CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Topic: Should recurring contribution pages be public?

ken

    • City Bible Forum
  • CiviCRM version: 4.6.3
  • CMS version: Drupal 7.36
  • MySQL version: 5.5.41
  • PHP version: 5.3.10
Should recurring contribution pages be public?
March 11, 2014, 03:47:04 pm
Hi,

The pages for cancelling and updating recurring contributions are not defined as "is_public" in CRM/Contribute/xml/Menu/Contribute.xml.

I'm just wondering whether they should be.
  • An anonymous user can't use them unless a checksum is provided
  • Anonymous users can't use them unless they are permissioned to "make online contributions"

Here's a patch for handling the cases of an anonymous user cancelling and updating recurring contributions. Note that I've also set 'is_ssl' as the information is sensitive ...

--- CRM/Contribute/xml/Menu/Contribute.xml 2014-03-06 09:40:21.317635045 +1100
+++ ../cbf/php/CRM/Contribute/xml/Menu/Contribute.xml 2014-03-12 08:32:58.497775123 +1100
@@ -219,6 +219,8 @@
     <title>Cancel Subscription</title>
     <page_callback>CRM_Contribute_Form_CancelSubscription</page_callback>
     <access_arguments>make online contributions</access_arguments>
+    <is_ssl>true</is_ssl>
+    <is_public>true</is_public>
   </item>
   <item>
     <path>civicrm/contribute/onbehalf</path>
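Review bot: the added `<is_public>true</is_public>` on the Cancel Subscription item leaves `<access_arguments>make online contributions</access_arguments>` as the only access control visible in this hunk, and the checksum requirement for anonymous users is not part of the diff. Since the change depends on CRM_Contribute_Form_CancelSubscription rejecting an anonymous request that carries no valid checksum, please state that dependency in the patch description and add a test that requests this path anonymously without a checksum and expects a refusal.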
@@ -236,6 +238,8 @@
     <title>Update Subscription</title>
     <page_callback>CRM_Contribute_Form_UpdateSubscription</page_callback>
     <access_arguments>make online contributions</access_arguments>
+    <is_ssl>true</is_ssl>
+    <is_public>true</is_public>
   </item>
   <item>
     <path>civicrm/contribute/subscriptionstatus</path>
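Review bot: on the Update Subscription item, `<is_ssl>true</is_ssl>` and `<is_public>true</is_public>` are two independent decisions bundled into one change, and the patch does not document what happens to this page on a site that has no HTTPS configured. Consider splitting them so the SSL requirement can be reviewed and merged on its own, and note the expected behaviour for non-SSL sites alongside the `is_ssl` line.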

adixon

    • Blackfly Solutions
Re: Should recurring contribution pages be public?
October 14, 2014, 05:46:38 am
Wouldn't this be a bad idea, security-wise? Seems to me that you don't want anonymous access to these pages except via a checksum, otherwise you could have some badly behaving robots changing everyone's recurring contribution amounts ...

The SSL sounds like a good idea, but not helpful in a case for example where you've got a site using PayPal that doesn't implement SSL.

ken

    • City Bible Forum
  • CiviCRM version: 4.6.3
  • CMS version: Drupal 7.36
  • MySQL version: 5.5.41
  • PHP version: 5.3.10
Re: Should recurring contribution pages be public?
October 14, 2014, 04:07:23 pm
@adixon,

The current access controls on these pages *assume* the pages are public. Anonymous users must provide a checksum, and logged-in users have their access rights assessed.

PayPal is not an issue, as the page being protected is a CiviCRM page.

Thanks,

Ken


This forum was archived on 2017-11-26.