Since the order page is only really needed to confirm a successful order, I could imagine it would be possible to only display its contents for logged-in users after a certain timeout period, or only render it once upon a successful order?
Another idea would be to simply not have the order page contain any valuable information, for example black out name/address and only display something relevant like the status of the order (‘confirmed’, ‘shipped’)…
A confirmation email with full order details should be sent anyway, I believe. One could generate some random hash for every completed order, and have the confirmation mail include a link to the order page with the parameter attached, without which the page won’t display…?
ex. https://yoursite.com/orders/ucvrarofkwltkjhv?5581672209
-> page renders normally
ex. https://yoursite.com/orders/ucvrarofkwltkjhv
-> redirects to homepage
Maybe a combination does the trick: display the order page once after a completed order, afterwards only to logged-in users, except if the hash string matches.
If you want to go even further, I guess using a secure enough string, one could provide the option to change order details, i.e. if a customer made a typo in their address or something, without needing to log in – but I’m far from a security expert so I will not be taking any chances with this!
Edit:
Thanks for bringing this point up. I’ve implemented this in a very basic way and it seems to be working:
```php
<?php
// config.php

// Sends the order confirmation, including the tokenised link to the order page.
function sendConfirmationMail($orderPage, $urlWithHash) {
    kirby()->email([
        'from'    => 'test@your.site',
        'to'      => (string)$orderPage->email(),
        'subject' => 'Thanks for your order!',
        'body'    => 'Dear ' . $orderPage->name() . ', you paid ' . formatPrice($orderPage->cart()->getSum()) . '. Order summary: ' . $urlWithHash,
    ]);
}

return [
    'hooks' => [
        'ww.merx.completePayment:after' => function ($orderPage) {
            // 128-bit random token, stored on the order page and appended to its URL
            $hash = bin2hex(random_bytes(16));
            $urlWithHash = url($orderPage->url(), ['params' => ['q' => $hash]]);
            $orderPage->update([
                'hash' => $hash,
            ]);
            sendConfirmationMail($orderPage, $urlWithHash);
            // redirect the customer to the order page right after the purchase
            go($urlWithHash);
        },
    ],
    'email' => $your_email_settings,
];
```
```php
<?php
// templates/order.php
if (!kirby()->user()) {
    $hashparam = param('q');
    // an order without a stored hash or a request without the param never passes;
    // hash_equals() compares in constant time instead of leaking matched bytes via timing
    if ($page->hash()->isEmpty() || $hashparam === null || !hash_equals($page->hash()->toString(), $hashparam)) {
        sleep(1); // increased safety measure idk if it's necessary
        go('/');
    }
}
?>
<!-- order page -->
```
Edit 2: updated the snippets above to properly redirect the customer to the order page after their purchase.
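One way to implement the combination suggested above (show the page once right after checkout, afterwards only to logged-in users or with a matching token, and let the token expire), as an added example that is neither from this post nor from the Merx plugin. It assumes the `completePayment:after` hook also writes a `hashexpires` field and stores the order page id in the session under `merx.justOrdered`; both names are assumptions.

```php
<?php
// templates/order.php (added example, not from the post or the Merx plugin).
// Assumed page fields written by the completePayment:after hook: 'hash' (the token)
// and 'hashexpires' (unix timestamp, e.g. time() + 7 * 86400).
// Assumed session key 'merx.justOrdered' holding the order page id right after checkout.
// Pure access decision with no Kirby calls, so it can be unit-tested on its own.
function orderPageVisible(
    bool $loggedIn,
    ?string $justOrderedId,
    string $pageId,
    ?string $givenToken,
    string $storedToken,
    int $tokenExpires,
    int $now
): bool {
    // 1. Logged-in users can always see the order.
    if ($loggedIn) {
        return true;
    }
    // 2. Exactly one view directly after a completed order (session flag).
    if ($justOrderedId !== null && $justOrderedId === $pageId) {
        return true;
    }
    // 3. Emailed link: the token must be set, unexpired and match in constant time.
    if ($givenToken === null || $storedToken === '' || $now > $tokenExpires) {
        return false;
    }
    return hash_equals($storedToken, $givenToken);
}

$session     = kirby()->session();
$justOrdered = $session->get('merx.justOrdered');
$allowed     = orderPageVisible(
    kirby()->user() !== null,
    is_string($justOrdered) ? $justOrdered : null,
    $page->id(),
    param('q'),
    $page->hash()->toString(),
    $page->hashexpires()->toInt(),
    time()
);
// The one-time view is consumed on this request, whatever the outcome.
$session->remove('merx.justOrdered');

if (!$allowed) {
    go('/');
}
?>
<!-- order page -->
```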