eventconfig

Differences

This shows you the differences between two versions of the page.

eventconfig [2025/07/12 18:07] wikiadmin
eventconfig [2025/07/12 19:48] (current) wikiadmin
Line 17: Line 17:
     - Wild Apricot's documentation reads as if you must be logged in as a member to use a Member-restricted Ticket Type.     - Wild Apricot's documentation reads as if you must be logged in as a member to use a Member-restricted Ticket Type.
       * Their [[https://gethelp.wildapricot.com/en/articles/103-advanced-events-ticket-types-settings-tab|Advanced events — Ticket types & settings tab]] help page says: //Depending on whether they are logged on or not, some member-only ticket types may not be available. If they are not logged in, but their email is stored in your contact database, they will be prompted to log in.//       * Their [[https://gethelp.wildapricot.com/en/articles/103-advanced-events-ticket-types-settings-tab|Advanced events — Ticket types & settings tab]] help page says: //Depending on whether they are logged on or not, some member-only ticket types may not be available. If they are not logged in, but their email is stored in your contact database, they will be prompted to log in.//
-      * When you start a registration not logged in but using a contact email address, it displays this message in a box with a "Login" button: "//Your email is already in our database. You can log in to auto-fill your contact information – and enable any member-only ticket types – or proceed with the registration without logging in.//" This also supports that you must be logged in to use a Member-restricted Ticket Type, however if the email address is for a member, then any member-restricted ticket type is select-able, which contradicts that if the user notices the Ticket Type being select-able. +      * When you start a registration not logged in but using a contact email address, it displays this message in a box with a "Login" button: "//Your email is already in our database. You can log in to auto-fill your contact information – and enable any member-only ticket types – or proceed with the registration without logging in.//" This also suggests that you must be logged in to use a Member-restricted Ticket Type. However, if the email address is for a member, then any member-restricted ticket type is already select-able without you being logged in, which contradicts that if you notice the Ticket Type is select-able. 
-      * When you start a registration not logged in and using a non-contact email address, it displays this message in a box with an "Apply for membership" button:"//Note: some ticket types are only available for members.//"+      * When you start a registration not logged in and using a non-contact email address, it displays this message in a box with an "Apply for membership" button: "//Note: some ticket types are only available for members.//"
     - So the reality is that to use a Member-restricted Ticket Type you only need to enter a current member's email address when you start the registration, then at the next step Wild Apricot will let you choose a Member-restricted Ticket Type even though you have not logged in.     - So the reality is that to use a Member-restricted Ticket Type you only need to enter a current member's email address when you start the registration, then at the next step Wild Apricot will let you choose a Member-restricted Ticket Type even though you have not logged in.
     - Note that a contact must be logged in to have it automatically fill in their contact information for the registration, or to use their stored credit card to pay.     - Note that a contact must be logged in to have it automatically fill in their contact information for the registration, or to use their stored credit card to pay.
     - But when not logged in, they can register with a Member-restricted Ticket Type by filling in the registration information by hand, and can pay for it if they supply a credit card. The resulting registration and payment will be recorded as if made by the member whose email address was used, despite no login.     - But when not logged in, they can register with a Member-restricted Ticket Type by filling in the registration information by hand, and can pay for it if they supply a credit card. The resulting registration and payment will be recorded as if made by the member whose email address was used, despite no login.
     - However, the registration email address will be the members email address, which is what allowed the use of a Member-restricted Ticket Type in the first place. Thus, the member will receive all the email(s) about the registration(s), making it clear that it happened.     - However, the registration email address will be the members email address, which is what allowed the use of a Member-restricted Ticket Type in the first place. Thus, the member will receive all the email(s) about the registration(s), making it clear that it happened.
-    - This behavior causes several security vulnerabilities in Wild Apricot. +    - This behavior causes several security vulnerabilities in Wild Apricot. Note that ALL Wild Apricot-based websites have these 2 security vulnerabilities. Since Wild Apricot is widely used, it's less unlikely than you might first guess that someone expend the effect to exploit these vulnerabilities, 
-      * First, you can use this behavior to discover whether an email address is a contact, or if it is a member. +      * First, someone could use this behavior to discover if an email address is a contact, or if it is a member. 
-      * Second, someone who knows a contacts email address can create registrations as if them, despite not knowing the contacts password, and there is no record of who actually did it. Registrations created while not logged in can use any name, since Wild Apricot does not require that the registration name or the the payer name be the same as the members contact name. Likewise for the address. +      * Second, someone who knows a contacts email address can create registrations as if them, despite not knowing the contacts password, and there is no record of who actually did it. Registrations created while not logged in can easily use any name, since Wild Apricot does not require that the registration name or the the payer name be the same as the members contact name. Likewise for the address. 
-      * The name or address entered for a registration does not replace existing contact information, only exists in that registration.+      * Thankfully, the name or address entered for a registration does not replace existing contact information, only exists in that registration.
 ====How FSGW handles member ticket types==== ====How FSGW handles member ticket types====
   - When FSGW started using Wild Apricot in 2018, they chose to use the "Honor System" for member Ticket Types, where they were not made member-restricted. The 2 main reasons for this, to Will's recollection, were:   - When FSGW started using Wild Apricot in 2018, they chose to use the "Honor System" for member Ticket Types, where they were not made member-restricted. The 2 main reasons for this, to Will's recollection, were:
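Review bot: The sentence added to the "This behavior causes several security vulnerabilities in Wild Apricot." line is unfinished and hard to parse: it ends on a comma, "someone expend the effect" should read "someone would expend the effort", and "less unlikely" is a double negative. Suggested wording: "Since Wild Apricot is widely used, it is more likely than you might first guess that someone would expend the effort to exploit these vulnerabilities." The same line says "several" and then "these 2", so pick one count. The statement that ALL Wild Apricot-based websites are affected is broader than anything shown in these lines; consider saying what it was verified against, or scoping it to sites that offer online event registration. In the second bullet, "the the", "contacts email address", "contacts password" and "members contact name" are still uncorrected, and "there is no record of who actually did it" would be worth pairing with the earlier point that the member receives all the registration emails, since that is the only detection signal described here.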
Line 36: Line 36:
     - Will does not recall any user support issues when this change happened, indeed he did not notice that it had happened until July 4.     - Will does not recall any user support issues when this change happened, indeed he did not notice that it had happened until July 4.
     - It's puzzling to Will that a significant change like this was made without any announcement inside or outside FSGW.     - It's puzzling to Will that a significant change like this was made without any announcement inside or outside FSGW.
-  - What would the impact be on weekly ECD registration if Wild Apricot now made their online registration work as it is documented, by requiring a login to use a Member-restricted Ticket Type?+  - What would the impact be on weekly ECD registration if Wild Apricot now made their online registration work as it is documented, by requiring a login to use a Member-restricted Ticket Type? Ditto for other events now using member-restricted Ticket Types, like Contrastock 13.
     - It is common for FSGW members to register without logging in, by using their member email address, even though they could login.     - It is common for FSGW members to register without logging in, by using their member email address, even though they could login.
       - Wild Apricot's poorly designed registration User Interface encourages this behavior. This part of their registration UI has been like this at least since 2018. Based on that, it seems unlikely to improve any time soon.       - Wild Apricot's poorly designed registration User Interface encourages this behavior. This part of their registration UI has been like this at least since 2018. Based on that, it seems unlikely to improve any time soon.
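Review bot: The added "Ditto for other events now using member-restricted Ticket Types, like Contrastock 13." is a fragment hanging after the question mark, so the question itself still asks only about weekly ECD registration. Fold it into the question, for example "What would the impact be on weekly ECD registration, and on other events now using member-restricted Ticket Types like Contrastock 13, if Wild Apricot now made their online registration work as it is documented, by requiring a login to use a Member-restricted Ticket Type?" The sub-items that follow describe member login habits in general, so they read correctly once the question covers both cases.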
eventconfig.1752368874.txt.gz · Last modified: by wikiadmin