[OJS 3.2.1.1/3.2.0.3] Subscription Module Bug, Article Galley unlocked to public

Hi @asmecher

We may have gotten closer to the cause of the problem - I just received an update:

When any user that is not logged in tries to access PDFs, their user ID is sent as 0. Due to the nature of the original code, it gets ignored. Please see this link for more info: "if statement - ! ( NULL || 0 || '' ) if condition in PHP at the same time" (Stack Overflow)

[Screenshots: original and modified code]

Is this sufficient info to move forward?

Thank you!

Hi @asmecher

Were the screenshots and info enough? This is a pretty big content security risk. It went unnoticed for a while because it kept increasing slowly as individual articles were purchased, but would presumably affect others that have single articles to purchase just the same.

Hi @Facultas,

I’m just back from vacation and will be looking at it this week.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @Facultas/all,

There appears to be a bug related to the purchase of entire issues – see User issue payment unlocks issue globally for users who aren't logged in · Issue #6548 · pkp/pkp-lib · GitHub for details and a patch. (Note that single article purchases are not affected). The fix will be included in OJS 3.2.1-3 (and newer).

Regards,
Alec Smecher
Public Knowledge Project Team
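
The failure mode discussed in this thread (a guest request carrying user ID 0, which a truthiness check then ignores) can be reproduced in a few lines. This is an added illustration, not OJS or pkp-lib code and not the patch from the linked issue; the function names, the payment records and the IDs are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample data: one completed issue payment, made by user 42.
const COMPLETED_PAYMENTS = [
    ['userId' => 42, 'issueId' => 7],
];

/** Weak form (hypothetical): a falsy user ID silently drops the per-user filter. */
function hasPurchasedIssueWeak(?int $userId, int $issueId): bool
{
    foreach (COMPLETED_PAYMENTS as $payment) {
        if ($payment['issueId'] !== $issueId) {
            continue;
        }
        // For a guest, $userId is 0 (or null), so this comparison never runs
        // and another user's payment is accepted as a match.
        if ($userId && $payment['userId'] !== $userId) {
            continue;
        }
        return true;
    }
    return false;
}

/** Hardened form (hypothetical): refuse guests first, then always compare strictly. */
function hasPurchasedIssueStrict(?int $userId, int $issueId): bool
{
    if ($userId === null || $userId <= 0) {
        return false; // not logged in: no payment can belong to this request
    }
    foreach (COMPLETED_PAYMENTS as $payment) {
        if ($payment['issueId'] === $issueId && $payment['userId'] === $userId) {
            return true;
        }
    }
    return false;
}

// Buyer (42), a different logged-in user (99), and two guest representations.
foreach ([42, 99, 0, null] as $userId) {
    printf(
        "userId=%-4s weak=%-5s strict=%s\n",
        var_export($userId, true),
        var_export(hasPurchasedIssueWeak($userId, 7), true),
        var_export(hasPurchasedIssueStrict($userId, 7), true)
    );
}
```

In the weak form only the other logged-in user (99) is denied, while both guest representations are granted access; the strict form grants access to the buyer alone.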