I changed the styling of the customer panel in amelia backend.
Inserted a shortcode [ameliacustomerpanel appointments=1 events=1] on my customer-login wordpress page.
First problem: I got a working login form but not with the styling I defined in backend. The styles are your default ones.
Second problem: When I click on the password restore link, I recieve an email with a restore link but I am redirected to the wrong page (without password restore). where can I define the page link for the email? (the link in the mail is ./ but I need ./customer-page - when manually correct the link and add the query the password-change is working.)
Third problem: After changing password the corrected link is not expiring. I can use it every time I want. So it would be possible than anyone who gets the link could change the user password. How to prevent this?
When you have several questions or issues please open a new separate ticket, and we will help you there. In that way, issues and questions that are related to different subjects will be in separate tickets so other customers or our support agents can find them easily.
Our policy is to have one issue or question per ticket because of the reasons that are described already.
Thank you for understanding.
First problem: I got a working login form but not with the styling I defined in backend. The styles are your default ones. - Most likely you placed the only one 1.0 and you did not set new 2.0. You can see how to that on this link https://wpamelia.com/front-end-customer-panel-2-0/
2. Second problem: When I click on the password restore link, I recieve an email with a restore link but I am redirected to the wrong page (without password restore). where can I define the page link for the email? (the link in the mail is ./ but I need ./customer-page - when manually correct the link and add the query the password-change is working.) - The placeholder can only be link to a panel. And you can add it to for example appointment approved and in customer panels access.
You need to add a customer panel placeholder to your appointment-approved notifications like this for example
And when they book for the first time and when they click on the link they will be redirected automatically to set the password and the user name will always be the mail that they used during the purchase.
You need to do this also for customer panel access as well copy and add this %customer_panel_url% there and when they forgot password they will be able to reset it.
This should help.
3. Third problem: After changing password the corrected link is not expiring. I can use it every time I want. So it would be possible than anyone who gets the link could change the user password. How to prevent this? - Each customer gets a specific link for their profile so there is no issue. So it is not a case that "anyone" gets the link. The link goes to a customer that reset their pass and only they have access so there is no issue. And also there is no option to set that link is inactive after some time.
Should you have any further inquiries, we kindly request that you open separate tickets for each question so copy paste the question and answer and we will gladly help you there in separate ticket for each question.
We wish you all the best and hope you have a wonderful day ahead.
i was pretty shocked by your reply to my safety concerns regarding customer security with amelia.
i tried out your customer panel 2.0
the reset-password link you are sending to the email address is not expiring. that means you could use it at anytime and as often as you want. and after using it, it is also not expiring...
in your support reply you said - it's no problem...
my opignion: that is a mega big security hole and it is an absolute no-go...
think about the simple idea you are using a browser in an open network or where others can use the same workstation.
you're using the password reset link and reset the password. another one spies out the net traffic or simply uses your browser history and copies the link.
this person is able to reset your password at any time in the future. this person can crack your account and can do anything wanted with your sensitive data... holy shit...
please inform me if your planning to inactivate the token after the password change and also after a certain time of inactivity (system standard - 24h), that is essential for the usability of your customer panel...
btw. i checked the original password reset feature of wordpress. it works fine. after resetting the password the link is no longer usable. i also decreased the standard expiring time of a token from 24h to 3 min. this also works fine.
actually i found out that also the login to amelia is not the same as the basic login to wordpress but there is a cross-influence.
so please give me an advice how to solve the security problems. otherwise i see no way to maintain my purchase contract.
We have consulted our dev team and we got this feedback from them
"
The link is designed to be valid for 30 days. During the design and development of Amelia, we conduct extensive use case studies, and a significant majority of users prefer a longer link expiration period, as they believe it reduces inconvenience for end-users during login. However, if you wish to modify this duration, you can do so in the JSON settings. Please navigate to the following path to adjust the token validity (in seconds): wp_options -> amelia_settings -> roles -> customerCabinet -> tokenValidTime
"
This should assist you in achieving the desired configuration.
Should you have any additional questions, we kindly ask that each question be submitted in a separate ticket, so we can address each one thoroughly.
You can not use token and password at the same time.
So for panel login you can send either token or option for pass. And with the solution from our Dev team. You can shorter the time range how much link will be active. It can not be deactivated after clicking the link but you can set the duration how long will be active.
Should you have any further inquiries, we kindly request that you open separate tickets for each question and we will gladly help you there.
We wish you all the best and hope you have a wonderful day ahead.
the settings you mentioned are not available in my admin area of wordpress. i scanned the files and found settings that seem similar under: /mypath/wp-content/plugins/ameliabooking/src/Infrastructure/WP/InstallActions in the ActivationSettingsHook.php
is this the correct file? what about the other settings (providerCabinet and urlAttachment) are they also not deactivated when used?
Changing the tokenValidTime in the ActivationSettingsHook.php had no influence on a running system. I also found the settings hidden in the database where I also changed the tokenValidTime(s). Seems that this is working.
But for security reasons I strongly recommend to let the token expire after having reset the password. Every comparable secure application in the net does that (also wordpress itself).
I also recommend to let the admin configure the property via admin-frontend, because the hardcoded stuff may be overwritten on updates.
I changed the styling of the customer panel in amelia backend.
Inserted a shortcode [ameliacustomerpanel appointments=1 events=1] on my customer-login wordpress page.
First problem: I got a working login form but not with the styling I defined in backend. The styles are your default ones.
Second problem: When I click on the password restore link, I recieve an email with a restore link but I am redirected to the wrong page (without password restore). where can I define the page link for the email?
(the link in the mail is ./ but I need ./customer-page - when manually correct the link and add the query the password-change is working.)
Third problem: After changing password the corrected link is not expiring.
I can use it every time I want. So it would be possible than anyone who gets the link could change the user password. How to prevent this?
Hello there,
Thank you for reaching out to us.
When you have several questions or issues please open a new separate ticket, and we will help you there. In that way, issues and questions that are related to different subjects will be in separate tickets so other customers or our support agents can find them easily.
Our policy is to have one issue or question per ticket because of the reasons that are described already.
Thank you for understanding.
2. Second problem: When I click on the password restore link, I recieve an email with a restore link but I am redirected to the wrong page (without password restore). where can I define the page link for the email?
(the link in the mail is ./ but I need ./customer-page - when manually correct the link and add the query the password-change is working.) - The placeholder can only be link to a panel. And you can add it to for example appointment approved and in customer panels access.
You need to add a customer panel placeholder to your appointment-approved notifications like this for example
And when they book for the first time and when they click on the link they will be redirected automatically to set the password and the user name will always be the mail that they used during the purchase.
You need to do this also for customer panel access as well copy and add this %customer_panel_url% there and when they forgot password they will be able to reset it.
This should help.
3. Third problem: After changing password the corrected link is not expiring.I can use it every time I want. So it would be possible than anyone who gets the link could change the user password. How to prevent this? - Each customer gets a specific link for their profile so there is no issue. So it is not a case that "anyone" gets the link. The link goes to a customer that reset their pass and only they have access so there is no issue. And also there is no option to set that link is inactive after some time.
Should you have any further inquiries, we kindly request that you open separate tickets for each question so copy paste the question and answer and we will gladly help you there in separate ticket for each question.
We wish you all the best and hope you have a wonderful day ahead.
Kind Regards,
Marko Davidovic
[email protected]
Rate my support
wpDataTables: FAQ | Facebook | Twitter | Instagram | Front-end and back-end demo | Docs
Amelia: FAQ | Facebook | Twitter | Instagram | Amelia demo sites | Docs | Discord Community
You can try wpDataTables add-ons before purchasing on these sandbox sites:
Powerful Filters | Gravity Forms Integration for wpDataTables | Formidable Forms Integration for wpDataTables | Master-Detail Tables
hi customer support,
i was pretty shocked by your reply to my safety concerns regarding customer security with amelia.
i tried out your customer panel 2.0
the reset-password link you are sending to the email address is not expiring.
that means you could use it at anytime and as often as you want.
and after using it, it is also not expiring...
in your support reply you said - it's no problem...
my opignion: that is a mega big security hole and it is an absolute no-go...
think about the simple idea you are using a browser in an open network
or where others can use the same workstation.
you're using the password reset link and reset the password.
another one spies out the net traffic or simply uses your browser history and copies the link.
this person is able to reset your password at any time in the future.
this person can crack your account and can do anything wanted with your sensitive data...
holy shit...
please inform me if your planning to inactivate the token after the password change and also after a certain time of inactivity (system standard - 24h), that is essential for the usability of your customer panel...
btw. i checked the original password reset feature of wordpress.
it works fine. after resetting the password the link is no longer usable.
i also decreased the standard expiring time of a token from 24h to 3 min. this also works fine.
actually i found out that also the login to amelia is not the same as the basic login to wordpress
but there is a cross-influence.
so please give me an advice how to solve the security problems. otherwise i see no way to maintain my purchase contract.
best regards
uli
Hello again,
We have consulted our dev team and we got this feedback from them
"
The link is designed to be valid for 30 days. During the design and development of Amelia, we conduct extensive use case studies, and a significant majority of users prefer a longer link expiration period, as they believe it reduces inconvenience for end-users during login. However, if you wish to modify this duration, you can do so in the JSON settings. Please navigate to the following path to adjust the token validity (in seconds):
wp_options -> amelia_settings -> roles -> customerCabinet -> tokenValidTime
"
This should assist you in achieving the desired configuration.
Should you have any additional questions, we kindly ask that each question be submitted in a separate ticket, so we can address each one thoroughly.
Thank you, and we wish you a wonderful day ahead!
Kind Regards,
Marko Davidovic
[email protected]
Rate my support
wpDataTables: FAQ | Facebook | Twitter | Instagram | Front-end and back-end demo | Docs
Amelia: FAQ | Facebook | Twitter | Instagram | Amelia demo sites | Docs | Discord Community
You can try wpDataTables add-ons before purchasing on these sandbox sites:
Powerful Filters | Gravity Forms Integration for wpDataTables | Formidable Forms Integration for wpDataTables | Master-Detail Tables
hi marko,
thanks for your reply.
ok, i will try it out again.
and is it possible to deactivate the token, after the password is set?
that is still an essential security issue in my opignion.
best regards
uli
Hello again,
You can not use token and password at the same time.
So for panel login you can send either token or option for pass. And with the solution from our Dev team. You can shorter the time range how much link will be active. It can not be deactivated after clicking the link but you can set the duration how long will be active.
Should you have any further inquiries, we kindly request that you open separate tickets for each question and we will gladly help you there.
We wish you all the best and hope you have a wonderful day ahead.
Kind Regards,
Marko Davidovic
[email protected]
Rate my support
wpDataTables: FAQ | Facebook | Twitter | Instagram | Front-end and back-end demo | Docs
Amelia: FAQ | Facebook | Twitter | Instagram | Amelia demo sites | Docs | Discord Community
You can try wpDataTables add-ons before purchasing on these sandbox sites:
Powerful Filters | Gravity Forms Integration for wpDataTables | Formidable Forms Integration for wpDataTables | Master-Detail Tables
hi marko,
the settings you mentioned are not available in my admin area of wordpress.
i scanned the files and found settings that seem similar under:
/mypath/wp-content/plugins/ameliabooking/src/Infrastructure/WP/InstallActions
in the ActivationSettingsHook.php
is this the correct file?
what about the other settings (providerCabinet and urlAttachment)
are they also not deactivated when used?
best regards
uli
Changing the tokenValidTime in the ActivationSettingsHook.php had no influence on a running system.
I also found the settings hidden in the database where I also changed the tokenValidTime(s).
Seems that this is working.
But for security reasons I strongly recommend to let the token expire after having reset the password.
Every comparable secure application in the net does that (also wordpress itself).
I also recommend to let the admin configure the property via admin-frontend, because the hardcoded stuff may be overwritten on updates.
Hello again,
We will check with our Dev team is there any other options that you can set or this is the only one.
Kind Regards,
Marko Davidovic
[email protected]
Rate my support
wpDataTables: FAQ | Facebook | Twitter | Instagram | Front-end and back-end demo | Docs
Amelia: FAQ | Facebook | Twitter | Instagram | Amelia demo sites | Docs | Discord Community
You can try wpDataTables add-ons before purchasing on these sandbox sites:
Powerful Filters | Gravity Forms Integration for wpDataTables | Formidable Forms Integration for wpDataTables | Master-Detail Tables