Create Captcha form for ILL and Woodruff non-Emory patron fine payments
Closed this issue · 14 comments
Is your feature request related to new functionality not yet included in the product? Please describe.
Not new functionality, just need a form with Captcha (or other method) to guard against bots submissions through Payeezy forms.
Currently, these two payment pages on the site were unpublished due to the bot submissions.
https://prod.libraries.emory.edu/woodruff/woodruff-library-user-payments
Is your feature request related to a problem or a change to existing functionality? Please describe.
A problem. The Payeezy form, although it has a reCAPTCHA option, was not protecting against submissions.
Describe the solution you'd like
A Drupal form with patron information (needed to match the user with the simple Payeezy form) and Captcha. Once submitted the patron would be taken to the Payeezy form, or a "thank you" page with the Payeezy link button.
Describe alternatives you've considered
reCAPTCHA didn't work, so this is the next step, unless the restrictions can be tweaked. The other option is non-Emory patrons physically coming to the building to make their payments.
How will this impact users?
Non-Emory patrons will be able to make payments online, staff won't need to take money or checks at the desk.
Additional context
Add any other context or screenshots about the feature request here.
we can see if this can work for pages, I think what we have currently works specifically for webforms but I'm not sure.
We'll look at reworking these pages into drupal webforms with our standard anti-bot protections, and adding the payeezee button to the message you get after successfully submitting the form.
Questions for stakeholders:
- Are the payeezee buttons different?
- What patron information would ILL like to collect?
https://dev.libraries.emory.edu/admin/structure/webform/manage/main_ask_a_librarian_form/settings/confirmation < wysiwyg to add html button link to payeezy.
also @cwbragg can you check on the required field Patron ID on the woodruff form? can they specify if that is always a certain quantity or range of digits? my employee ID is 7 digits but i'm not sure if that's what theyr;re asking for or if that length holds true for all logins. thanks!
Woodruff
WSP-EMORY-fjSb0gDk6g
ILL
WSP-EMORY-GQ7e2gDmaA
Based on comparing the endpoints, it looks like there are consistently these identifiers that are different between the 2 payment buttons on the forms. There is an "&order=" added to the url as well, so we need to see what code that entails from the payeezy side. There is also an option in the webform confirmations that allows it to go directly to a url so i was thinking we could use that instead of making the button on the confirmation message.
What i have so far is on the branch 36-payment-forms but I need the above info before I can proceed further.
WIll have to make the change to the page directly on prod, swapping out the embedded libwizard forms for a drupal blocks that contain the new webforms.
The payeezee buttons are different.
What patron information would ILL like to collect? Update: ILL is meeting to discuss this week (11/13/23).
I've asked Jenny, Kathy Britt (who is now part of the conversation), and Lyndon Batiste about the patron ID number length. I'll keep you posted here!
Update from Jenny Vitti regarding where scammers are getting in:
It was our actual ILL Payeezy account (and I believe the actual LSD Payeezy account) that were being used to charge random people. The finance department really didn’t seem to know what was going on when Kathy contacted them, either. We found out about the attack when received the email confirmations to our account email address (mainlend@emory.edu), and we could see (and reverse) the transactions when logged in to our ILL Payeezy account. The attackers seemed to be using the button on the Drupal page to initiate the charges, because when I unpublished that page (for ILL), the charged stopped immediately.
It is a Payeezy problem, but seems to be specifically tied to the Payeezy button (on our pages) – that is, the scammers had to go through that entry point to access our account; they didn’t have a way to access the account directly without the button.
@cwbragg did the ILL dept ever get back to you with what info they want the form to collect?
and is it possible for me to get into the payeezy account?
got this info from Kathy in ILL dept:
I just got out of our ILL team meeting and have some updates on what we need on our Drupal forms for Payeezy.
Borrowing form
We’d like the following fields
i. “Name”
ii. “NetID or EmplID”
iii. “ILLiad TN or Title”
Please have MAINILL@emory.edu the recipient of the email from the form
Lending form
We’d like the following fields
i. “Institution Name or Symbol”
ii. “Invoice or ILL request #”
iii. “Amount”
Please have MAINLEND@emory.edu the recipient of the email from the form
All fields should be “freeform” allowing the patron or borrowing library to enter the info without restriction
Also, Jenny said that she got the HTML code for the Payeezy button directly from Payment Services. We need to use our existing button for Payeezy, and NOT copy the button from the Library Service Desk form…we have separate Payeezy accounts.
waiting to hear back from Chuck in Payment Services about Payeezy codes. Moving this back into blocked until we do.
I am looking at either having the submit button redirect to the payeezy site or having the confirmation screen show the link to it. I believe one or both of these will work.
We've heard that Payeezy may be going away, but I also figured out a fairly simple workaround to use exactly what's in place but put it behind a very basic webform.
rough example on dev and if it works for the original requestors, i’m happy to take the steps to clean it up and get it on prod.
start here: https://dev.libraries.emory.edu/clare-form-test-pre-page
and then when you submit that page, it directs you to basically the existing page with the pay link. idk why i didn’t think of that before.
if they don't want that, then i propose we close this ticket and start fresh whenever the payeezy stuff is resolved.
@cwbragg
With Payeezy no longer available, let's close this ticket. We can create a new one if needed at some point in the future.