Givewp: epic: improve UX of donor emails

Created on 28 Jan 2019  ·  7 Comments  ·  Source: impress-org/givewp

Epic

User Story

As a donor, I want the links within Give emails to work with as few hurdles as possible while still securing my information so that I am not frustrated when attempting to access my information.

We should work to strike a better balance between security and convenience. As an example, if I donate on my desktop and immediately open the receipt email on my phone, I should not have to verify email access when I just clicked a link _from my email inbox_.

The issues within this epic each address specific behaviors that need improvement, but they are all related to a common need to better meet user expectations when interacting with Give emails.

Most helpful comment

Slack Call Summary

Participants: @ravinderk @mehul0810 @kevinwhoffman
Topic: Email link behavior in Give donor emails
Result: We reviewed Shopify's approach to receipt emails and found that Mehul had already started down a similar path which uses a hashed key to verify that a link was clicked from the donor's email. We also laid out some best practices and concerns that we want to keep in mind throughout this epic:

Give Email Access Best Practices

  1. When clicking a link from an email, a donor should never have to complete an email access form (because they just came from their inbox). Through the use of a unique key, we should be able to tell if they clicked the link from an email and avoid unnecessary back-and-forth currently required to validate emails.
  2. The unique key used to validate the user in the email link's query string should be removed from the address bar in the browser (as shown in the Shopify example).
  3. Viewing or downloading an individual receipt for a specific donation should _not_ grant the donor access to their entire donation history. To get full access to their donation history, they should still complete the current email access validation process. This ensures that a single misplaced receipt link does not allow access to the donor's entire history.
  4. A donor receipt URL should never be guessable or publicly accessible without validation.
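
A minimal sketch of the per-receipt key described in best practices 1, 3 and 4, added here as an example; it is not part of the thread and not GiveWP's own implementation. The class name, the `donation_id` and `receipt_key` query parameters, and the in-memory array standing in for donation meta are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical class and parameter names; the array stands in for donation meta storage.
final class ReceiptLinkStore
{
    /** @var array<int,string> donation ID => SHA-256 hash of its receipt key */
    private array $keyHashes = [];

    // Build the emailed link. Only the hash is stored; the raw key exists only in the email.
    public function issue(int $donationId, string $baseUrl): string
    {
        $key = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, so the URL is not guessable
        $this->keyHashes[$donationId] = hash('sha256', $key);
        return $baseUrl . '?' . http_build_query(['donation_id' => $donationId, 'receipt_key' => $key]);
    }

    // Return the one donation ID this link may display, or null to fall back to the
    // email access form. A valid key never implies access to the donation history.
    public function verify(array $query): ?int
    {
        $id  = filter_var($query['donation_id'] ?? null, FILTER_VALIDATE_INT);
        $key = $query['receipt_key'] ?? null;
        if ($id === false || !is_string($key) || !isset($this->keyHashes[$id])) {
            return null;
        }
        // hash_equals() compares in constant time.
        return hash_equals($this->keyHashes[$id], hash('sha256', $key)) ? $id : null;
    }
}

// Constructed sample data: two donations and an example.org base URL.
$store = new ReceiptLinkStore();
$url   = $store->issue(101, 'https://example.org/donation-receipt/');
$store->issue(102, 'https://example.org/donation-receipt/');
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);

$checks = [
    'link from the email opens its own receipt'   => $store->verify($query) === 101,
    'key for 101 does not open donation 102'      => $store->verify(['donation_id' => '102'] + $query) === null,
    'tampered key is rejected'                    => $store->verify(['receipt_key' => 'x'] + $query) === null,
    'missing key falls back to email access form' => $store->verify(['donation_id' => '101']) === null,
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ": $label\n";
}
```

A key that stays in the query string also ends up in browser history and server access logs, so the single-receipt scope enforced in `verify()` is what bounds the exposure of a misplaced link.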

All 7 comments

Slack Call Summary

Participants: @mehul0810 @ravinderk
Topic: Discussion about the point (2), its complexity, and its need
Result: Ravinder and I think that redirecting the URL containing the query string to a pretty link will add complexity, and if the URL is obtained by an anonymous user, then only that particular donation receipt's details are leaked, not the complete history.

Also, if the donation receipt is for a recurring donation, then a "Manage Subscription" link is displayed below the donation receipt, and clicking it will take the user to the email access form.

@kevinwhoffman Can we do a quick call tomorrow so that we can discuss the necessity of point (2) and I can demo the complete functionality related to email access and the donation receipt view and download links in an email?

As per the call, @kevinwhoffman and I agreed that we don't need to address point (2).

> we don't need to address point (2)

Yes, @mehul0810 explained that introducing a redirect for the sake of removing the query string would add complexity to the solution with no real benefit. The unique key in the query string only provides access to that single receipt, so we agreed it's okay to leave it in the URL.

@kevinwhoffman Closing this issue in favor of https://github.com/impress-org/give/pull/3973

Let us know if you are still able to reproduce this.

Tested

I have tested the following issues and confirm they are working according to the best practices above:

  • [x] Core - #3956 fix: prevent errors/login screens trying to access donations via email access
  • [x] Core - #3963 fix: do not require refresh after verifying email
  • [x] Core - #3964 fix: improve UX of "View in Browser" link
  • [x] PDF Receipts - https://github.com/impress-org/give-pdf-receipts/issues/197 fix: allow user to download PDF directly from email link

Needs Fix

Tested but with problems reported in issue:

Untested:

I will test the new email template tag once #806 is resolved above.

Closing, all issues in Epic have been merged.
