View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006028 | OXID eShop (all versions) | 1.03. Basket, checkout process | public | 2015-01-22 11:02 | 2017-06-26 23:26 |
Reporter | JaroslavHerber | ||||
Priority | high | Severity | major | Reproducibility | always |
Status | acknowledged | Resolution | open | ||
Product Version | 4.9.2 / 5.2.2 | ||||
Target Version | Fixed in Version | ||||
Summary | 0006028: Can't change email-address if there is a guest user with the same email-address | ||||
Description | Related to 0006026. Let's say there is a registered user "[email protected]e" and a not registered guest user "[email protected]" in the oxuser-database-table. And if the registered user wants to change his email-address to "[email protected]", the shop won't give an error nor save the new email-address. The reason is, that the table-col "oxuser.oxusername" is unique. So there can't be two entries with the same email-address/oxusername. See "Additional Information" for possible solution. | ||||
Steps To Reproduce | 1. Open new account with email [email protected] – it is a registered user; 2. Purchase product without registration and use email [email protected] for guest user; 3. In the DB are added entries for both users; 4. Login to shop with registered user [email protected]; 5. Go to Account /Billing_and_shipping settings-> Click on the button "CHANGE"; 6. In the email field try to change email address from [email protected] to [email protected] and then submit your changes; 7. In the billing address form is saved new address, but in the DB user field in the table "oxuser" is not updated. | ||||
Additional Information | Possible solution: Delete guest user first before saving the registered user's data with the same email-address. oxuser->checkIfEmailExists() - line 1758: | ||||

```php
...
// password is not set - allow to override
$blExists = false;
// Add this line:
$oDb->execute('delete from oxuser where oxpassword = "" AND oxusername = ' . $oDb->quote($sEmail));
...
```
Tags | No tags attached. | ||||
Theme | Azure | ||||
Browser | All | ||||
PHP Version | Not defined | ||||
Database Version | Not defined | ||||
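
The collision described in this report, reproduced as an added example (not OXID eShop code and not an official fix). It assumes a constructed, simplified `oxuser` table in in-memory SQLite via PDO, sample addresses, and a hypothetical `changeEmail()` helper that reports the unique-key conflict instead of dropping it silently and can apply the reporter's suggested delete of the password-less row inside the same transaction.

```php
<?php
// Added illustration, not OXID code. Constructed, simplified stand-in for the
// oxuser table (in-memory SQLite); ids and addresses are sample values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE oxuser (
    oxid       TEXT PRIMARY KEY,
    oxusername TEXT NOT NULL UNIQUE,
    oxpassword TEXT NOT NULL DEFAULT ''
)");
$ins = $db->prepare('INSERT INTO oxuser (oxid, oxusername, oxpassword) VALUES (?, ?, ?)');
$ins->execute(['u1', 'registered@example.test', 'constructed-hash']); // registered user
$ins->execute(['g1', 'guest@example.test', '']);                      // guest: empty password

// Hypothetical helper: change a user's login address and return an internal
// status ('saved' or 'collision'). What is shown to the user is a separate
// decision, because confirming that an address exists is the user-enumeration
// risk raised in the notes on this issue.
function changeEmail(PDO $db, string $oxid, string $newEmail, bool $dropGuest): string
{
    $db->beginTransaction();
    try {
        if ($dropGuest) {
            // The report's suggested workaround, with a bound parameter.
            // Whether guest data may be discarded is the open question
            // raised in the notes.
            $del = $db->prepare("DELETE FROM oxuser WHERE oxpassword = '' AND oxusername = ?");
            $del->execute([$newEmail]);
        }
        $upd = $db->prepare('UPDATE oxuser SET oxusername = ? WHERE oxid = ?');
        $upd->execute([$newEmail, $oxid]);
        $db->commit();
        return 'saved';
    } catch (PDOException $e) {
        $db->rollBack();
        // SQLSTATE class 23 = integrity constraint violation (here: UNIQUE).
        if (strncmp((string) ($e->errorInfo[0] ?? ''), '23', 2) === 0) {
            return 'collision';
        }
        throw $e;
    }
}

// Without the delete, the UNIQUE column rejects the update and it is reported.
echo changeEmail($db, 'u1', 'guest@example.test', false), PHP_EOL;
// With the guest row removed in the same transaction, the update goes through.
echo changeEmail($db, 'u1', 'guest@example.test', true), PHP_EOL;
```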
|
Related to 0001441, 0003091, 0002701, 0005741. It all boils down to the same conceptual question of keeping the data or not. |
|
Maybe also related to 0004924. |
|
@FibreFox: It is not related to bug 0004924 because the test case is very different. In 0004924 the problem is that the user can't change the mail address in step 2 of the checkout process. In this issue the case is that the user can change the email address in the form "Account /Billing_and_shipping settings", but the email address is not updated in the DB. |
|
But it goes down to the same data-model :) using mail-address as primary-key is the point which makes this bug exist, enabling "from-inside-attacks", and opens the door for user-enumeration. |
|
Hi, I would say those are 2 different issues. 0004924 is a usability issue and in this one I see a saving-to-DB issue. |
|
Hi, I got the same problem, too. Does any hotfix exist for this ticket? Thanks, Dustin |