Booking ID Posts Private?

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #24425
    tourist
    Participant

    Hi guys,

    just been playing around a bit and was looking to provide a direct HTML link to the customer booking detail in the booking email and realised I could use the link http://www.website.com/account/?detail_id={booking_id}#bookings.

    I then realised that when the customer is logged in that they could manually type in a different {booking_id} into the address bar and potentially look at other customer’s booking information which is less than ideal! Have I got something set up wrong or is this expected behaviour? How can we prevent customers from being able to access other customers booking info? Or rather just restrict them to looking at bookings that are relevant to them?

    I tested this using a user with “WP Travel Customer” role as I’d expect the administrator to be able to view all the bookings.

    Thanks,

    #24433
    wensolutions
    Keymaster

    Hello,

    Actually, the issue you have reported regarding {booking_id} into address bar is unlikely to occur as the customer who will be logged in in user dashboard page cannot view the booking details made by other customer. Logged in customer only can view the booking details related to trip that has been booked by themselves.

    Also, please provide us with screenrecord regarding the issue you are facing so that we can inspect the issue further.

    Regards.

Viewing 2 posts - 1 through 2 (of 2 total)
  • The forum ‘WP Travel’ is closed to new topics and replies.