Hi all,
I'm working on ERPAL to help me manage my quotes and invoices.
I was trying to create access for my customers and I saw that the invoices are accessible to any user (anonymous too) by just using this URL: https://xxxxx.com/invoice/11
I don't understand how this could be possible (no rights given to anonymous users), nor how I could give access to a complete dashboard for my customers.
Thanks for your answers.
Comments
Comment #2
ChoY commented:
Hi Cassien, you are absolutely right. This is a very serious security bug; I checked it out. The same happens to all quotes and orders.
I therefore consider it something linked to the interaction between ERPAL Platform and Commerce (where quotes and invoices are defined as "orders"). It should be urgently corrected with a patch or a distribution update, but in the last month I made the sad experience that the developer team behind it does not actively contribute on ERPAL Platform issues any more.
Therefore, here is my short-term quick solution for you and others still using ERPAL Platform:
Just add the following rule redirecting anonymous users to the ERPAL Platform login page */home. After activating this rule, clear the cache and all order types are no longer accessible to anonymous users. But as I said, it is a quick, but not a good, solution.
Kind Regards
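The same stop-gap that ChoY describes with a Rules rule can be expressed as a tiny Drupal 7 custom module, which is easier to keep in version control and to log from. This is an added illustration, not code from the thread or from the ERPAL project; the module name `erpal_anon_guard`, the path patterns (`invoice/*`, `quote/*`, `order/*`) and the login path `home` are assumptions taken from the thread and must be adjusted to the site's real router paths.

```php
<?php
// erpal_anon_guard.module (hypothetical module; needs a matching
// erpal_anon_guard.info with "core = 7.x" next to it).

/**
 * Implements hook_init().
 *
 * Runs on every page request. If the request comes from an anonymous user
 * and targets one of the order-type paths that ERPAL exposes (invoice,
 * quote, order), the request is logged and redirected to the login page.
 *
 * Caveat: this is a redirect, not an access check. It stops the obvious
 * browser URL from rendering the entity, but it does not change the entity
 * access rules themselves. The real fix is to make the order entity's
 * view access deny anonymous users (and non-owners) at the access-callback
 * level, so that every code path that loads the entity is covered.
 */
function erpal_anon_guard_init() {
  // Authenticated users are left alone; their access is governed by the
  // normal role permissions.
  if (!user_is_anonymous()) {
    return;
  }

  // Assumed path patterns for the order types mentioned in the thread.
  // drupal_match_path() takes newline-separated patterns with '*' wildcards.
  $guarded_patterns = "invoice/*\nquote/*\norder/*";

  $path = current_path();
  if (!drupal_match_path($path, $guarded_patterns)) {
    return;
  }

  // Record the attempt so it shows up in the watchdog log (Reports >
  // Recent log messages); a spike of these is worth looking at.
  watchdog(
    'erpal_anon_guard',
    'Anonymous request to %path redirected to the login page.',
    array('%path' => $path),
    WATCHDOG_WARNING
  );

  // Assumed login page 'home' (ERPAL Platform's */home, per the comment).
  // 'destination' brings the user back to the requested page after login,
  // where the normal access rules apply.
  drupal_goto('home', array('query' => array('destination' => $path)));
}
```

After enabling the module, clear the cache as ChoY notes and verify the guard from a logged-out browser session: the guarded URL should redirect to the login page, and a corresponding warning should appear in the watchdog log. Because the guard is only a redirect layered in front of the page, treat it as a temporary measure until the entity access callback for Commerce orders in this distribution denies the anonymous view itself.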
Comment #3
cassien commented:
Hi ChoY,
Thanks for your answer.
I think that I'm going to use ERPAL locally first...
Sad that this project is not maintained any more; it was perfectly suited to my needs.