Client Portal Linking Clients With The Same Email Address

While testing my API system, I have created several “test” clients.

  • For some of these clients I used the same email address
  • Each client is given a unique “client ID”
  • In the Client Portal, I notice any clients I used the same email address for have a select box (at the top of the Client Portal, in the header) that allows them to select from the different client accounts that used the same email address.
  • Is there a setting where I can stop this from happening please?
    As this is a security risk!
    A user could enter the email address of a competitor, and then would have access to their accounts/Client Portal…

If there is no setting for this, I feel it needs adding ASAP (Invoice Ninja is clearly linking the emails and clients. Hopefully this is a setting I am not able to find)

Thanks
Jon

As a PS, and to add some usage context:

My sites allow for sign-ups.
I only allow a unique email address, per customer.
However on the billing side of things, it is viable that the customer would use a different “billing email address”.
At present I am allowing them to enter any “billing email address”.
1. I could force the customer to use their unique email address, but as said above, it is viable that they may have a different email they would like to use for billing.
OR
2. I could do a lookup via the API, to check that the email is not already in use, before I add the client; however, I feel this is a workaround (and the lookup would take server resources).

It is also viable that I can have separate customers who are part of the same company (or advertising management agency (we sell advertising)), so they could viably have the same billing email address.

Hi,

I don’t believe this is a security issue; clients would need access to the email address to access the client portal.

Adding a check with the API seems like the right approach…

1 Like

Hello @hillel
Thank you for your fast reply

I will have to try the API lookup option (although there are viable situations where separate clients could want to use the same billing address).
Or it may be better for me to force the user to use their already unique email address.

“clients would need access to the email address to access the client portal.”

Not necessarily, not if I am using the returned data Invoice Link and displaying this link to my user on the website (my user is logged in at this point, so I feel safe to display the link to them). The invoice notification is also emailed to them, but to make things as user friendly as possible, I also display the link to them (well, a “pay now” button).

I kind of agree, it is not much of a security risk, although the way I am using your system, it is kind of a little bit (well, more data protection than a technical security risk).

It would be nice to have a setting of “do not link clients by email” within the portal. This would work for me, and not need me to check on unique email addresses for clients.

Thanks for all the help I get here, to my many questions…
Jon
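The API lookup that hillel suggests and Jon considers above, as an added example that is not part of the thread or of Invoice Ninja's own code: before creating a client with a user-supplied billing email, list existing clients with that address and refuse when any belong to a different site user, since the portal header lets whoever reaches one client's portal switch to every client sharing that address. It assumes a hypothetical `/api/v1/clients?email=` listing endpoint, an `X-API-TOKEN` header, and an `owner_id` field on each client record holding the site user's id; the sample records are constructed.

```python
"""Pre-create billing-email collision check (added example, assumptions
in the comments: endpoint, header and the owner_id field are hypothetical)."""
import json
import urllib.parse
import urllib.request


def normalize_email(email: str) -> str:
    # The portal links clients on the address string, so compare
    # trimmed and case-folded to catch "Billing@Example.com " as well.
    return email.strip().casefold()


def find_conflicts(existing_clients, billing_email, owner_id):
    """Return ids of clients already using billing_email for a different owner."""
    target = normalize_email(billing_email)
    return sorted(
        c["id"] for c in existing_clients
        if normalize_email(c.get("email") or "") == target
        and c.get("owner_id") != owner_id
    )


def fetch_clients_by_email(base_url, api_token, email):
    # Hypothetical endpoint and filter parameter; adjust to the real API docs.
    query = urllib.parse.urlencode({"email": email})
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/clients?{query}",
        headers={"X-API-TOKEN": api_token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("data", [])


def billing_email_is_safe(billing_email, owner_id, lookup):
    """lookup(email) -> list of client records; True when no other owner uses it."""
    return not find_conflicts(lookup(billing_email), billing_email, owner_id)


# Constructed sample records standing in for an API response.
SAMPLE_CLIENTS = [
    {"id": "c1", "email": "billing@example.com", "owner_id": "user-1"},
    {"id": "c2", "email": "Billing@Example.com ", "owner_id": "user-2"},
    {"id": "c3", "email": "other@example.com", "owner_id": "user-3"},
]
```

A read-then-create check cannot rule out two sign-ups racing each other, so treat it as a guard rather than a guarantee. Wire `fetch_clients_by_email` in as the `lookup` argument against a live instance.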

I’m not sure it would be possible to unlink clients with the same email address. If you can access the email you can use the password recovery feature to access the account.

1 Like