Emailing Attendee Report


Viewing 6 posts - 1 through 6 (of 6 total)
  • #1267977
    Joseph
    Participant

    Hello,

    I have found a huge security flaw in the Community Tickets backend. When emailing a report, the “Send the attendee list by email” section shows two dropdown boxes. One is ‘Select a User’ and the other is ‘Email Address’. Under ‘Select a User’, you can see a list of other promoters (organizers) and customers as well! How do I remove the ‘Select a User’ section and only allow it to be sent to a specific email address? I do not want my promoters to see other promoters’ information as well as customers. See attached. This is very bad! Please advise.

    Thank you!

    Joseph

    #1269277
    Victor
    Keymaster

    Hi Joseph!

    Thanks for reaching out to us and reporting this.

    I could reproduce the issue you are having and after reaching out to the team we’ve come to agree this is something we should consider modifying in the future or making it a choice to be able to see all the users or not.

    I have logged a report for this and the team will address it in a future release. While I cannot say exactly when the team will get down to it, rest assured it will be taken into account and you will be notified about it.

    As a workaround, I’ve come up with a quick temporary solution to show only the current event author in the dropdown. You should modify the attendees-email.php file located in /wp-content/plugins/event-tickets/src/admin-views/attendees-email.php

    At around line 12 you should find an array with the following code:

    array(
        'name'             => 'email_to_user',
        'id'               => 'email_to_user',
        'show_option_none' => esc_html__( 'Select...', 'event-tickets' ),
        'selected'         => '',
    )

    You should add a line after 'selected' => '', and include the code 'include' => get_current_user_id(). It should look like this:

    array(
        'name'             => 'email_to_user',
        'id'               => 'email_to_user',
        'show_option_none' => esc_html__( 'Select...', 'event-tickets' ),
        'selected'         => '',
        'include'          => get_current_user_id(),
    )

    Bear in mind this is not ideal as it involves modifying one of the Event Tickets core files. So, if you update the plugin, the previous file will be overwritten. That said, I will reach out to the team to come up with a more stable workaround and will get back to you as soon as I have one.

    I’m sorry for the inconvenience and let me know if you have any questions.

    Best!
    Victor
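
An update-safe variant of the workaround in the post above, as an added example that is not from the thread or from the plugin's own code: it applies the same `include` restriction through WordPress core's `wp_dropdown_users_args` filter instead of editing `attendees-email.php`. It assumes the dropdown is rendered with `wp_dropdown_users()`; the function name `example_limit_attendee_email_users`, the `list_users` capability check, and placing the snippet in a small site plugin are assumptions. It narrows only what the dropdown renders and does not validate the value submitted with the form.

```php
<?php
/**
 * Added example (not Event Tickets code): limit the "email_to_user"
 * dropdown to the logged-in user without modifying plugin files.
 *
 * Assumption: the dropdown is produced by wp_dropdown_users(), which passes
 * its user query through the core 'wp_dropdown_users_args' filter.
 */
add_filter( 'wp_dropdown_users_args', 'example_limit_attendee_email_users', 10, 2 );

/**
 * @param array $query_args  Arguments handed to the user query.
 * @param array $parsed_args Arguments originally passed to wp_dropdown_users().
 * @return array Possibly restricted query arguments.
 */
function example_limit_attendee_email_users( $query_args, $parsed_args ) {
	// Leave every other user dropdown on the site untouched.
	if ( ! isset( $parsed_args['name'] ) || 'email_to_user' !== $parsed_args['name'] ) {
		return $query_args;
	}

	// Assumption: accounts that may already list users (administrators by
	// default) keep the full dropdown; everyone else sees only themselves.
	if ( current_user_can( 'list_users' ) ) {
		return $query_args;
	}

	// Same restriction as the manual edit: only the current user's ID.
	$query_args['include'] = array( get_current_user_id() );

	return $query_args;
}
```
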

    #1269620
    Joseph
    Participant

    That worked! Thank you very much!

    #1269856
    Victor
    Keymaster

    Hey Joseph!

    Thanks for letting us know about that! We’ll keep you posted for any update on the issue.

    Cheers!
    Victor

    #1320876
    Victor
    Keymaster

    Hello Joseph!

    Just wanted to share with you that a new maintenance release (for the Week of 10th July 2017) is out, including a fix for this issue 🙂

    Find out more about this release → https://theeventscalendar.com/maintenance-release-week-10th-july-2017/

    Please update the plugins and let us know if the fix works for your site,

    Best,
    Victor

    #1330781
    Support Droid
    Keymaster

    Hey there! This thread has been pretty quiet for the last three weeks, so we’re going to go ahead and close it to avoid confusion with other topics. If you’re still looking for help with this, please do open a new thread, reference this one and we’d be more than happy to continue the conversation over there.

    Thanks so much!
    The Events Calendar Support Team

  • The topic ‘Emailing Attendee Report’ is closed to new replies.