View Issue Details

ID: 0006028
Project: OXID eShop (all versions)
Category: 1.03. Basket, checkout process
View Status: public
Last Update: 2017-06-26 23:26
Reporter: JaroslavHerber
Priority: high
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 4.9.2 / 5.2.2
Target Version:
Fixed in Version:
Summary: 0006028: Can't change email-address if there is a guest user with the same email-address

Description:
Related to 0006026.

Let's say there is a registered user "[email protected]" and an unregistered guest user "[email protected]" in the oxuser database table.

If the registered user wants to change his email address to "[email protected]", the shop will neither give an error nor save the new email address.

The reason is that the table column "oxuser.oxusername" is unique, so there can't be two entries with the same email-address/oxusername.

See "Additional Information" for possible solution.
Steps To Reproduce:
1. Open a new account with email [email protected] – it is a registered user;
2. Purchase a product without registration and use email [email protected] for the guest user;
3. Entries for both users are added in the DB;
4. Log in to the shop with the registered user [email protected];
5. Go to Account / Billing_and_shipping settings -> click on the button "CHANGE";
6. In the email field, try to change the email address from [email protected] to [email protected] and then submit your changes;
7. The new address is saved in the billing address form, but the user field in the DB table "oxuser" is not updated.

Additional Information:
Possible solution:
Delete the guest user first, before saving the registered user's data with the same email address.

oxuser->checkIfEmailExists() - line 1758:

...
// password is not set - allow to override
$blExists = false;

// Add this line:
$oDb->execute('delete from oxuser where oxpassword = "" AND oxusername = ' . $oDb->quote($sEmail));
...
Tags: No tags attached.
Theme: Azure
Browser: All
PHP Version: Not defined
MySQL Version: Not defined
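
The guest-row removal proposed under "Additional Information", done in one transaction with the email update so the change is reported as saved or taken, as an added example that is not OXID code or the reporter's patch. The reduced oxuser table, the makeDb() and changeEmail() helpers, the ids and the example.test addresses are assumptions constructed for the demonstration.

```php
<?php
// Reduced stand-in for oxuser in an in-memory SQLite DB (assumption, not OXID's schema).
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE oxuser (oxid TEXT PRIMARY KEY,
        oxusername TEXT NOT NULL UNIQUE, oxpassword TEXT NOT NULL DEFAULT '')");
    // Constructed rows: two registered users and one guest (empty password).
    $db->exec("INSERT INTO oxuser VALUES
        ('u1', 'registered@example.test', 'hash-placeholder'),
        ('u2', 'other@example.test', 'hash-placeholder'),
        ('g1', 'guest@example.test', '')");
    return $db;
}

// Hypothetical helper: reports 'saved' or 'taken' instead of failing silently.
function changeEmail(PDO $db, string $userId, string $newEmail): string {
    $db->beginTransaction();
    try {
        // Delete only a passwordless (guest) row that holds the address, never the
        // row being edited. Records that reference the guest id are not handled here.
        $del = $db->prepare("DELETE FROM oxuser
            WHERE oxusername = ? AND oxpassword = '' AND oxid <> ?");
        $del->execute([$newEmail, $userId]);
        $upd = $db->prepare("UPDATE oxuser SET oxusername = ? WHERE oxid = ?");
        $upd->execute([$newEmail, $userId]);
        $db->commit();
        return 'saved';
    } catch (PDOException $e) {
        // Undo the delete too, so both statements succeed or fail together.
        $db->rollBack();
        if ((string) $e->getCode() !== '23000') {
            throw $e; // not an integrity-constraint violation
        }
        return 'taken'; // UNIQUE(oxusername): a registered account owns the address
    }
}

$db = makeDb();
foreach (['guest@example.test', 'other@example.test'] as $email) {
    echo $email, ' => ', changeEmail($db, 'u1', $email), PHP_EOL;
}
```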

Activities

martinwegele

2015-01-22 14:35

reporter   ~0010629

related to 0001441 0003091 0002701 0005741
it all boils down to the same conceptual question of keeping the data or not.

FibreFoX

2015-01-27 12:43

reporter   ~0010638

maybe also related to 0004924

jurate.baseviciene

2015-01-27 16:19

reporter   ~0010640

@FibreFox: It is not related to bug 0004924 because the test case is very different.
In 0004924 the problem is that the user can't change the mail address in step 2 of the checkout process.
In this issue the case is that the user can change the email address in the form "Account / Billing_and_shipping settings", but the email address is not updated in the DB.

FibreFoX

2015-01-27 16:42

reporter   ~0010642

But it comes down to the same data-model :) Using the mail-address as primary-key is the point which makes this bug exist, enabling "from-inside-attacks" and opening the door for user-enumeration.

mantas.vaitkunas

2015-01-28 08:42

administrator   ~0010645

Hi, I would say that's 2 different issues. 0004924 is a usability issue, and in this one I see a saving-to-DB issue.

DustinJeuck

2017-06-26 23:26

reporter   ~0012144

Hi,
I got the same problem, too.

Does any hotfix exist for this ticket?

Thanks,
Dustin