• How can I add a link to the PDF invoice, if it exists, to the payment page?

    I use WooCommerce for invoicing quite often because it's great for sending the customer their order email; they can view it and pay it right on the website without ever needing to log in. But I want to either embed the PDF invoice for them to see or give them a link on the payment page, so that if I don't send out the notification emails they can still download the invoice without needing to create an account and log in.

    https://wordpress.org/plugins/woocommerce-pdf-invoices-packing-slips/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor Ewout

    (@pomegranate)

    Hi! Unfortunately this is not possible for security reasons: to be able to access an invoice the user needs to be logged in. There is a way to show the invoice on the thank you page, but again – only for logged in users. See the FAQ (‘How can I add a download link to the invoice on the Thank you page?’).

    Hope that helps!
    Ewout

    Thread Starter buckneri

    (@buckneri)

    I'm not sure I understand what security reasons allow you to pay a bill without logging in, but you can't see the invoice you are paying? Also, in order to see the payment page to begin with you need the generated link to it, so you would need to know that link to even get to the correct invoice.

    Thread Starter buckneri

    (@buckneri)

    ?pay_for_order=true&key=order_57860739317fe

    is an example of the generated link… so it's completely possible to only display the invoice link if pay_for_order = true

    I just don't know where the code for the link that downloads the generated invoice is in your plugin, to add it to my template.

    Thread Starter buckneri

    (@buckneri)

    Also, the order number is not even in that key, so if you have someone that can get the correct generated key for that just by poking around my site, then let them have my customer's email address lol

    Plugin Contributor Ewout

    (@pomegranate)

    Hi! I’ll try to explain a bit more about how the invoices are requested and how this affects security:

    Basically, you get a PDF by calling the PDF invoice plugin url and adding the order number. Without any other security checks, anyone could enter any order number and get the invoice for that order (or worse, create the invoice if it wasn’t created yet, messing up the invoice numbers). To prevent this, I have added checks that the user must either be the owner of the order (logged in with the same account) or have shop manager rights.
    So it's not so much a matter of not being allowed to view the invoice of the bill you are paying, but of viewing any invoice – simply put, the system needs some sort of reference to verify that you're actually allowed to view that invoice.
    It’s certainly possible to add the order key parameter to the URL and let the user pass all security checks if that key and the order number match, but I haven’t built that in yet. If you know some coding you could use the wpo_wcpdf_check_privs filter to perform such a check. Here’s an example usage of that filter: https://gist.github.com/Spreeuw/2e4c5dfa97abfca6f6cc#file-dokan-invoice-filters-php-L56-L85

    Hope that helps!

    Ewout
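    The check Ewout describes (grant access when the order key in the URL resolves to the order being requested), written out as an added example; this is not code from the thread or from the plugin. It assumes the filter is called as `apply_filters( 'wpo_wcpdf_check_privs', $allowed, $order_ids )`, as the linked gist uses it, that the plugin's download URL carries `template_type` and `order_ids`, that the payment page's `key` parameter is forwarded to that URL, and that WooCommerce's `wc_get_order_id_by_order_key()` is available.

```php
<?php
/**
 * Added example, not part of the thread or of the plugin.
 * Grants PDF invoice access when the request carries the same order key
 * WooCommerce already uses on the order-pay page (?pay_for_order=true&key=order_xxx).
 * Assumed hook signature: ( $allowed, $order_ids ), as in the linked gist.
 * Put this in a site-specific plugin or functions.php so plugin updates keep it.
 */
add_filter( 'wpo_wcpdf_check_privs', 'example_allow_invoice_with_order_key', 10, 2 );

function example_allow_invoice_with_order_key( $allowed, $order_ids ) {
    // Never revoke access the plugin already granted (order owner / shop manager).
    if ( $allowed ) {
        return true;
    }

    // Only widen access for the invoice document, not packing slips or other templates.
    $template = isset( $_GET['template_type'] ) ? sanitize_key( wp_unslash( $_GET['template_type'] ) ) : '';
    if ( 'invoice' !== $template ) {
        return false;
    }

    // One key identifies one order: refuse bulk requests and requests without a key.
    $order_ids = (array) $order_ids;
    if ( 1 !== count( $order_ids ) || empty( $_GET['key'] ) ) {
        return false;
    }

    $requested_id = (int) reset( $order_ids );
    $key          = sanitize_text_field( wp_unslash( $_GET['key'] ) );

    // Resolve the key server-side instead of trusting the id in the URL;
    // an unknown key yields 0, so it can never match a real order.
    $order_id_for_key = (int) wc_get_order_id_by_order_key( $key );
    if ( 0 === $order_id_for_key ) {
        return false;
    }

    // Access is granted only when the key belongs to exactly the requested order.
    return $order_id_for_key === $requested_id;
}
```

    The filter only decides authorization; the download link itself still has to be rendered on the order-pay template with the order's `key` appended so the check has something to verify.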

    Thread Starter buckneri

    (@buckneri)

    What I am saying is that the page they pay their invoice on, which is the one I am trying to add the download link to, already has the URL structure I pasted above. It already uses a key variable in order to not display the invoice number/order number, and actually fails because the URL contains the order number lol.

    So I think the wpo_wcpdf_check_privs filter is what I am looking for, but my concern is that if your plugin will not allow access to the PDF unless it passes checks, and the default system allows payment of invoices and orders without logging in… anything I change will be wiped clean in your next update.

    Also, as much as I appreciate security… your plugin is protecting a PDF file… the actual order and payment page with a populated order is not protected by login… so really I applaud that your PDF file is more secure than the actual order system built into WooCommerce… but I'm pretty sure the PDF file is far less dangerous to have… since there is no security stopping someone from viewing the order in the first place…

    As a matter of fact, as a logged-in admin I cannot view:

    https://bitserved.com/checkout/order-pay/2824?pay_for_order=true&key=order_57860739317fe

    but if I log out, since it is an order created for a guest (no account), I can.

    So doesn't your fear of creation already exist, since a “guest” would be an approved user for that order, and therefore people can add any order number and get a guest's invoice?

    Basically the system isn't secure to begin with in regards to viewing and paying an order; all I want to do is add access to the already created PDF file (unless it is ALWAYS created dynamically, and then I'll have to sort out that filter I guess).

    I mean, at this point if the PDF file exists on the server I will just add a URL to the page… but I am under the impression it gets created on the fly?

    Plugin Contributor Ewout

    (@pomegranate)

    I'm sorry if I didn't explain it properly. I have no fear of a lack of security for this use case and don't want to offer more security than the checkout page at all! It's just that it requires an additional check (whether or not the order id matches the key) that I haven't built in yet. The wpo_wcpdf_check_privs filter is a WordPress filter, so it doesn't require you to modify any core files.

    Yes, the PDF is created on the fly.

    Hope that clarifies it a bit!

    Ewout

  • The topic ‘Invoice Download Link on Payment Page’ is closed to new replies.