I submitted an invoice to a customer, they could directly navigate to the invoice and then see previous invoices too - they were not logged in.
Does the link to the invoice automatically log them in, or is this a security issue/bug?
Can I turn this feature off? It doesn’t seem very secure for them to have full access to their history, instead of just the invoice sent (unless they explicitly log in).
This is by design. The link sent in the email has the user credentials encrypted within so the user is automatically logged in.
You can disable this feature by selecting the enforce client login option in the client management area.
The client area uses a looser security model. When you’re sending invoices you typically want to minimise barriers that give clients excuses not to pay or defer. As @Lurch points out, you can enforce manual login if you prefer.
The client area security is based on the premise that only the client will have access to their inbox. Even if it were password protected, anybody with access to the client’s inbox could reset the password and access the account without too much trouble.
I have no problem over this with the primary contact but we do have cases where we suspect that the client may be unhappy about a secondary contact seeing more than the invoice that they have been copied on. (I have been very careful NOT to ask about this)
Not something that we have had feedback on but worth keeping in mind if security in this area is readdressed.
You can disable the auto login so no problems there is this is an issue.
I think really if your client doesn’t want people seeing more than the invoice they have been copied in on then your client probably has bigger security issues than them seeing previous invoices.
This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.
