Prevent self purchasing

Can vendors be prevented from purchasing their own listings? Just had several attempts to use stolen cards by creating their own vendor account and trying to purchase their own service. Seems to be a security loophole or is there a fix I have overlooked?


Hi,

Please send more details about this question, and we will do our best to help you.

A new vendor account was created.
That vendor created a listing to sell digital services.
The same vendor was then able to order their own services.

So Vendor (x) created an account and listing then purchased those Vendor (x) services using stolen cards and approved both the buy and sell of those services since they were the buyer and seller.

This seems to be a security loophole. This person attempted to use 4 different credit cards that were not theirs to order, pay, and approve the buy/sell process. The first card was processed but when a second was done only a few minutes later and we took a closer look, the cards were different and we paused the account. The person tried to use two more cards using the same method.

Please try this PHP snippet

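add_filter(
	'hivepress/v1/templates/listing_view_page/blocks',
	function( $blocks, $template ) {
		// Listing shown on the current listing view page.
		$listing = $template->get_context('listing');
		
		if(!$listing){
			return $blocks;
		}
		
		// Vendor that owns the listing.
		$vendor = $listing->get_vendor();
		
		if(!$vendor){
			return $blocks;
		}
		
		// User account behind the vendor profile.
		$user = $vendor->get_user();
		
		// Leave the page unchanged unless the viewer is the listing's own vendor.
		if(!$user || get_current_user_id() !== $user->get_id()){
			return $blocks;
		}
		
		// Take the purchase form out of the template blocks.
		hivepress()->template->fetch_block($blocks, 'listing_buy_form');
		
		return $blocks;
	},
	1000,
	2
);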

Will this block the purchase at the ( “buy” before payment information is entered ) or ( “place order” after payment information has been entered )?

This code snippet will remove the purchase form entirely (from the listing page sidebar).

I’ve tried this snippet but to no effect. As a logged in vendor I can see and book my own listings.
This is very important to prevent fraud cases in our platforms.

The suggested snippet is for the purchase form (added by Marketplace), if you also use Bookings please use the same snippet but replace “listing_buy_form” with “booking_make_form”.

I also dropped an additional PHP snippet to hide the buy button from a vendor viewing their own offer. I am not promoting the use of this but in addition to the above snippet it achieved all my goals.

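// Get the current user's ID (0 when no session value is set).
$user_id = isset( $_SESSION['user_id'] ) ? (int) $_SESSION['user_id'] : 0;

// Get the ID of the offering that the user is trying to order.
$offering_id = isset( $_GET['offering_id'] ) ? (int) $_GET['offering_id'] : 0;

// Get the vendor ID of the offering.
// get_offering_vendor_id() is not defined in this snippet and must be supplied.
$vendor_id = $offering_id ? (int) get_offering_vendor_id( $offering_id ) : 0;

// Check if the user is the vendor of the offering.
if ( $user_id && $user_id === $vendor_id ) {

  // Disable the "Buy Now" button in the browser.
  echo '<script>document.getElementById("buy_now_button").disabled = true;</script>';

}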
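
The snippets in this thread change what the listing page shows. As an added example (not HivePress's own code and not from any poster above), the same ownership test can also be enforced on the server when the cart is validated at checkout, assuming orders go through WooCommerce. It further assumes that Marketplace stores each listing's product as a child post of the `hp_listing` post and that the listing's `post_author` is the vendor's user; `example_user_owns_product` is a hypothetical helper name.

```php
<?php
// Added example, not HivePress code. Assumptions to verify on your install:
//  - each listing's WooCommerce product is a child post of the listing
//    (post_parent = listing ID);
//  - the listing's post_author is the vendor's user account.

/**
 * Return true when $user_id owns the listing that sells $product_id.
 */
function example_user_owns_product( int $product_id, int $user_id ): bool {
	if ( $user_id <= 0 ) {
		return false; // Not logged in, so no listing can match.
	}

	$product = get_post( $product_id );
	if ( ! $product || ! $product->post_parent ) {
		return false; // Not a product attached to a parent post.
	}

	$listing = get_post( $product->post_parent );
	if ( ! $listing || 'hp_listing' !== $listing->post_type ) {
		return false; // Parent is not a HivePress listing.
	}

	// post_author is stored as a numeric string, so cast before comparing.
	return (int) $listing->post_author === $user_id;
}

// Runs on the server whenever WooCommerce validates the cart, including
// during checkout, so it does not depend on what the listing page renders.
add_action(
	'woocommerce_check_cart_items',
	function () {
		$user_id = get_current_user_id();

		foreach ( WC()->cart->get_cart() as $item ) {
			if ( example_user_owns_product( (int) $item['product_id'], $user_id ) ) {
				// An error notice stops the order from being created.
				wc_add_notice( 'You cannot purchase your own listing.', 'error' );
				return;
			}
		}
	}
);
```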
