View Issue Details

ID: 0001273
Project: OXID eShop (all versions)
Category: 1.05. Users
View Status: public
Last Update: 2009-09-04 14:59
Reporter: andreas_ziethen
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: duplicate
Product Version: 4.1.5 revision 21618
Summary: 0001273: forgot password emails with wrong links - wrong database query in oxemail::sendForgotPwdEmail()
Description: If you have several subshops configured so that each shop has its own customers and customers cannot log in to other subshops, then you get wrong links in password forgotten mails due to the following query:

$sSelect = "select oxid from oxuser where oxuser.oxactive = 1 and
oxuser.oxusername = '$sEmailAddress' and oxuser.oxpassword != ''
order by oxshopid = '".$oShop->getId()."' desc";

Instead of "order by oxshopid" we do need a " and oxshopid = '".$oShop->getId()."' " - at least if the above mentioned config is chosen (which is very often the case).
Otherwise you get a result of this query although user is not registered in actual shop.
Tags: No tags attached.
Theme:
Browser: All
PHP Version: 5.2.6
Database Version: 5.0.33
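
Added example, not part of the original report and not OXID eShop code: it runs the two query shapes from the description against a small constructed oxuser table to show that sorting by shop still returns an account from another subshop, while filtering by shop returns nothing. Python's sqlite3 stands in for MySQL, the rows and the helper names (make_db, lookup) are hypothetical, values are passed as bound parameters, and it is assumed that the caller uses the first row of the result.

```python
import sqlite3

# Constructed sample data: alice exists only in shop 2,
# bob has a separate account in each shop.
ROWS = [
    ("u-alice-shop2", "2", "alice@example.com", "hash-a", 1),
    ("u-bob-shop1", "1", "bob@example.com", "hash-b1", 1),
    ("u-bob-shop2", "2", "bob@example.com", "hash-b2", 1),
]

# Shape of the query quoted in the report: the shop id only sorts the rows.
ORDER_BY_QUERY = (
    "select oxid from oxuser where oxuser.oxactive = 1 "
    "and oxuser.oxusername = ? and oxuser.oxpassword != '' "
    "order by oxshopid = ? desc"
)

# Shape proposed in the report: the shop id restricts the rows.
FILTER_QUERY = (
    "select oxid from oxuser where oxuser.oxactive = 1 "
    "and oxuser.oxusername = ? and oxuser.oxpassword != '' "
    "and oxshopid = ?"
)


def make_db():
    """Build an in-memory oxuser table holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table oxuser (oxid text, oxshopid text, "
        "oxusername text, oxpassword text, oxactive integer)"
    )
    db.executemany("insert into oxuser values (?, ?, ?, ?, ?)", ROWS)
    return db


def lookup(db, query, email, shop_id):
    """Return the first matching oxid, or None (assumed caller behaviour)."""
    row = db.execute(query, (email, shop_id)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for name, query in (("order by", ORDER_BY_QUERY), ("filter", FILTER_QUERY)):
        # Password reset requested in shop 1 for an address known only to shop 2.
        print(name, "->", lookup(db, query, "alice@example.com", "1"))
```

For an address that has an account in the requesting shop, both shapes pick the same row; they differ only when the address exists solely in another subshop.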

Relationships

duplicate of 0000839 (resolved, sarunas_valaskevicius): Method forgotPassword in forgotpwd.php send email, even if user is not a user of current shop
related to 0001272 (resolved, sarunas_valaskevicius): Password forgotten link does not work because FireFox corrupts character in oxupdatepassinfoplainemail

Activities

andreas_ziethen

2009-09-01 14:02

reporter   ~0001594

In addition: could you please separate the logic of checking the user from sending the email? I think this should not be located in oxemail class - and should definitely be in a single function.
Thx! ;-)

dainius.bigelis

2009-09-03 15:23

reporter   ~0001629

Request to separate logic - is moved to customers wishlist. Will be considered later.