Ability to customize security aspects of {Registration_buttons} macro (warning message, auto-login behavior) in event announcement emails

Current behavior:
When an event announcement email includes the {Registration_buttons} macro:
- the buttons have the ability to auto-login recipients
- a security warning advising against forwarding the email will automatically appear in red at the top

There are some issues with this solution:
- "scary" security warning may reduce attendee engagement
- risks of having autologin link in email might not be clear enough
- there is no customization available (i.e., there is no way to switch off autologin functionality and remove the message)

Desired behavior:
We need to find the proper balance between usability and security here.

7 votes

AdminTeam Events (Event Management, Wild Apricot by Personify) shared this idea

4 comments

  • Steven Jones commented

    At present any announcement email for a simple event using the {Registration_buttons} macro will automatically have a warning message appended to the footer of the email (i.e. …Please, don't forward this email to anyone).
    We would like to be able to change wording and/or styling of the appended message.

  • Anonymous commented

    Currently, all event announcement emails are sent out with an auto-login feature to enable club members to register for an event without the need to manually log in to their WA site. This is a serious security flaw. If an adversary gets their hands on a user’s mailbox (this happens frequently) then they can log in to WA and impersonate the user. If this user is an administrator of the given WA site then the attacker can literally destroy all data, modify them or steal identity information not only of a single user but ALL members and contacts. The adversary may also steal PayPal tokens and POS information. The current time constraint on such links is insufficient because reminder emails also contain auto-login links and they are sent out in intervals that give an attacker a large window for compromise.

    Auto-login should be optional. Organisations that want to use this feature need to be made aware of the risks.

    In particular, I would like to request to make auto-login links in emails to users with administrator privileges optional because of the greater impact of a compromise of such an account and because these users typically log in regularly anyway and have accepted the need for authentication for all their other actions on WA.

  • klm commented

    We have a good number of events where registration is not required, and the general public is invited. We like a general head count to gauge interest, so we love the {Registration_buttons} feature.
    Yet, this "scary" warning reduces the chances someone will invite friends to the event. We've received concerned emails from our members who want to share events, but are warned not to.

    Is there a way to include an option to permit forwarding an email to others that doesn't include the automatic login to an account?

  • kbroders commented

    I think my comment didn't post so I'm going to type it in again. Sorry if I am repeating myself...

    I only need the ability to switch the warning off/on. I can then put my own message in, wherever I want and in my desired color, font, and size. I do not want a big red warning to be the first thing my recipients see. My choice would probably be black, italicized, and small. I would also have a friendlier message -- with a "please"!

    As far as auto-logging in part of the warning, I would hope that a forwarded message would bring up the event but not actually permit registration (payment) or viewing profile information without a password. (E.g., Amazon.com lets you browse to your heart's content but it always asks for a password to check out.)
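
Added example (not part of any comment above, and not Wild Apricot code): one way the controls requested in this thread could fit together, with no auto-login token for administrators or opted-out users, a time-limited token bound to one event, and a password prompt for anything beyond viewing or a free RSVP. All names, the key, the lifetime and the action list are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"          # assumption: server-side signing key
LINK_TTL = 24 * 3600                      # assumption: one-day link lifetime
LINK_SCOPE = {"view_event", "rsvp_free"}  # assumption: actions a mailed link may do alone

def _sign(body: bytes) -> str:
    mac = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_link_token(user, event_id, now=None):
    """Return a token for the email button, or None when auto-login is off."""
    if user["is_admin"] or not user.get("autologin_enabled", True):
        return None  # admins and opted-out users get a plain link to the login page
    exp = int(now or time.time()) + LINK_TTL
    claims = {"uid": user["id"], "evt": event_id, "exp": exp}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)

def authorize(token, action, event_id, password_ok=False, now=None):
    """Decide what a request arriving with a mailed token may do."""
    try:
        body, sig = token.split(".")
        # Constant-time comparison; claims are parsed only after the MAC checks out.
        if not hmac.compare_digest(sig, _sign(body.encode())):
            return "deny"
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError, TypeError):
        return "deny"  # missing, malformed or non-ASCII token
    if claims["exp"] < (now or time.time()) or claims["evt"] != event_id:
        return "deny"  # expired, or replayed against a different event
    if action in LINK_SCOPE:
        return "allow"
    # Payment, profile and admin actions need a fresh password even with a valid
    # link, so a forwarded or stolen email cannot reach them.
    return "allow" if password_ok else "require_password"

if __name__ == "__main__":
    member = {"id": 7, "is_admin": False}  # constructed sample users
    admin = {"id": 1, "is_admin": True}
    token = issue_link_token(member, "evt-42")
    print(issue_link_token(admin, "evt-42"))
    print(authorize(token, "view_event", "evt-42"))
    print(authorize(token, "pay", "evt-42"))
```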
