View Issue Details

ID: 0006028
Project: OXID eShop (all versions)
Category: 1.03. Basket, checkout process
View Status: public
Last Update: 2024-02-14 10:48
Reporter: JaroslavHerber
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 4.9.2 / 5.2.2
Summary: 0006028: Can't change email-address if there is a guest user with the same email-address

Description:
Related to 0006026.

Let's say there is a registered user "[email protected]" and a not registered guest user "[email protected]" in the oxuser-database-table.

And if the registered user wants to change his email-address to "[email protected]", the shop won't give an error nor save the new email-address.

The reason is, that the table-col "oxuser.oxusername" is unique. So there can't be two entries with the same email-address/oxusername.

See "Additional Information" for possible solution.

Steps To Reproduce:
1. Open new account with email [email protected] – it is a registered user;
2. Purchase product without registration and use email [email protected] for guest user;
3. In the DB are added entries for both users;
4. Login to shop with registered user [email protected];
5. Go to Account /Billing_and_shipping settings-> Click on the button "CHANGE";
6. In the email field try to change email address from [email protected] to [email protected] and then submit your changes;
7. In the billing address form is saved new address, but in the DB user field in the table "oxuser" is not updated.

Additional Information:
Possible solution:
Delete guest user first before saving the registered user's data with the same email-address.

oxuser->checkIfEmailExists() - line 1758:

...
// password is not set - allow to override
$blExists = false;

// Add this line:
$oDb->execute('delete from oxuser where oxpassword = "" AND oxusername = ' . $oDb->quote($sEmail));
...

Tags: No tags attached.
Theme: Azure
Browser: All
PHP Version: Not defined
Database Version: Not defined

Relationships

related to 0006218 (acknowledged, florian.auer): Unregistered users are deleted

Activities

martinwegele

2015-01-22 14:35

reporter   ~0010629

related to 0001441 0003091 0002701 0005741
it all boils down to the same conceptual question of keeping the data or not.

FibreFoX

2015-01-27 12:43

reporter   ~0010638

maybe also related to 0004924

jurate.baseviciene

2015-01-27 16:19

reporter   ~0010640

@FibreFox: It is not related with bug 0004924 because test case is very different.
In 0004924 the problem is that the user can't change the mail address in step 2 of the checkout process.
In this issue the case is that user can change email address in the form "Account /Billing_and_shipping settings", but email address is not updated in DB

FibreFoX

2015-01-27 16:42

reporter   ~0010642

But it goes down to the same data-model :) using mail-address as primary-key is the point, which makes this bug existing, enabling "from-inside-attacks" and opens the door for user-enumeration.

mantas.vaitkunas

2015-01-28 08:42

reporter   ~0010645

Hi, I would say that's 2 different issues. In 0004924 is a usability issue and in this one I see saving to DB issue.

DustinJeuck

2017-06-26 23:26

reporter   ~0012144

Hi,
I got the same problem, too.

Does any hotfix exist to this ticket?

Thanks,
Dustin

Sven Brunk

2024-01-17 11:08

administrator   ~0016133

Unfortunately the solution provided would not work right out of the box. We need to verify first that the user with the second mail address is actually the same user aka is fine with this. Else you would be able to delete guest users / newsletter subscribers just by pretending to change the email address to the one of the other user. If we do not ask prior to the actual change, the damage is done, even if the verification is not successful.
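
One way to sequence the change so that nothing is deleted before verification, as the last comment requires. This is an added example, not OXID's code: it uses PDO with an in-memory SQLite database, a simplified oxuser table, and a hypothetical pending_email_change table and function names. Treating control of the new mailbox as the verification is an assumption.

```php
<?php
// Added example; simplified stand-in for oxuser, not OXID's real schema or API.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE oxuser (oxid TEXT PRIMARY KEY, oxusername TEXT UNIQUE, oxpassword TEXT)');
// Hypothetical table: holds the request and only a hash of the confirmation token.
$db->exec('CREATE TABLE pending_email_change (oxid TEXT PRIMARY KEY, new_email TEXT, token_hash TEXT, expires INTEGER)');

// Step 1: record the request. Nothing in oxuser is changed or deleted here.
function requestEmailChange(PDO $db, string $userId, string $newEmail): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('REPLACE INTO pending_email_change VALUES (?, ?, ?, ?)');
    $stmt->execute([$userId, $newEmail, hash('sha256', $token), time() + 3600]);
    return $token; // mailed to $newEmail only, never returned to the browser
}

// Step 2: runs only when the token sent to the new address is presented.
function confirmEmailChange(PDO $db, string $userId, string $token): bool
{
    $stmt = $db->prepare('SELECT new_email, token_hash, expires FROM pending_email_change WHERE oxid = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $valid = $row && $row['expires'] >= time() && hash_equals($row['token_hash'], hash('sha256', $token));
    if (!$valid) {
        return false; // failed verification leaves the guest row untouched
    }
    $db->beginTransaction();
    try {
        // Only a passwordless (guest) row is removed; if a registered account owns
        // the address, the UNIQUE constraint rejects the update and all is rolled back.
        $del = $db->prepare("DELETE FROM oxuser WHERE oxpassword = '' AND oxusername = ? AND oxid <> ?");
        $del->execute([$row['new_email'], $userId]);
        $db->prepare('UPDATE oxuser SET oxusername = ? WHERE oxid = ?')->execute([$row['new_email'], $userId]);
        $db->prepare('DELETE FROM pending_email_change WHERE oxid = ?')->execute([$userId]);
        $db->commit();
        return true;
    } catch (PDOException $e) {
        $db->rollBack();
        return false;
    }
}

// Constructed sample data: one registered user, one guest (empty password).
$db->exec("INSERT INTO oxuser VALUES ('u1', 'registered@example.test', 'hash'), ('g1', 'guest@example.test', '')");
$token = requestEmailChange($db, 'u1', 'guest@example.test');
$wrong = confirmEmailChange($db, 'u1', 'not-the-token');
$guestRows = (int) $db->query("SELECT COUNT(*) FROM oxuser WHERE oxid = 'g1'")->fetchColumn();
$ok = confirmEmailChange($db, 'u1', $token);
printf("wrong token: %s, guest rows after it: %d, real token: %s\n", var_export($wrong, true), $guestRows, var_export($ok, true));
```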