day.

Link to comment
Share on other sites

  • WHMCS Technical Analyst
On 03/09/2024 at 20:23, Tremfer said:

Hello,

This does not work if this option is not selected : "Check to allow registration without ordering any products/services",  we have implemented the hook and still client can place an order and open an account.

we have dealing with bots for the last months and its driving us nuts, we have 30-50 fake accounts/orders per day.

Try now. I've updated the logic used by the hook very slightly.

Link to comment
Share on other sites

On 9/9/2024 at 3:29 PM, WHMCS JoshQ said:

Try now. I've updated the logic used by the hook very slightly.

Thank you we have tested and there is an issue, client cannot register now since on the registration page its displaying message you need to have verified email to place an order and cannot continue.

So if the client tries to submit an order cannot pass the registration page.

 

Link to comment
Share on other sites

  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated