'view pdf' url not safe, it can be accessed by non-logged in user!!!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Jake Jackson

    (@blue-liquid-designs)

    11 years, 2 months ago

    Thank you for the feedback. The security issue is something we are aware of and have fixed for the next release, due in the next week.

    If you need to fix the problem urgently you can edit pdf.php. Change line 288 from:

    if(!is_user_logged_in() && !rgempty(‘template’, $_GET) && $form_entries == 0)

    to

    if(!is_user_logged_in())

    Thread Starter OO

    (@sytdeath)

    11 years, 2 months ago

    Thank you for your reply. That is really helpful. Gravity form PDF extended is a really handy plugin. Thumb up!

    Thread Starter OO

    (@sytdeath)

    11 years, 1 month ago

    just updated to 2.1.1 without doing code hacking you suggested above, as according to the new update, this issue is fixed. Unluckily, still the pdf generation url can be accessed by non-logged in user. I simply copied the url link from Chrome where a user has logged in to a IE browser where all history has been cleaned, but the pdf link can still be accessed.

    Cheers!

    Plugin Author Jake Jackson

    (@blue-liquid-designs)

    11 years, 1 month ago

    Hi,

    A user who submits the form and has the same IP address can still access the link at a later date. We’ll be looking at one-time viewing options for front-end users in up coming editions.

    Kind Regards,

    Jake Jackson

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘'view pdf' url not safe, it can be accessed by non-logged in user!!!’ is closed to new replies.