We noticed that randomly we were getting notified of users "paying" for their courses multiple times and when we looked into it further it seems like they had possibly bookmarked the "process.php" page that the user is redirected back to after a successful payment.
Since all that page does is check if the supplied Stripe session ID ended with a successful payment, this allows someone to re-enroll (or in our case, extend their enrollment) indefinitely. Or at least as long as that Stripe session ID is valid (at least more than a week).
Would having process.php check if the user is already enrolled in the course (maybe even if it's already using the current enrollment method) fix this?
We noticed that randomly we were getting notified of users "paying" for their courses multiple times and when we looked into it further it seems like they had possibly bookmarked the "process.php" page that the user is redirected back to after a successful payment.
Since all that page does is check if the supplied Stripe session ID ended with a successful payment, this allows someone to re-enroll (or in our case, extend their enrollment) indefinitely. Or at least as long as that Stripe session ID is valid (at least more than a week).
Would having process.php check if the user is already enrolled in the course (maybe even if it's already using the current enrollment method) fix this?