- This topic has 7 replies, 4 voices, and was last updated 8 years, 10 months ago by
.
-
Posts
-
Okay – it’s late and I may be missing something obvious. Is there a trick to editing the ticket email? I followed the instructions and created a tribe-events/wootickets/email.php copy of the stock file and editing it. But changes don’t take effect. Not finding any other docs on here…
Here’s a bigger problem. I can’t use html for my tickets. The barcode file cannot be a URL. Otherwise someone could generate their own ticket. As long as they show up before the real ticket buyer, they can get in – and then the actual ticket buyer gets turned away as a fraudster! So I am going to have to revert this thing back to PDF attachments…
Hi Mike,
Glad you sorted the email template override issue.
Regarding the second problem, each ticket has a security code which is basically a hash of various bits of information – unless a fraudster had intercepted an email or somehow knew which codes were allocated he or she would have to be extremely lucky to turn up with a fake ticket that happens to have a valid code on it.
I’m not too sure how or what difference the delivery format, be it PDF or HTML, makes here.
You could be right – it would be difficult to exploit. It just isn’t very good security practice. If the PDF attached to the email only exists in that email sent to the customer, that is pretty secure. If the authentication means (the ticket w/ barcode) is available on an open server, that is not as secure as possible. True, the fraudster has to guess at the filename for the image file and also know what event that barcode goes to. But it is exploitable. And sometimes the mere existence of an exploitable system is too much temptation for some kids to resist.
But here is another important issue: with the barcode in an html msg, I have to have a folder on my webserver with every barcode for every active event – ppl could open and print those at any time between now and when an event happens (which could be 3-4 months away). Then I also need some code that knows the naming scheme for those security coded image files and deletes all those files after the event has completed. That’s some extra work and one more thing that could go wrong. If the ticket email simply generates a PDF attachment, both of these problems go away.
Hi Mike,
The first thing to highlight is, with the first generation of WooCommerce Tickets (or WooTickets as it was at that point) the PDF did not exist only in the email. The generated document was saved in the uploads directory – so reverting to the technique as used in that earlier version of the plugin wouldn’t be a silver bullet given the concerns you are outlining.
The other side of this is that if you are changing/adapting the way WooCommerce Tickets works (by adding barcodes to tickets for instance) then it’s really up to you to take responsibility for any security issues: perhaps you could take advantage of inline images within the emailed tickets (so that a copy of the image does need to remain on the server) or perhaps you could devise some other clever way of building barcodes using only HTML – but I’m afraid it’s outside the scope of support we can offer to work through that with you.
Hi, mike. It looks like you got what you need here, so I’m going to go ahead and close this thread.
If there’s anything else we can do to support you, please feel free to open a new topic.
- The topic ‘Trouble changing email.php’ is closed to new replies.