impress-org / givewp

GiveWP - The #1 Donation Plugin for WordPress. Easily accept donations and fundraise using your WordPress website.
https://givewp.com/
GNU General Public License v3.0

Enforcing email access on donation history to prevent easy access through a small donation #2023

Closed mathetos closed 6 years ago

mathetos commented 7 years ago

Issue Overview

Currently, if a donation form doesn't require registration or login, we save a session to identify the donor based on the email address they used to donate. This also gives the non-logged-in donor the ability to see the entire donation history after donating.

Imagine it this way: maybe there's a wealthy donor that has given a lot over the course of a year. If someone wanted to know how much they donated and knew that donor's email address, they could just donate a small amount with that email address and view the entire donation history. It doesn't really matter that the email address wasn't their own, because all they want is to see the donation history.

Expected Behavior

The donation history page should have some sort of verification besides a session to prevent unauthorized access to that page.

Current Behavior

Currently it just takes a small donation to access that page.

Possible Solution

Enforce email access for all non-logged-in donors regardless of which email they donated with.

DevinWalker commented 7 years ago

@mathetos can you please add clear steps to reproduce? Thanks

ravinderk commented 7 years ago

@DevinWalker @mathetos Is it similar to this issue https://github.com/WordImpress/Give/issues/1790

mathetos commented 7 years ago

@ravinderk No, not similar. That is related to the LINK that is sent in the email when Email Access is enabled.

My issue here is about how a donor's Donation History can be seen simply by donating a small amount with that donor's email address.

I made a screencast since I think that explains it best: http://somup.com/cbjwnkV2Dk

raftaar1191 commented 7 years ago

What I think is that here we should not show all the donations but only the last donation that s/he had made, and there should be a button that will send all the donation history to his/her email id.

Example: [screenshot]

raftaar1191 commented 7 years ago

We can also do it like payment companies do.

Like sending a random number code to their email id and confirming the email id by that.

[screenshot]

DevinWalker commented 7 years ago

I like the email idea more.

raftaar1191 commented 7 years ago

@DevinWalker

I think the second one is better as compared to sending all the donations in the email: https://github.com/WordImpress/Give/issues/2023#issuecomment-333043436

1. If the donor has more than 100 donations, there will be lots of text in the email, which can result in our email being marked as spam and moved to the spam box.

2. It has the reusability advantage: if the donor has already generated that code, he/she can simply enter it and view the donation history, with no need to regenerate it again.

ravinderk commented 7 years ago

@DevinWalker @raftaar1191 I like your second idea. https://github.com/WordImpress/Give/issues/2023#issuecomment-333043436

In addition to that, we can limit the donor to using this OTP (1-4 times). If the donor does not enter the correct OTP, then he can only see the latest donation for a certain time; after that he can try again.

mathetos commented 7 years ago

I chatted with @DevinWalker about this over the weekend. Really like the direction it's going. Just to summarize, I think we're agreed on the following:

  1. This applies only when the donor is NOT logged-in. Logged-in donors should see their full history and not be bothered with this at all.

  2. The Donation History for non-logged-in donors only appears when they have an active session. If they don't have a session at all, then of course the default Email Access or Login screen will appear as it does currently.

  3. For non-logged-in users who have an active donation, they get directed to their Donation Confirmation like always. If they navigate to their Donation History then they'll only see the most recent donation, but with the note below it to have an access code emailed to them to access the full history.

    • 3.a Devin suggested we could have a setting that allowed Admins to set how many recent donations would show by default. I'd suggest the following options for that kind of setting:
      • Show most recent donation
      • Show 3 most recent donations
      • Show donations made this month
      • Show donations made within the past 3 months
      • Show donations made within this calendar year

My only concern with allowing more than the most recent donation to show by default is that it circumvents the purpose of this ticket, which is to prevent hackers from donating $1 to see a real donor's actual donation history, regardless of how far back that donation might have been; it's a privacy concern. I believe showing only the most recent is the best option, not allowing additional donations to appear at all without the email access code.

raftaar1191 commented 7 years ago

@mathetos @ravinderk @DevinWalker

Does this mockup look good? If yes, then I will start working on this.

Mockup of how this setting is going to look:

Setting page: [screenshot]

Donation History Email: [screenshot of email body]

Donation History: [screenshot]

Donation History after the code has been entered: [screenshot]

mathetos commented 7 years ago

I think it's overkill to have settings for the length of the code and how many times it can be generated. Decisions not Options. I'd just make those two things be filters.

Then the code should be an email tag.

raftaar1191 commented 7 years ago

@DevinWalker Question on Slack: why would they have to enter a 6 digit code? Can we simply send a link with the email access token? -> Yes, but in future if the user remembers their code then s/he can simply enter the code and bypass the email verification process.

raftaar1191 commented 7 years ago

Yes @mathetos, I also agree with your point; a filter will be a great option as compared to a setting, as too many settings can be confusing to the site's administrator.

DevinWalker commented 7 years ago

Here's how we should proceed with this @raftaar1191

1. Show Most Recent Donation

For non-logged-in users who have an active donation, they get directed to their Donation Confirmation like always. If they navigate to their Donation History page containing the [donation_history] shortcode, then they'll only see the most recent donation, but with the note below it to have an access code emailed to them to access the full history.

[screenshot 2017-10-17_14-52-38]

2. When "Confirm Email" is Clicked

Once the button is clicked, a frontend Give notice smoothly appears above the table that instructs the donor to check their email and click on the link.

[screenshot 2017-10-17_15-00-59]

3. Donor Views Email

When the donor goes to their inbox, they can then easily click on the link, which will open the same page in a new tab with the complete donation history available.

Subject: Please confirm your email for examplewebsite.com

Heading: Confirm Email

Content: Dear Name,

Please click the link below to access your donation history on examplewebsite.com. If you did not request this email, please contact admin@email.com.

Click here to view donation history »

[screenshot 2017-10-17_15-10-42]

4. Donor Returns to Site

When the donor returns to the site, the email access token is set for the given time period under Settings, and then they can view the full list of donations:

[screenshot 2017-10-17_15-11-24]
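The flow above, together with ravinderk's suggestion of limiting failed verification attempts, as an added PHP illustration that is not GiveWP's code: the emailed token is random and stored only as a hash, it expires after a fixed period, a capped number of wrong tokens locks it, and an unverified session sees only the most recent donation. The in-memory `$store` array, the constants and all function names are assumptions standing in for donor meta and the filters discussed in the thread.

```php
<?php
declare(strict_types=1);

// Assumed values; in the plugin these would be filters, not settings.
const TOKEN_TTL_SECONDS = 600; // lifetime of the emailed link
const MAX_ATTEMPTS      = 4;   // failed verifications before the token is discarded

/** Issue a token for the email bound to the donor's session; only its hash is stored. */
function issue_token(array &$store, string $email, int $now): string {
    $token = bin2hex(random_bytes(16)); // 128 bits, not guessable by a $1 donor
    $store[strtolower($email)] = [
        'hash'     => hash('sha256', $token),
        'expires'  => $now + TOKEN_TTL_SECONDS,
        'attempts' => 0,
    ];
    return $token; // goes into the email link only, never into the page
}

/** Verify the token from the link; true means the full history may be shown. */
function verify_token(array &$store, string $email, string $token, int $now): bool {
    $key = strtolower($email);
    if (!isset($store[$key])) {
        return false;
    }
    $rec = &$store[$key];
    if ($now > $rec['expires'] || $rec['attempts'] >= MAX_ATTEMPTS) {
        unset($store[$key]); // expired or locked: donor must request a new link
        return false;
    }
    if (!hash_equals($rec['hash'], hash('sha256', $token))) {
        $rec['attempts']++;  // wrong token: count it, keep the record for now
        return false;
    }
    unset($store[$key]);     // single use
    return true;
}

/** Unverified sessions see only the most recent donation. */
function visible_donations(array $donations, bool $verified): array {
    return $verified ? $donations : array_slice($donations, 0, 1);
}

// Constructed sample run: newest donation first.
$store     = [];
$donations = ['2017-10-17 $5', '2017-03-02 $2,500', '2016-12-24 $10,000'];
$now       = time();
$token     = issue_token($store, 'donor@example.com', $now);
$okWrong   = verify_token($store, 'donor@example.com', 'not-the-token', $now); // false
$okRight   = verify_token($store, 'donor@example.com', $token, $now);          // true
print_r(visible_donations($donations, $okWrong));  // one entry
print_r(visible_donations($donations, $okRight));  // all three
```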

raftaar1191 commented 6 years ago

@mehul0810 @ravinderk @DevinWalker

Please add this branch to your local branch before anyone starts working on this https://github.com/raftaar1191/Give/tree/issues-2023

raftaar1191 commented 6 years ago

See the video for the feature: http://youtu.be/WSiVhHdT7nc?hd=1 It has been made in branch https://github.com/raftaar1191/Give/tree/issues-2023

raftaar1191 commented 6 years ago

PR link: https://github.com/WordImpress/Give/pull/2395