Participants Database support forum: Private id and security

    Hi

    I’m aware of the overall security issues with this plugin and that it’s possible to edit every record just by using “?pid=[private_id]” at the end of the update page URL.

    But is it in any way possible to tighten the security, so that it is NOT possible to edit a record in this way?

    I want to only let users edit their own data by using the general update page with the [pdb_record] shortcode, where they have to use both email and the private id to get access.

Viewing 5 replies - 1 through 5 (of 5 total)
    Plugin Author xnau webdesign

    (@xnau)

    I have an add-on called Participant Login that provides your users with a “login” type interface to gain access to their record for editing. You can configure it to accept any two fields to identify the user.

    It also has a feature to change the private ID every time it is used for added security.

    It is also possible to change the length of the private ID string if that is something you want to do.

    Hi

    If I use your add-on, is it then possible to disable the direct link to “?pid=[private_id]”?

    /Torben

    Plugin Author xnau webdesign

    (@xnau)

    No, not possible as long as you have your Participant Record Page set up.

    You can change the “pid” part to something that won’t be guessed, also if you use the add-on, users won’t see that URL, so they won’t know how to directly access it.

    That URL is, however, used for password recovery, so it’s not possible to have the frontend record edit set up and disable that URL. Having the PID change every time it is used will practically prevent anyone from guessing that URL.
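As an added illustration (not code from Participants Database or its Participant Login add-on), the hypothetical PHP sketch below shows the “change the private ID every time it is used” idea: a high-entropy ID is compared in constant time and replaced the moment a ?pid= link is redeemed, so a leaked link works at most once. The record store and email addresses are constructed.

```php
<?php
// Added illustration, not Participants Database or Participant Login code.
// Models one-time, unguessable private IDs: each ID is high-entropy, compared
// in constant time, and replaced the moment it is used, so a link that leaks
// (browser history, referrer, forwarded email) cannot be reused.

declare(strict_types=1);

const PID_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Cryptographically random ID; 20 base62 characters is roughly 119 bits of entropy.
function generate_private_id(int $length = 20): string
{
    $id = '';
    $max = strlen(PID_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $id .= PID_ALPHABET[random_int(0, $max)];
    }
    return $id;
}

// Constructed in-memory stand-in for the participants table: record id => row.
$records = [
    101 => ['email' => 'alice@example.org', 'private_id' => generate_private_id()],
    102 => ['email' => 'bob@example.org',   'private_id' => generate_private_id()],
];

// Resolves ?pid=... to a record id. On success the stored ID is rotated and the
// new value returned so it can be delivered to the user out of band (e.g. by email).
function redeem_private_id(array &$records, string $pid): ?array
{
    foreach ($records as $id => $row) {
        if (hash_equals($row['private_id'], $pid)) {   // constant-time comparison
            $records[$id]['private_id'] = generate_private_id();
            return ['record' => $id, 'new_pid' => $records[$id]['private_id']];
        }
    }
    return null;   // unknown or already-used ID: treat like a failed login
}

$link   = $records[101]['private_id'];        // what a "?pid=" link would carry
$first  = redeem_private_id($records, $link); // grants access once
$second = redeem_private_id($records, $link); // same link again: rejected
printf("first use: %s, reuse: %s\n",
    $first ? 'record ' . $first['record'] : 'denied',
    $second === null ? 'denied' : 'allowed');
```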

    Mathieu Sldts

    (@mathieu-slaedts-generis)

    Hello,
    Thank you for this very useful plugin!
    Is it on your to-do list to use another method for the password recovery?

    I was hoping as well to prevent direct access by using the Participant Login add-on. I feel like it is wrong that a URL with direct access to personal information exists, even if it does not seem possible to find or guess it.

    Plugin Author xnau webdesign

    (@xnau)

    Participants Database offers pretty good security, but I specifically state it is not meant for applications requiring high security. I believe the steps I have taken to protect the data are adequate, but if you feel the security is not good enough for what you want to store, you may want to look for another application that is designed for that sort of thing.
