March 5, 2020 at 10:37 pm #24425
tourist
Participant
Hi guys,
just been playing around a bit and was looking to provide a direct HTML link to the customer booking detail in the booking email and realised I could use the link http://www.website.com/account/?detail_id={booking_id}#bookings.
I then realised that when the customer is logged in they could manually type a different {booking_id} into the address bar and potentially look at other customers’ booking information, which is less than ideal! Have I got something set up wrong or is this expected behaviour? How can we prevent customers from being able to access other customers’ booking info? Or rather just restrict them to looking at bookings that are relevant to them?
I tested this using a user with “WP Travel Customer” role as I’d expect the administrator to be able to view all the bookings.
Thanks,
March 6, 2020 at 7:31 am #24433
wensolutions
Keymaster
Hello,
Actually, the issue you have reported regarding typing a {booking_id} into the address bar is unlikely to occur, as a customer who is logged in on the user dashboard page cannot view the booking details made by another customer. A logged-in customer can only view the booking details related to trips that they have booked themselves.
Also, please provide us with a screen recording of the issue you are facing so that we can inspect it further.
Regards.
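Added example, not part of either post and not WP Travel's code: the server-side ownership check that a detail view addressed by `detail_id` depends on, with a two-account test table of the kind the thread asks about. The booking data, function name and user ids are constructed and hypothetical; in WordPress the user id and admin flag would come from `get_current_user_id()` and `current_user_can()`.

```php
<?php
// Hypothetical names and constructed data; not WP Travel's code.
// Constructed sample: booking id => record with the owning customer's user id.
const BOOKINGS = [
    101 => ['customer_id' => 7, 'trip' => 'Sample trip A'],
    102 => ['customer_id' => 9, 'trip' => 'Sample trip B'],
];

/**
 * Return the booking if $userId may see it, or null when access is refused.
 * $rawId is the untrusted detail_id query value; $userId and $isAdmin must
 * come from the authenticated session, never from the request.
 */
function booking_for_viewer($rawId, int $userId, bool $isAdmin): ?array
{
    // Accept only a plain non-negative integer string ("101abc", "-1", arrays fail).
    if (!is_string($rawId) || !ctype_digit($rawId)) {
        return null;
    }
    $id = (int) $rawId;
    if ($userId <= 0 || !array_key_exists($id, BOOKINGS)) {
        return null; // not logged in, or unknown booking
    }
    $booking = BOOKINGS[$id];
    // The id in the URL is only a lookup key; ownership is what authorizes.
    if (!$isAdmin && $booking['customer_id'] !== $userId) {
        return null; // same answer as "not found", so ids cannot be probed
    }
    return $booking;
}

// Two-account check: customer 7 owns 101, customer 9 owns 102.
$cases = [
    ['101', 7, false, true],  // owner sees own booking
    ['102', 7, false, false], // another customer's booking is refused
    ['102', 9, false, true],  // its real owner sees it
    ['101', 1, true,  true],  // administrator may view all bookings
    ['999', 7, false, false], // unknown id
    ['101', 0, false, false], // not logged in
];
foreach ($cases as [$id, $uid, $admin, $expect]) {
    $got = booking_for_viewer($id, $uid, $admin) !== null;
    printf("detail_id=%s user=%d admin=%d -> %s%s\n", $id, $uid, (int) $admin,
        $got ? 'shown' : 'refused', $got === $expect ? '' : '  UNEXPECTED');
}
```

The same table, run against a real site with two customer accounts, is a quick way to produce the evidence the reply asks for.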
- The forum ‘WP Travel’ is closed to new topics and replies.