View Issue Details

ID: 0000839
Project: OXID eShop (all versions)
Category: 1. ----- eShop frontend -----
View Status: public
Last Update: 2012-12-10 14:17
Status: resolved
Resolution: fixed
Product Version:
Target Version:
Fixed in Version:
Summary: 0000839: Method forgotPassword in forgotpwd.php send email, even if user is not a user of current shop
We have two subshops in a mall. User A is registered in the shop with id 1 and uses the forgotpwd function in the shop with id 2; an email with the password link is sent to the user. Clicking the link leads to the shop with id 2 but results in an error saying the link is expired.

The problem resides in the method forgotpwd::forgotPassword(): there should be an additional check if the user is registered in the current shop or if the config option "blMallUsers" is enabled.

If you provide an email address of a user who is registered in e.g. shop with id 1
Additional Information: Such a case occurs when the option "blMallUsers" is not checked.
PHP Version:
Database Version:


has duplicate 0001273 | resolved | sarunas_valaskevicius | forgot password emails with wrong links - wrong database query in oxemail::sendForgotPwdEmail()



2009-09-04 15:02

reporter   ~0001656

Now there is a check performed for blMallUsers: if it is set, the old behaviour is left, while if blMallUsers == 0, there is strict checking of the shop id (in the where clause of the SQL) [oxemail::sendForgotPwdEmail].
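
The shop-scoped lookup described in this issue, sketched as an added example (not OXID eShop's own code and not posted by the reporter). The table `users`, its columns and the function `findResetCandidate()` are hypothetical, and an in-memory SQLite database stands in for the shop database.

```php
<?php
// Added illustration, not OXID eShop code. Table and column names
// (users, email, shop_id) and findResetCandidate() are hypothetical.

function findResetCandidate(PDO $db, string $email, int $currentShopId, bool $blMallUsers): ?array
{
    $sql = 'SELECT id, email, shop_id FROM users WHERE email = :email';
    $params = [':email' => $email];

    // With shared mall users disabled, an account only counts in the
    // shop it was registered in, so the lookup is scoped to that shop.
    if (!$blMallUsers) {
        $sql .= ' AND shop_id = :shop';
        $params[':shop'] = $currentShopId;
    }

    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: user A exists only in shop 1.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, shop_id INTEGER)');
$db->exec("INSERT INTO users (email, shop_id) VALUES ('a@example.test', 1)");

$cases = [
    ['shop' => 1, 'mall' => false], // user's own shop
    ['shop' => 2, 'mall' => false], // the case reported in this issue
    ['shop' => 2, 'mall' => true],  // shared accounts: old behaviour kept
];
foreach ($cases as $c) {
    $user = findResetCandidate($db, 'a@example.test', $c['shop'], $c['mall']);
    // A reset mail is only sent when a user was found for this shop context.
    printf("shop=%d blMallUsers=%d -> %s\n", $c['shop'], (int) $c['mall'],
        $user ? 'send reset email' : 'no email sent');
}
```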