CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.




Author Topic: Membership application via contribution: database content changeable by externals  (Read 731 times)

muppel

  • I’m new here
  • *
  • Posts: 22
  • Karma: 0
  • CiviCRM version: CiviCRM 3.4.4
  • CMS version: Drupal 6.22
  • MySQL version: 5.1.56
  • PHP version: 5.3.6
Membership application via contribution: database content changeable by externals
July 27, 2011, 04:02:10 am
Hello,

I am using membership application via contribution and profiles.

Maybe I am completely wrong, but the behaviour seems very strange to me: if somebody enters an e-mail in a membership application which already exists, the data of this already existing dataset is updated with the new data. This means that an external person is able to modify datasets of third persons/organizations.

Is there any way to avoid this - any best practice to handle membership applications without this risk?
Thanks for any advice!

joanne

  • Administrator
  • Ask me questions
  • *****
  • Posts: 852
  • Karma: 83
  • CiviCRM version: 4.4.16
  • CMS version: Drupal 7
Re: Membership application via contribution: database content changeable by externals
July 27, 2011, 06:35:09 am
I am no expert at this, but my suggestion would be:

Require people wanting to become members to create a Drupal account first. You can create a custom profile in CiviCRM to use for this, and under the advanced settings section you can specify what happens if there is a duplicate match (forbid, create duplicate or modify existing).

You will need to decide how much 'matching' is enough to decide you have a duplicate - is it just going to be based on email address or other factors as well? You set those rules in "find and merge duplicates" in the contacts menu. You need to worry about the strict rules in this case.

Once a person has a Drupal account then they can join as a member.

If someone reading this has a better method please let me know, I am planning on using it for my own site.

muppel

Re: Membership application via contribution: database content changeable by externals
July 27, 2011, 07:44:54 am
The page "Profile Settings", section "Advanced Settings", field "What to do upon duplicate match" has a help function, which states:

"This setting is ignored if the profile is embedded in an online contribution, membership signup or event registration form. In this case a contact match always results in the transaction being linked to the matching contact.

NOTE: If there are multiple matching contacts, the first matching record is used."

That means in a membership signup I cannot control the behaviour, when finding a duplicate.

joanne

Re: Membership application via contribution: database content changeable by externals
July 27, 2011, 05:02:19 pm
That is why you get them to create a Drupal account first as I suggested.

It becomes a two-part process for each person.

1. Create a Drupal user account where duplicates can be checked for (and stopped) in the way I described. You can set up the Drupal sign-up (done in Drupal under user management) so that they are automatically signed in to Drupal when they create the account and you can redirect them to the membership page.

2. Sign up for the CiviCRM membership. You make the membership page only visible to those who already have a Drupal account. Each person has a unique Drupal account, each person ends up with their own membership and an external person cannot alter the details of an existing member.


Dave Greenberg

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 5760
  • Karma: 226
    • My CiviCRM Blog
Re: Membership application via contribution: database content changeable by externals
July 28, 2011, 10:13:19 am
Quote from: muppel on July 27, 2011, 07:44:54 am
The page "Profile Settings", section "Advanced Settings", field "What to do upon duplicate match" has a help function, which states:

"This setting is ignored if the profile is embedded in an online contribution, membership signup or event registration form. In this case a contact match always results in the transaction being linked to the matching contact.

NOTE: If there are multiple matching contacts, the first matching record is used."

That means in a membership signup I cannot control the behaviour, when finding a duplicate.

Actually you can still control the behaviour by changing the Individual Strict Duplicate Matching rule so that it is less likely (or even impossible) to have a match. For example, if you NEVER want anonymous input to match (i.e. always create a new contact record) - edit that rule and set the 'weight threshold' higher than 10. You will then need to run Find Duplicates periodically using a different rule, and merge any duplicate records with their associated memberships, contributions, etc.

Alternatively, you can use jchester's suggestion to require user accounts / authentication.
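
Added example, not part of the original thread and not CiviCRM code: a simplified Python model of the weighted matching rule described in the reply above, showing why a threshold of 10 lets an anonymous signup overwrite an existing contact and why a threshold above 10 creates a new contact that a later duplicate review picks up. The function names, rule dictionaries and contact data are constructed for illustration; the email weight of 10 is an assumption taken from the "higher than 10" advice.

```python
# Simplified model of a weighted duplicate-matching rule (constructed example,
# not CiviCRM code). A submission matches an existing contact when the summed
# weights of the equal fields reach the rule's threshold.

def score(rule, a, b):
    """Sum the weights of rule fields that are non-empty in `a` and equal in `b`."""
    return sum(w for f, w in rule["weights"].items()
               if a.get(f) and a[f] == b.get(f))

def find_match(rule, contacts, submitted):
    """Return the first contact whose score reaches the threshold, else None."""
    for c in contacts:
        if score(rule, submitted, c) >= rule["threshold"]:
            return c
    return None

def submit_anonymous(rule, contacts, submitted):
    """Unauthenticated signup: update the matched contact or create a new one."""
    match = find_match(rule, contacts, submitted)
    if match is not None:
        match.update(submitted)  # the existing record is overwritten
        return "updated", match["id"]
    new = dict(submitted, id=max(c["id"] for c in contacts) + 1)
    contacts.append(new)
    return "created", new["id"]

def find_duplicates(rule, contacts):
    """Periodic staff review: id pairs that a separate rule treats as duplicates."""
    return [(a["id"], b["id"]) for i, a in enumerate(contacts)
            for b in contacts[i + 1:] if score(rule, a, b) >= rule["threshold"]]

# Constructed rules; email weight 10 is an assumption (see lead-in).
DEFAULT_STRICT = {"weights": {"email": 10}, "threshold": 10}
NEVER_MATCH = {"weights": {"email": 10}, "threshold": 11}
REVIEW_RULE = {"weights": {"email": 10}, "threshold": 10}

def demo(rule):
    """One anonymous submission that reuses an existing member's email (constructed data)."""
    contacts = [{"id": 1, "email": "member@example.org",
                 "last_name": "Original", "phone": "555-0100"}]
    form = {"email": "member@example.org", "last_name": "Changed", "phone": "555-0199"}
    action, cid = submit_anonymous(rule, contacts, form)
    return action, cid, contacts[0]["last_name"], find_duplicates(REVIEW_RULE, contacts)

if __name__ == "__main__":
    print(demo(DEFAULT_STRICT))  # existing contact overwritten by the anonymous form
    print(demo(NEVER_MATCH))     # existing contact intact; pair left for manual merge
```

With the raised threshold the anonymous form also receives no signal that the email is already registered, since a new contact is always created.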

muppel

Re: Membership application via contribution: database content changeable by externals
July 29, 2011, 02:14:10 am
Thanks Dave, your suggestion works perfectly. Nevertheless, it would be very helpful to mention this in the help text (to avoid such stupid questions)!

For privacy reasons, I would not like to give an anonymous user any feedback about already registered e-mails, names or organizations. Otherwise you could easily check who is already in the database of your organization.

Dave Greenberg

Re: Membership application via contribution: database content changeable by externals
July 29, 2011, 03:56:30 pm
Good suggestion, added a paragraph in the help:

Quote
In all cases, the check for an existing matching contact uses the default "Individual Strict Duplicate Matching Rule" (match on email address). If you are concerned with existing contact data being over-written by anonymous visitors, you can modify this rule to make matches less likely (or even impossible). For example, if you NEVER want anonymous input to match (i.e. always create a new contact record) - edit that rule and set the 'weight threshold' higher than 10. You will then need to run Find Duplicates periodically using a different rule, and merge any duplicate records with their associated memberships, contributions, etc.


This forum was archived on 2017-11-26.