CiviCRM Community Forums (archive)

We start having the same need for both the profile/donation and event registration at least, looks like something to be put in a common class ?

isn't the common class being: "get the user to create an account" and make these operations a logged in operation? There is always a tradeoff between security and ease of use etc. But in this case when the user is interacting with the system multiple times, an account might be simpler going forward

In the past for various client projects, we've written a "drupal dashboard" module that directs them to various places based on what they have done / need to do.  I think this is quite org specific and generalization is a wee bit harder

lobo

Pete, I asked your question in another thread: http://forum.civicrm.org/index.php/topic,4732.0.html

Now that we can send people to a profile with a checksum to log them in, our next question is how to do the same with contribute pages.

Lobo - want to share more about this Drupal dashboard - does it allow people to move across a series of Profiles without having to reenter their details, or log in?

No. The dashboard was displayed after they logged in and then directed them to various links based on their current status etc

lobo

No. You'll need to write a module to help u do that

lobo

check: http://forum.civicrm.org/index.php/topic,3905.15.html

lobo

... and here's the patch for a clean 2.0.5 installation.

Thanks for the patch Dharmatech, this got us up and running with checksums. Very pleased.

However, with the patch as it applied for us, we had an issue where any checksum would not be evaluated unless URL tracking was enabled.

Depending on URL tracking for checksums meant that an attacker could guess any checksum we mailed by iterating through the URL tracking IDs. This seems to be a security issue, both because contact's private data can be exposed, and because our contact data could be corrupted by a malicious contact.

This was happening because when URL tracking is disabled, the token type for an embedded URL is blank, and the token value is href="blah?blah{contact.checksum}"

I added a final condition to the clause to capture this, and copied code in from CRM_Utils_Token::getContactTokenReplacement() to handle this case. However you might be able to come up with cleaner code than mine.

Here's our copy of CRM/Mailing/BAO/Mailing.php. The additional code starts at line 1054.

@@ -1053,7 +1051,12 @@
           $data = CRM_Utils_Token::getContactTokenReplacement($token, $contact);
         } else if ( $type == 'action' ) {
           $data = CRM_Utils_Token::getActionTokenReplacement($token, $verp, $urls, $html);
-        }
+        } else if ( empty( $type ) ) {
+          $from  = '{contact.checksum}' ;
+          $cs    = CRM_Contact_BAO_Contact::generateChecksum( $contact['contact_id'] );
+          $value = "id={$contact['contact_id']}&cs={$cs}";
+          $data = str_replace( $from, $value, $data ) ;
+        }
         return $data;
     }

Dharmatech, can you please confirm if your 2.0.5 code works as posted without URL tracking enabled? If that's the case, we may have some other code changes interfering with the patch you supplied (and I apologise for raising this issue).

Cheers

the token is: contact.checksum and has a life of 7 days since it was generated

Its not documented very well, and hence u've not heard of it

lobo

Hi,

could you tell me where I could increase the life of contact.checksum (30 days ?).

Best regards

Brigitte