[Blocker] For an invoice already sent, there should be a downloadable link, instead of "Print" link.

[vedanshujain]

Print link regenerates the invoice, which means that organizer will not be able to see original copy of the invoice that was actually sent to the attendee. There should be a download link instead which will allow to download the original invoice from upload folder.

[iandunn]

If invoices will be stored in wp-content (and therefore publicly accessible), we should probably add a CSPRN the filename to prevent brute-force discovery. Not a huge concern, but it's easy to do.

$filename .= wp_generate_password( 12, false, false );

Core does something similar to protect the privacy exports. Here's more discussion if you're curious about the details:

https://core.trac.wordpress.org/ticket/43546#comment:23 https://core.trac.wordpress.org/ticket/43546#comment:34 (the second half of the comment)

Given the low sensitivity of these invoices, 12 is probably a good balance of privacy vs UX, but we could increase it a bit if people feel like it's not strong enough.

[avillegasn]

383160487434fdeda17f461230a8f66b9dbe6a0a generates PDF files following the naming advice stated here.