[SOLVED] CB Subs - Direct URL access to protected member area

A non-profit client recently had an issue where a non-member accessed the VirtueMart area and purchased an item for sale only to members.  Access is blocked from this area by CB Subs plans and subscriptions.  Or so we thought.  After searching server access logs, I discovered this person came to the item innocently enough through a google published back door – the direct URL to the VM item, which then gave access to the cart and check-out.

Shouldn’t CB Subs prevent direct URL access to listed components?  Menu access to the VM area is restricted to registered, but as we’ve discovered, anyone can access this area.  We’ve been running CB Subs on this site for the last twelve years, and I don’t recall this ever being an issue.   What might I be missing or is this typical?

Thanks,
Ed

J 3.10.11Latest CB/CB Subs

How are you protecting access specifically? CBSubs By URL Part protection? Menu item? ACL (usergroup or view access level)?

Menu item protection only protects access to that specific menu item. Meaning Joomla has to tell us that menu item is being accessed. Don't use that for critical systems as Itemid isn't mandatory in URLs.

By URL Part protection only protects the specific URL parts that you provide. The direct URL to a VM item may not be matching the URLs you've configured and you'll need to add them.

The best protection is ACL. So for example set the access to your item to require a specific usergroup or view access level. Then use CBSubs usergroup parameter to give them the usergroup they need to access that item.

Apparently, I was using only menu protection.  I was not able to find a way to apply ACL to VM’s individual items or categories for front-end access restriction but was successful in blocking direct URL access from within each CB Subs Plan’s component and module integration.  Tests now redirect any direct URL attempts to the registration page. 

Is this a solid fix or might there be other issues caused by this remedy?

Thanks for the poke in the right direction, Kyle!

Ed

That should fix your issue then as By URL Part protection will completely take control over that URL and prevent access if it matches one of the URL Part rules supplied. Only issue I could see is if there's more than 1 completely different URL for accessing that page in which case you'd need to supply By URL Part rules for both URLs.

This is a pretty standard VM application, so I don't think there are any extraneous URLs to worry about.

Thanks again!

Ed