Membership 2 Pro: "Pending" Membership and Automatic Membership

I've noticed that after a person clicks on a [ms-membership-buy id=XXXX] link, they have a "pending" membership to the XXXX membership that shows up on their account overview page.

Is this the expected behavior? If so, is it related to the particular shortcode I'm using, and is there a way around it? I don't want people to have a pending membership just by visiting it.

  • Kasia Swiderska

    Hello kalico,

    Pending usually means that payment is processed. What type of the membership is that? What payment gateway is used?
    Or maybe it is second membership they are trying to join?
    If you don't allow for user to have multiple membership and this one is free then yes, this is correct behavior. Second membership will not be pending when first one will not be active for member (second memberships waits for its turn).

    kind regards,
    Kasia

  • kalico

    Thanks Kasia Swiderska This is a free membership, so there is no reason for it to be "pending". We're not using a gateway.

    And yes, multiple memberships are possible. But the user is pending in two memberships at once.

    But the bigger problem is that these memberships require an invitation code -- which apparently is not being honored.

    The VERY strange thing is that the user has only VISITED the page (via the "buy" link). They did not proceed to actually register for the membership. Not only is the membership "pending" after just a visit, additionally, the user is being ADDED to the membership after some period of time (perhaps on a cron job?) WITHOUT putting in the invitation code.

    This is very undesirable. We must not allow memberships without the code.

    Perhaps I am doing something wrong. Is there another way I should set this up? Should I not use the "buy" shortcode? (I used it because I want just a link to that ONE membership, not to a list of memberships to choose from).

    Here is what I want:

    - Free memberships (all of them)
    - Requires invitation code (all of them)
    - NEVER allows the user to join the membership without putting in the invitation code
    - the user can "look" (at a description page) without joining
    - user can have multiple memberships (I have set the upgrade paths already, those seem to work fine so far)

  • Kasia Swiderska

    Hello kalico,

    I'm sorry for delay on our end. I tested first on your site and then I tested on my fresh environment with the same settings as on your site.
    And I was able to replicate the same issue - first I thought that this is problem with memberships page lacking [ms-membership-signup] shortcode as it is required to be used - but it was not it (my lab page has standard default pages for memberships list and registration page).
    You are right - each 6 hours there is task running that checks the status of the subscriptions - it can be forced and when I did that, each vistor that tried to join membership protected by invitation code was simple added to membership.
    Of course that should not work that way - their membership should not be active by any circumstances until the add invitation code.

    I'm marking this as bug and letting developer know right away.

    kind regards,
    Kasia

  • kalico

    Thank you so much, Kasia Swiderska That makes perfect sense and explains why it seemed to be intermittent, or sometimes would happen in 1 minute, other times would show up the next day.

    So I have two questions:

    1) Is there a way to turn off that task, or make it behave, while waiting for the official fix?
    2) You mentioned that [ms-membership-signup] is required....never mind the bug for a moment, should I be using that shortcode instead for any other reasons?

    Thank you again. I'm sorry for getting antsy -- we are so close to launch and this is the one thing standing in the way. You've been a huge help!

  • kalico

    Hi Kasia Swiderska - sorry, I'm getting impatient again. It's very unusual for the WPMUDEV team to be this slow in responding. I have my entire staff breathing down my neck about this website, and I have no answers to give anyone. I realize you can't provide a timeline for the bug fix, but can you at least tell me if I can turn off that task? run it manually? do *something* to fix this problem temporarily?

  • Kasia Swiderska

    Hello kalico,

    I'm sorry for delays on our end.

    1) Is there a way to turn off that task, or make it behave, while waiting for the official fix?

    This is cron task that runs every 6h to check status of subscriptions - this one check if subscriptions were paid or not and if they should stay active or not, it is responsible for sending emails. Because it depends on WP CRON disabling it should also disable this check... but it will also disable all there things that works on cron. Disabling CRON can be done by adding this line

    define('DISABLE_WP_CRON', 'true');

    to wp-config.php file. At the moment I don't know if there is any other way on how to disable it directly in Membership 2 Pro, so I will send message to developer if that is possible.

    2) You mentioned that [ms-membership-signup] is required....never mind the bug for a moment, should I be using that shortcode instead for any other reasons?

    Changing, renewing, canceling membership is done through membership list pages - and that shortcode is required there for all that to work properly.

    kind regards,
    Kasia

  • kalico

    Thanks, Kasia Swiderska I found a plugin called WP Crontrol that allows granular control over individual cron jobs. I think I can mange it with that. But ideally, there should be some sort of hotfix I can apply in M2Pro, because I'm guessing that stopping the task is only going to delay the problem temporarily.

    I really also need to check the list of pending items and make sure that there is no one who has a pending membership that should not get it.

    This is a major security issue for us, and a huge deal breaker for my company if we can't get this resolved quickly. I've already been asked if we should use a different program -- but we built our entire site around it for the past year, so ditching M2Pro would be a devastating blow. But seriously -- this is about as big as it gets for us, in terms of security. The whole purpose of our membership system is to protect secure resources, and if this is going to just let people in for clicking on something, then we have a HUGE problem. I hope this can get the attention of the developers most expediently.

    Thank you.

  • Kasia Swiderska

    Hello kalico,

    I've asked developer to check what can be done in Membership code to prevent checking those statuses, but apparently this will be not one place in plugin so he is now checking that.
    I realize that it big issue - task for developer is created so he will work on that. At the moment I can't promise anything but I will try to get additional person to take a look on that one also.

    kind regards,
    Kasia

  • kalico

    Hi Kasia Swiderska It's been almost a week, and no response from the developer. I'm desperately in need of some information here....I have two questions:

    1) Is there a way, in code, to disable this process of checking memberships? (a patch that I can apply myself until the next release)
    2) How can I manually review the membership status in the database against the existence of an invitation code (i.e., what table are they in?) and fix any problems?

    I cannot release this website to our members until this problem is solved because it's a major security leak. I know that bugs can take months to get fixed here, and that's just unacceptable -- and yet I'm at your mercy. Any word, any suggestions...would be greatly appreciated.

  • Nithin

    Hi kalico,

    Terribly sorry for the delay, a task has already been created for this bug, and developers are working on providing a fix. I'll have to ping the developer, and check whether we could have a hot fix regarding this issue, and will make sure to get a feedback regarding whether manual review in the database would work, basically the membership levels are stored in the usermeta table, but I'll have to make sure whether there are any other tables that we should be looking at.

    I do understand that this bug is causing hindrance in your workflow, I'll make sure to ask the developers to give a look at this. Please do note that developers work round the clock with many critical issues, and hence have a slow response time. Either myself, or the developer will keep you posted.

    Kind Regards,
    Nithin

  • kalico

    Nithin and Kasia Swiderska -- I've waited almost an entire month for some word from the developer about a hotfix. I am desperate for a fix here....we are ready to launch, but we absolutely cannot have users being added to memberships just because they clicked on a link! They must be required to use an invitation code.

    Disabling cron is not an effective solution because it disables cron everywhere, and messes up other programs (like automatically expiring events in Events+)

    Using a cron manager doesn't help because the plugin itself seems to reinstate the cron job every time I mark it to not run.

    Please, please, please....help me with some solution so that our users are not being given access to sensitive resources.

  • kalico

    Ok, I have posted that file, and started the test:

    1) I signed in as a user with no access to a membership
    2) clicked on the "join" link, and viewed the signup page (with the invitation code field on it)
    3)I did not provide an invitation code.

    Now that user has "pending" status in that membership.

    I now have to wait a few hours to see if the membership gets automatically switched on. Kasia mentioned that it runs every 6 hours, so I will have to check back later tonight.

    Thanks for the help. I'll update as soon as I know more!

  • kalico

    Thank you Kasia Swiderska that's super helpful to know. I've checked it, and all is well!!

    Panos - I am VERY GRATEFUL for your help. We can now move forward and await the official fix.

    BTW - I had no idea where the "status" button was (referenced in Panos' post) but finally found the "History and Logs" button, so I was able to find the pending/refresh pictured in the screenshot. Maybe that "status" button Kasia described needs a label

    Thanks everyone for your help!