Activation key creation not protected

Comments

  • Official comment
    Soraco Technologies

    Hi Moritz

    Sorry for the late reply. There is a restricted set of methods that can be invoked from a URL such as GetActivationKey.

    These methods are not intended to be called from the application. They are intended to be called from your server.

    You can protect these methods by adding the is_user/is_pwd arguments to the URL. The user/pwd specified as an argument to the URL must match the user/pwd configured in the Commerce Providers section (under the Manage Keys tab).

    It is recommended to set a user/pwd to all Commerce Providers, even the ones you are not using.

    If no is_vendor is specified as an argument to the URL method, a default commerce provider is selected as specified by the defaultVendor setting in the Web Service web.config file.

    For more details, check this article:
    https://soraco.zendesk.com/hc/en-us/articles/201702694-How-to-define-the-user-password-associated-to-an-eCommerce-provider

  • Soraco Technologies

    In addition to the above, you can disable these functions as follows (must be using QLM 7.2 or greater):

    • in the QLM Management Console
    • go to Manage Keys
    • click Sites and select your site
    • click the Server Properties tab
    • expand the "security" category
    • uncheck all the methods you would like to disable.
  • Moritz Neikes

    Thanks for the update! We'll have a look at these options