Hi guys,
just been playing around a bit and was looking to provide a direct HTML link to the customer booking detail in the booking email and realised I could use the link http://www.website.com/account/?detail_id={booking_id}#bookings.
I then realised that when the customer is logged in they could manually type a different {booking_id} into the address bar and potentially look at other customers' booking information, which is less than ideal! Have I got something set up wrong or is this expected behaviour? How can we prevent customers from being able to access other customers' booking info? Or rather just restrict them to looking at bookings that are relevant to them?
I tested this using a user with “WP Travel Customer” role as I’d expect the administrator to be able to view all the bookings.
Thanks,
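
The restriction asked about above comes down to a server-side ownership check on `detail_id` before the account page renders. A sketch of that check using WordPress core functions follows, as an added example that is not part of the original post and not WP Travel's own code. The meta key `example_user_booking_ids` and the `example_` function name are hypothetical, and using `edit_others_posts` as the staff capability is an assumption.

```php
<?php
// Added example, not WP Travel's own code. Assumptions are marked below.

// ASSUMPTION: user meta key holding the array of booking IDs a customer owns.
// Replace with however your install links a booking to its customer.
const EXAMPLE_BOOKINGS_META_KEY = 'example_user_booking_ids';

/**
 * Decide whether $user_id may view $booking_id.
 * Staff holding 'edit_others_posts' (assumed staff capability) may view any
 * booking; everyone else only bookings recorded against their own account.
 */
function example_user_can_view_booking( int $booking_id, int $user_id ): bool {
    if ( $booking_id <= 0 || $user_id <= 0 ) {
        return false;
    }
    if ( user_can( $user_id, 'edit_others_posts' ) ) {
        return true;
    }
    $owned = get_user_meta( $user_id, EXAMPLE_BOOKINGS_META_KEY, true );
    $owned = is_array( $owned ) ? array_map( 'absint', $owned ) : array();
    return in_array( $booking_id, $owned, true );
}

// Runs before the template loads, so a hand-edited detail_id never reaches it.
add_action( 'template_redirect', function () {
    if ( ! isset( $_GET['detail_id'] ) || ! is_scalar( $_GET['detail_id'] ) ) {
        return; // No booking requested; nothing to authorise.
    }
    $booking_id = absint( wp_unslash( $_GET['detail_id'] ) );
    $user_id    = get_current_user_id(); // 0 when not logged in.

    if ( ! example_user_can_view_booking( $booking_id, $user_id ) ) {
        // Record the denial so repeated ID guessing shows up in the logs.
        error_log( sprintf(
            'booking access denied: user=%d detail_id=%d',
            $user_id,
            $booking_id
        ) );
        // Same response for "not yours" and "does not exist",
        // so the reply does not reveal which booking IDs are valid.
        wp_die( 'Booking not found.', 'Not found', array( 'response' => 404 ) );
    }
} );
```

The check keys off the logged-in session rather than anything in the URL, so the emailed link can keep its `detail_id` parameter unchanged.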