|OXID eShop (all versions)
|1. ----- eShop frontend -----
|Fixed in Version
|0000839: Method forgotPassword in forgotpwd.php sends email, even if user is not a user of current shop
We have two subshops in mall; user A is registered in shop with id 1 and uses the forgotpwd-function in shop with id 2, and an email with the password-link is sent to the user. Clicking the link leads to shop with id 2 but results in an error saying the link is expired.
The problem resides in the method forgotpwd::forgotPassword(); there should be an additional check if the user is registered in current shop or if config option "blMallUsers" is enabled.
If you provide an email address of a user who is registered in e.g. shop with id 1
|Such a case occurs when option "blMallUsers" is not checked.
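
One way to express the check the report asks for, as an added example that is not OXID eShop code: the lookup done before sending the reset mail is limited to the current shop unless `blMallUsers` is on, and the link step reuses the same lookup so the two steps cannot disagree. The function names, the user array, the token store and the one-hour expiry are hypothetical, and the sample user is constructed.

```php
<?php
// Added illustration, not OXID eShop code. Every name except blMallUsers is hypothetical.

// Constructed sample data: user A is registered in shop 1 only.
$users = [['email' => 'a@example.test', 'shopId' => 1]];

// Shop-scoped lookup: a user counts only if registered in the current shop,
// or if mall-wide users (blMallUsers) are enabled.
function findResetUser(array $users, string $email, int $shopId, bool $blMallUsers): ?array
{
    foreach ($users as $user) {
        $sameMail = strcasecmp($user['email'], $email) === 0;
        if ($sameMail && ($blMallUsers || $user['shopId'] === $shopId)) {
            return $user;
        }
    }
    return null;
}

// Request step: create a token (and send the mail) only if the scoped lookup succeeds.
function requestReset(array $users, array &$tokens, string $email, int $shopId, bool $blMallUsers): ?string
{
    $user = findResetUser($users, $email, $shopId, $blMallUsers);
    if ($user === null) {
        return null; // not a user of this shop: no token, no mail
    }
    $token = bin2hex(random_bytes(16));
    $tokens[$token] = ['email' => $user['email'], 'expires' => time() + 3600]; // assumed lifetime
    return $token;
}

// Link step: same lookup as the request step, so both steps agree on who is a shop user.
function redeemReset(array $users, array $tokens, string $token, int $shopId, bool $blMallUsers): bool
{
    if (!isset($tokens[$token]) || $tokens[$token]['expires'] < time()) {
        return false;
    }
    return findResetUser($users, $tokens[$token]['email'], $shopId, $blMallUsers) !== null;
}

$tokens = [];
// User A asks for a reset in shop 2 with blMallUsers off, then on, then in the home shop.
foreach ([[2, false], [2, true], [1, false]] as [$shopId, $mall]) {
    $token = requestReset($users, $tokens, 'a@example.test', $shopId, $mall);
    $ok = $token !== null && redeemReset($users, $tokens, $token, $shopId, $mall);
    printf("shop %d, blMallUsers=%s: mail sent=%s, link valid=%s\n",
        $shopId, var_export($mall, true), var_export($token !== null, true), var_export($ok, true));
}
```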