I have installed the latest update of Bricks from version 1.3.1 to 1.3.2.
When the process is completed, I can see the details and within the details I can see the URL the package came from and there is my license number (as a string parameter of the URL).
Anyone who has access to the admin area of the site and applies the theme update could see this information.
If possible, I kindly request to review this solution by adopting a different mechanism (in whatever area is needed) to check if the installed product has an associated license key.
I currently can’t think of another possible solution. What you can do, if you feel like any other user who has admin access to your site would misuse the license key, is to use the white/blacklist feature in your Bricks account. Would that help?
This way, the string gets truncated and the license key is not visible at first glance… but yeah, still showing in the HTML for a second. Show me the guy who's taking screenshots of that.
I see that when we are updating the theme, Bricks will check the license before sending the update file. But what if each license is hashed and the file is served using that hash? Like the WordPress password and a temporary key to send the file. Thank you.
Thank you so much for the suggestion. In WordPress itself, working with the hash is easy, as you only compare the hash against the hash stored in the local installation itself. With Bricks, the hash must be compared with the data on the remote Bricks server.
@lanzoni.nicola Definitely good that we now know about this. As we’ve got a solution/protection via the account black&whitelist, we will keep it in mind, and see how and when we can implement a better update process without revealing the license key.
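The temporary-key idea raised in this thread, as an added example (not Bricks code and not written by any poster): the site sends the license key in a POST body, the update server answers with a package URL that carries only a short-lived HMAC token, and the server verifies that token when the package is fetched. The function names, the `updates.example.test` host, the secret, the `lic_1042` id and the 300-second lifetime are all assumptions.

```php
<?php
// Added illustration; every name, host and value here is hypothetical.
const TOKEN_TTL = 300; // seconds a download link stays valid (assumed)

// URL-safe base64 so the token survives in a query string.
function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Server side: called after the license key (received in the POST body,
// never in a URL) has been checked against the vendor's license database.
function issue_download_url(string $secret, string $licenseId, string $version, int $now): string {
    $payload = b64url(json_encode([
        'lid' => $licenseId,      // internal license row id, not the key itself
        'ver' => $version,
        'exp' => $now + TOKEN_TTL,
    ]));
    $sig = b64url(hash_hmac('sha256', $payload, $secret, true));
    return "https://updates.example.test/download?token={$payload}.{$sig}";
}

// Server side: called when the package URL is fetched.
// Returns the decoded claims, or null if the token is forged or expired.
function verify_token(string $secret, string $token, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        return null;
    }
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < $now) {
        return null;
    }
    return $claims;
}

// Constructed sample run.
$secret = 'server-side-secret-constructed-for-demo';
$url    = issue_download_url($secret, 'lic_1042', '1.3.2', 1000);
$token  = substr($url, strpos($url, 'token=') + 6);

var_dump(verify_token($secret, $token, 1100) !== null); // inside the lifetime
var_dump(verify_token($secret, $token, 1000 + 301));    // after expiry
var_dump(verify_token($secret, $token . 'x', 1100));    // altered signature
```

With this shape, the package URL shown in the update details holds a token that stops working after the lifetime ends, and the license lookup still happens on the remote server, as the reply above points out it must.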