News:

Support the VirtueMart project and become a member

Main Menu

Vulnerability with Guest Checkout

Started by Amema, February 27, 2014, 08:51:14 AM

Previous topic - Next topic

Amema

I run J 2.5.18 and VM 2.0.26d

I run a co-op site with restricted membership. It's goal is to gather active participants in a field to let them co-operate, but at the same time have certain services open to just anyone interested in the field.

People cannot register their own account, but have to apply for membership based on other, real world, memberships etc. We sell stuff and use VM to sell participation in workshops, conferences etc. VM is the only extension I have found that can handle incremental price for periods, to make people make quick decisions about participation, and to "punish" those who will only make their minds up at the last minute. Application forms with "early bird" feature doesn't cut it.

I have just learned the hard and gruelling way, that I cannot have the link to Account Maintenance open only for registered members if I want Guests to be able to checkout as well.

For security reasons, I can't have the Account Maintenance menuitem set to Public, as anybody may register an account that way. It's a wide open back door constituting a real problem. I want this service exclusively for my registered members, but I still want to make it possible for Guests to checkout.

Is there an extension for this? Would it be considered a security risk built into VM or do I simply have to live with it?

I suppose I may make a hack in the code, but I don't want to solve this through core code hacking. Considering that quite a few people seem to run into this same bug (having set Account Maintenance to registered and then having insolvable problems with Guest Checkout), I'm not alone in wanting to set up my site this way.

Anyone's got any idea?
Unix server, php 5.2.17, VM 2, Joomla 1.7

jjk

#1
The latest versions of VM make use of the Joomla ACL for limiting backend access, but I'm afraid that won't work in your case. Maybe this plugin can do that:
http://extensions.joomla.org/extensions/access-a-security/site-access/frontend-access-control/6874
I think the author offers a trial version.

Maybe it is also possible to place a menu module holding the account maintenance on a seperate Joomla content page, which is set to be accessible for registered users only. But I haven't tried that, so you will have experiment with this yourself.
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations