Deposit Completion Page

9 years 6 months ago #87864 by Donal
Deposit Completion Page was created by Donal
Hi Tuan,

we have successfully used the deposit system for the current booking system, and everything is now working well.

I have 1 observation, however... There is a page set up by Event Booking, and a link to that page is sent to each user. All that changes from user to user is the registration number, e.g. URL/index.php?option=com_eventbooking&view=payment&registrant_id=3044&Itemid=308

When a user visits that site, their first name, last name, phone number and email address is listed, along with a form where they can complete the transaction payment.

This is very insecure, as initially I had 200 users who needed to complete payment. A reasonably proficient scripter could have very easily harvested the other users' personal details. Could you please remove the Last name, phone and email fields from this page, or point me to where that page is constructed, as we have a responsibility to care for our users' private data.

Also, what is Itemid=308? This is the same on all of my reminders, and doesn't seem necessary?

Regards,
D

9 years 6 months ago - 9 years 6 months ago #87879 by James Riley
Replied by James Riley on topic Deposit Completion Page
Yikes! This really is a potential security issue! The best way around this would be to either require the user to log in (if accounts are required on a site), or for EB to include a random check code that can be appended to the URL and that must match the code stored in the database for that registration record (e.g. index.php?option=com_eventbooking&view=payment&registrant_id=3044&Itemid=308&code=72$sSA8*, and the record only displays if "72$sSA8*" matches the "72$sSA8*" (or its md5 hash) stored in the database). For backward compatibility, if the code is not present or incorrect, a button/link would be presented for resetting the code and resending the information to the email address on the record.

TO REMOVE THE RECORDS YOURSELF:
It looks like the file you'll want to edit is /components/com_eventbooking/view/payment/tmpl/default.php
The fields are read through the $this->form->getFields(); function and stored in $fields array. A foreach loop then iterates through the array and displays the data via the line "echo $field->getControlGroup($bootstrapHelper);".
To remove certain fields from within this PHP file, you would have to add an if statement (with the appropriate true and false conditions, of course) around the "echo $field->getControlGroup($bootstrapHelper);" to block the output of the fields that you don't want to show.

James Riley .: EventBooking user since 2014 ::: JoomDonation user since 2016 :.
.: grfx & web design / IT / AV @ St. Therese Institute of Faith and Mission, Bruno, SK, Canada :.
Last edit: 9 years 6 months ago by James Riley.
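The per-registration check code described in the reply above, written out as an added PHP example; this is not EventBooking's code and the table name `registrants`, the column `access_code_hash` and the `$pdo` connection are assumptions for the demo (the real schema is not shown in this thread). It generates a high-entropy code for the emailed link, stores only a SHA-256 hash of it, verifies the code from the URL with a constant-time comparison, and refuses to load the record when the code is missing or wrong. The last function is the allow-list check the reply suggests wrapping around `echo $field->getControlGroup($bootstrapHelper);` in default.php.

```php
<?php
// Added example (not EventBooking code): per-registration access code for the payment page.
// Assumes a PDO connection and a hypothetical `registrants` table with an `access_code_hash`
// column; sample data below is constructed for the demo.
declare(strict_types=1);

// Create a random code for the emailed link and store only its hash on the record.
function createAccessCode(PDO $pdo, int $registrantId): string
{
    $code = bin2hex(random_bytes(16));             // 128 bits of entropy, URL-safe hex
    $hash = hash('sha256', $code);                 // the plain code is never stored
    $stmt = $pdo->prepare('UPDATE registrants SET access_code_hash = :h WHERE id = :id');
    $stmt->execute([':h' => $hash, ':id' => $registrantId]);
    return $code;
}

// Load the registrant only if the code from the URL matches the stored hash.
// Returns null (same as "no such record") when the code is absent or wrong.
function registrantForRequest(PDO $pdo, int $registrantId, ?string $code): ?array
{
    if ($code === null || !preg_match('/^[0-9a-f]{32}$/', $code)) {
        return null;                               // no or malformed code: show reset/resend link instead
    }
    $stmt = $pdo->prepare('SELECT * FROM registrants WHERE id = :id');
    $stmt->execute([':id' => $registrantId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || empty($row['access_code_hash'])) {
        return null;                               // legacy record without a code
    }
    // hash_equals() avoids leaking the hash through timing differences.
    if (!hash_equals($row['access_code_hash'], hash('sha256', $code))) {
        return null;
    }
    return $row;
}

// Allow-list for the template loop: only fields named here are rendered.
function shouldRenderField(string $fieldName, array $allowed = ['first_name']): bool
{
    return in_array($fieldName, $allowed, true);
}

// Demo against an in-memory SQLite database with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE registrants (id INTEGER PRIMARY KEY, first_name TEXT, email TEXT, access_code_hash TEXT)');
$pdo->exec("INSERT INTO registrants (id, first_name, email) VALUES (3044, 'Alice', 'alice@example.com')");

$code = createAccessCode($pdo, 3044);
$link = 'index.php?option=com_eventbooking&view=payment&registrant_id=3044&Itemid=308&code=' . $code;
echo "Emailed link: $link\n";

// With the right code the record loads; with no code or a guessed code it does not.
$withCode  = registrantForRequest($pdo, 3044, $code);
$noCode    = registrantForRequest($pdo, 3044, null);
$wrongCode = registrantForRequest($pdo, 3044, str_repeat('0', 32));
echo 'correct code loads record: ', var_export($withCode !== null, true), "\n";
echo 'missing code refused:      ', var_export($noCode === null, true), "\n";
echo 'wrong code refused:        ', var_export($wrongCode === null, true), "\n";

// Template-side check: last name, phone and email stay hidden even when the record loads.
foreach (['first_name', 'last_name', 'phone', 'email'] as $name) {
    echo $name, ': ', shouldRenderField($name) ? 'shown' : 'hidden', "\n";
}
```

A hash is stored rather than the code itself so that a read of the database table does not hand out working links, and the two failure cases (no code, wrong code) are deliberately indistinguishable from "no such registrant", which is where the reply's reset-and-resend button would be shown.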

9 years 6 months ago #88047 by Donal
Replied by Donal on topic Deposit Completion Page
Hi James,

thanks for the response and pointer to the correct file. I simply removed the entire line echo $field->getControlGroup($bootstrapHelper); as the easiest solution for now.

Regards,
Donal

Moderators: Tuan Pham Ngoc