for v1.5.3, look into:
Current logic is also poor design by the way, since links to approve are like
1 is the quote’s ID. Which means anyone can run a malicious cronjob and approve all your quotes from ID 1 to ID 9999999…
Having a key in the URL to access the quote, but no key to approve/reject it, is nonsense.
Interestingly enough, there is also a function called approve_quote_by_key() instead of approve_quote_by_id(), which makes me wonder why it’s been designed the worst way. Maybe because further in the code, there’s a function called email_quote_status() which requires the quote’s ID as a parameter…
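A sketch of the key-based approval the note asks for, added here as an example and not taken from the project's code. It is written in Python with an in-memory store; the function names approve_quote_by_key() and email_quote_status() are borrowed from the note, but their bodies and signatures here are assumptions. It shows that the approve link can carry only an unguessable key while the handler still resolves the numeric ID internally for the status e-mail.

```python
import hashlib
import secrets

# Constructed in-memory stand-ins for the quotes table.
QUOTES = {}      # quote_id -> status
KEY_INDEX = {}   # sha256(key) -> quote_id; the raw key is never stored


def _digest(key):
    """Hash the key so a leaked table does not reveal usable approve links."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def create_quote():
    """Create a pending quote; return its sequential ID and its random key."""
    quote_id = len(QUOTES) + 1
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    QUOTES[quote_id] = "pending"
    KEY_INDEX[_digest(key)] = quote_id
    return quote_id, key


def email_quote_status(quote_id):
    """Hypothetical stand-in: takes the quote ID, as the note says the real one does."""
    return "Quote #%d is now %s" % (quote_id, QUOTES[quote_id])


def approve_quote_by_key(key):
    """Approve the quote that owns `key`; return the e-mail text or None.

    The caller never supplies an ID, so counting from 1 upwards approves
    nothing. The ID is looked up server-side and passed on internally.
    """
    if not isinstance(key, str):
        return None
    quote_id = KEY_INDEX.get(_digest(key))
    if quote_id is None or QUOTES[quote_id] != "pending":
        return None  # unknown key, or quote already approved/rejected
    QUOTES[quote_id] = "approved"
    return email_quote_status(quote_id)
```
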