Gift/Redemption Codes: Any Protection From Misuse?!

Hello! I'm using S2 Member Pro and I'm really enjoying it so far. I was trying to configure a gift-page lately and got very confused.

  1. As shown in the tutorial I have a protected page with a shortcode [s2Member-Gift-Codes discount="15.00" quantity="1" /] and a page, where anyone can buy access to it for $15. So anyone can pay me $15, get a code and use it as a gift. So I thought about adding a gift-certificate to this page. The user could download it, fill it in with this code and send it to a friend.

  2. I made a test. So I had a user, who bought an access for $15. Immediately after the purchase this user came to the protected page to see this code: GC0K2Z… and so on…

This same user got an email with a link to the protected page. Following the link he came on the protected page to see the code: GC0K3FS… Well, a different one!

Now this same user makes a mistake (or makes it with a purpose). He does not send the gift-certificate with the first code to his friend, he is just sending him the link!!!

His friend comes to my website, he is a new user, he gets $15-code, now the third one!

I tried to put all 3 codes while making a check-out. All of them work…

3 times $15 gift for one purchase? What am I doing wrong?!

P.S. I started the test because I thought: What if someone would buy the access to the page several times? I mean, if he wants to have 2 or 3 gifts… Well, it worked fine, a new purchase – a new code for the same user. But the problem with the link remains…

Here is the older topic with the same problem

Hi Julia.

Are you following this tutorial?

What restriction are you using to protect the page where the gift codes are generated? Are you using the Specific Page Access restriction? That one doesn’t require the person to be logged in, the special link he gets has the credentials to view the page. So if he shares that link, it’s like sharing his login credentials.

I think he’d be less likely to share his login credentials than a link. You could have the person create an account when he’s checking out and use a level or ccap to protect the page with the gift codes.

Could you send me a message with a link to the page with the gift codes, and a link to the page to pay for access to it and a code to test it? I’ll try to reproduce what you’re saying to understand it better.

Thanks!

Thank you for your answer.

Yes, it is the tutorial I've used to configure both pages. I used Specific Page Access restriction for the page, that generates a gift code.

So if he shares that link, it’s like sharing his login credentials.

Now I understand better how it works, so it explains completely the situation I got. Thank you!

I'm actually surprised, that it's working this way because it really gives an opportunity to abuse the access. And I totally agree that any user would be less likely to share his login but can think that it's ok to share the link! It could possibly help to add some “rules” to the mail the user gets after paying “specific page access” but I couldn't find any way to change this mail. Is it possible to set up this email without changing the plugin code?

You could have the person create an account when he’s checking out and use a level or ccap to protect the page with the gift codes.

Well, I thought about it! But I'm still wondering, what will happen, if this same user wants to buy a second gift certification. Or a third one.

I mean, it's unlikely that someone wants to buy 5 or 10 certificates at once. So I really just need a page, that generates 1 code like in my example. I would protect this page with ccap. What would happen, when this same user (now logged in) wants to purchase the same ccap one more time and does so? Would he get a new code? I guess it will still be the same code… So I would need to make new pages like “your gift certificate 2”, “your gift certificate 3”…

Could you send me a message with a link to the page with the gift codes, and a link to the page to pay for access to it and a code to test it? I’ll try to reproduce what you’re saying to understand it better.

I could make new pages for your test but for me that

Are you using the Specific Page Access restriction? That one doesn’t require the person to be logged in, the special link he gets has the credentials to view the page. So if he shares that link, it’s like sharing his login credentials.

already explains everything. So the Specific Page Access restriction works exactly how you have described it. I just do not trust my users as much ))

I’m glad I could clarify how it works.

I couldn't find any way to change this mail. Is it possible to set up this email

Sure, you’ll find the setting here: WP Admin > s2Member > PayPal Options > Specific Page/Post Confirmation Email (or Stripe Options if you’re using that gateway)

I'm still wondering, what will happen, if this same user wants to buy a second gift certification. Or a third one.

Ah, I see what you mean… If he goes back to that page where the gift certs generator is, it’ll show the original created for him and its used status.

As long as the shortcode, the page ID, and the user are the same, the generated code will be the same, but if you change one of those three, new codes are generated.

So if you change the generator to create more codes now, even the first one will change…

I can see how this can be improved. I’m making a note of it as a feature request for future improvement.

In the meantime, yeah, if you want to sell several coupon codes to the same user, you would either have separate pages (or use conditionals on the same page) and sell separate ccaps for each, or you can use the Specific Post/Page Restriction.

If I had to do this for myself in your situation, I’d probably go with the Specific Post/Page Restriction, set the time to only 1 hour (use the exp attribute in the pro-form shortcode). That would be enough for him to go get the code right away, but maybe he won’t be quick enough to think about abusing the system. WP Admin > s2Member > PayPal Pro-forms > Shortcode Attributes Explained > exp

You can also make the Unique IP restriction a bit tighter. WP Admin > s2Member > Restriction Options > Unique IP

Does that help?
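An added illustration of the behaviour discussed in this thread (not part of any post, and not s2Member's code or its real derivation): a PHP model in which the code is a function of the shortcode, the page ID and the viewer, next to a variant bound to the payment instead. The HMAC construction, the secret, the viewer labels, the page ID and the transaction IDs are all assumptions made for the example.

```php
<?php
// Added illustration, not s2Member's code: the HMAC derivation, secret,
// viewer labels and transaction IDs are all assumptions.
const DEMO_SECRET = 'constructed-demo-secret';

// A code that is a pure function of (shortcode attributes, page ID, subject):
// the same three inputs always give the same code; change one and it changes.
function derive_code(array $shortcode, int $page_id, string $subject): string
{
    ksort($shortcode); // attribute order must not matter
    $material = json_encode([$shortcode, $page_id, $subject]);
    $mac = hash_hmac('sha256', $material, DEMO_SECRET);
    return 'GC' . strtoupper(substr($mac, 0, 12));
}

// Codes handed out over a series of page views. With $bind_to_txn = false the
// subject is whoever is viewing; with true it is the payment that unlocked
// the page, so every holder of the access link sees the same code.
function issued_codes(array $visits, bool $bind_to_txn): array
{
    $shortcode = ['discount' => '15.00', 'quantity' => '1'];
    $page_id = 42; // constructed page ID
    $codes = [];
    foreach ($visits as $visit) {
        $subject = $bind_to_txn ? 'txn:' . $visit['txn'] : 'viewer:' . $visit['viewer'];
        $codes[] = derive_code($shortcode, $page_id, $subject);
    }
    return array_values(array_unique($codes));
}

// Constructed visits: one $15 purchase, three views of the protected page.
// Assumption: each view is treated as a different viewer, which matches the
// three different codes reported in the thread.
$visits = [
    ['viewer' => 'buyer-after-checkout', 'txn' => 'TXN-0001'],
    ['viewer' => 'buyer-via-email-link', 'txn' => 'TXN-0001'],
    ['viewer' => 'friend-via-shared-link', 'txn' => 'TXN-0001'],
];

printf("per viewer:      %d code(s) for one purchase\n", count(issued_codes($visits, false)));
printf("per transaction: %d code(s) for one purchase\n", count(issued_codes($visits, true)));

// A second purchase by the same buyer still gets its own code.
$visits[] = ['viewer' => 'buyer-after-checkout', 'txn' => 'TXN-0002'];
printf("two purchases:   %d code(s)\n", count(issued_codes($visits, true)));
```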