View Issue Details
| Field | Value |
|---|---|
| ID | 0006028 |
| Project | OXID eShop (all versions) |
| Category | 1.03. Basket, checkout process |
| View Status | public |
| Date Submitted | 2015-01-22 11:02 |
| Last Update | 2024-02-14 10:48 |
| Reporter | JaroslavHerber |
| Assigned To | |
| Priority | high |
| Severity | major |
| Reproducibility | always |
| Status | acknowledged |
| Resolution | open |
| Product Version | 4.9.2 / 5.2.2 |
| Tags | No tags attached. |
| Theme | Azure |
| Browser | All |
| PHP Version | Not defined |
| Database Version | Not defined |

Summary: 0006028: Can't change email address if there is a guest user with the same email address

Description: Related to 0006026. Let's say there is a registered user "[email protected]" and a not registered guest user "[email protected]" in the oxuser database table. If the registered user wants to change his email address to "[email protected]", the shop neither gives an error nor saves the new email address. The reason is that the table column "oxuser.oxusername" is unique, so there can't be two entries with the same email address/oxusername. See "Additional Information" for a possible solution.

Steps To Reproduce:

1. Open a new account with email [email protected] (a registered user).
2. Purchase a product without registration and use email [email protected] for the guest user.
3. Entries for both users are added in the DB.
4. Log in to the shop with the registered user [email protected].
5. Go to Account / Billing_and_shipping settings and click on the button "CHANGE".
6. In the email field try to change the email address from [email protected] to [email protected] and submit your changes.
7. The new address is saved in the billing address form, but the user field in the "oxuser" table in the DB is not updated.

Additional Information: Possible solution: delete the guest user first, before saving the registered user's data with the same email address. In oxuser->checkIfEmailExists(), line 1758:

```php
...
// password is not set - allow to override
$blExists = false;
// Add this line:
$oDb->execute('delete from oxuser where oxpassword = "" AND oxusername = ' . $oDb->quote($sEmail));
...
```
| Relation | ID | Status | Assigned To | Summary |
|---|---|---|---|---|
| related to | 0006218 | acknowledged | florian.auer | Unregistered users are deleted |

Related to 0001441, 0003091, 0002701, 0005741: it all boils down to the same conceptual question of keeping the data or not.

Maybe also related to 0004924.

@FibreFox: It is not related to bug 0004924 because the test case is very different. In 0004924 the problem is that the user can't change the mail address in step 2 of the checkout process. In this issue the case is that the user can change the email address in the form "Account / Billing_and_shipping settings", but the email address is not updated in the DB.

But it comes down to the same data model :) Using the mail address as primary key is the point that makes this bug exist, enables "from-inside attacks" and opens the door to user enumeration.

Hi, I would say those are 2 different issues. 0004924 is a usability issue, and in this one I see a saving-to-DB issue.

Hi, I got the same problem, too. Does any hotfix exist for this ticket? Thanks, Dustin

Unfortunately the solution provided would not work right out of the box. We need to verify first that the user with the second mail address is actually the same user, aka is fine with this. Otherwise you would be able to delete guest users / newsletter subscribers just by pretending to change the email address to the one of the other user. If we do not ask prior to the actual change, the damage is done, even if the verification is not successful.