
Restrict the contact us email to registered users only


Mike101za


Robots don't use the form - they just need a security token and can get one of those from anywhere. Robots already know what to POST to CubeCart. Thus, modifying the template or code that calls the template to show only to logged-in users probably won't work.

The solution then is to silently drop the processing of the POST submission if the session says this is not a logged-in user. That, however, gives a false sense of completion to legitimate, but still not logged-in visitors, unless you add language to the form that makes plain that only logged-in customers will have their submissions read.

So maybe do both: not display the form unless logged in to deny legitimate visitors, and drop the processing of the robot-submitted POSTing of form data.

Be back soon.


Using a programmer's text editor, make these changes:

In the admin skin template documents.contact.php, find near line 17:

<div><label for="status">{$LANG.common.status}</label><span><input type="hidden" name="contact[status]" id="status" value="{$CONTACT.status}" class="toggle"></span></div>

On a new blank line after that, add:

<div><label for="liuo">Logged-in users only?</label><span><input type="hidden" name="contact[liuo]" id="liuo" value="{$CONTACT.liuo}" class="toggle"></span></div>


In the file /classes/cubecart.class.php, near line 1459, find:

    /**
     * Display contact page
     */
    private function _contact()
    {
        // Contact Form
        $contact = $GLOBALS['config']->get('Contact_Form');
        if ($contact && $contact['status']) {

On a new blank line after that, add:

if(empty($contact['liuo']) || ($contact['liuo'] && !empty($GLOBALS['user']->is()))){


In the same file, near line 1571, find:

            $content = $GLOBALS['smarty']->fetch('templates/content.contact.php');
            $GLOBALS['smarty']->assign('PAGE_CONTENT', $content);

On a new blank line after that, add:

} else { $GLOBALS['gui']->setError("You must be logged in to use the Contact Us form."); httpredir('index.php'); }

In admin, bring up the Contact Form settings page. Check the box for "Logged-in users only?". Save and have CubeCart clear its internal cache.

On the storefront, not being logged in, click the Contact Us document link. You should be sent to the homepage showing a red warning banner.

Log in to the storefront. Click the Contact Us document link. You should be shown the Contact Us page.

This will also thwart robots from sending specially-crafted POST submissions, unless they first create an account.

Link to comment
Share on other sites
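Added example, not part of the thread and not CubeCart code: a stand-alone PHP sketch of why the check in the post above sits in the controller rather than only in the template. The function names, return arrays and sample requests are hypothetical; only the liuo/status keys, the error text and the index.php redirect come from the post.

```php
<?php
// Illustration only. contactAllowed() and handleContact() are hypothetical names.

// Same test as the condition added to _contact(): allowed when the "liuo"
// setting is missing or off, or when it is on and the visitor is logged in.
function contactAllowed(array $contact, bool $loggedIn): bool
{
    return empty($contact['liuo']) || $loggedIn;
}

// Stand-in for the controller. The gate runs before any POST data is read,
// so it covers the form display (GET) and a directly submitted POST alike.
function handleContact(array $contact, bool $loggedIn, string $method, array $post): array
{
    if (empty($contact['status'])) {
        // Outer check from the post; what CubeCart does here is not shown there.
        return ['action' => 'form_disabled'];
    }
    if (!contactAllowed($contact, $loggedIn)) {
        // Mirrors setError() followed by httpredir('index.php').
        return [
            'action' => 'redirect',
            'to'     => 'index.php',
            'error'  => 'You must be logged in to use the Contact Us form.',
        ];
    }
    if ($method === 'POST' && !empty($post['contact'])) {
        return ['action' => 'process_submission'];
    }
    return ['action' => 'show_form'];
}

// Constructed sample requests: [settings, logged in?, method, POST body]
$body  = ['contact' => ['enquiry' => 'constructed sample message']];
$cases = [
    'no liuo key saved yet, guest POST' => [['status' => 1], false, 'POST', $body],
    'liuo on, guest GET'                => [['status' => 1, 'liuo' => 1], false, 'GET', []],
    'liuo on, guest POST, form skipped' => [['status' => 1, 'liuo' => 1], false, 'POST', $body],
    'liuo on, customer GET'             => [['status' => 1, 'liuo' => 1], true, 'GET', []],
    'liuo on, customer POST'            => [['status' => 1, 'liuo' => 1], true, 'POST', $body],
];

foreach ($cases as $label => [$cfg, $in, $method, $data]) {
    $result = handleContact($cfg, $in, $method, $data);
    printf("%-36s => %s\n", $label, $result['action']);
}
```

The first case shows the effect of empty($contact['liuo']): a store whose saved settings predate the new toggle keeps accepting guest submissions until the box is checked and saved.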

  • 1 year later...

Thanks Brian!

I tried this 5 times, and finally copied all your instructions out to Notepad++, and went over the cubecart.class file since I wasn't getting the toggle in Admin. I must not have copied it all correctly when I didn't copy out your instructions, but it's working now and I got the toggle! Works like a charm!

Thanks again

 


Archived

This topic is now archived and is closed to further replies.
