  1. #1

    account_edit: Duplicate phpbb email addresses allowed

    In an unmodified v1.5.1 Zen Cart with a phpbb linkage established (v3.0.11), create an account in the Zen Cart. Attempting to create an account with the email address of the phpbb administrator (which has no Zen Cart account) is properly denied with a "duplicate email address" error. Continue to create the Zen Cart account with a different email address.

    Upon account creation, go to "Your Account" and click "View or change my account information". Within the account_edit screen, change the email address associated with the account to the phpbb administrator's email address. The value is improperly accepted.

    The problem lies (starting at line 70) in /includes/modules/pages/account_edit/header_php.php:
    Code:
      $check_email_query = "SELECT count(*) AS total
                            FROM   " . TABLE_CUSTOMERS . "
                            WHERE  customers_email_address = :emailAddress
                            AND    customers_id != :customersID";
    
      $check_email_query = $db->bindVars($check_email_query, ':emailAddress', $email_address, 'string');
      $check_email_query = $db->bindVars($check_email_query, ':customersID', $_SESSION['customer_id'], 'integer');
      $check_email = $db->Execute($check_email_query);
    
      if ($check_email->fields['total'] > 0) {
        $error = true;
        $messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_ERROR_EXISTS);
    
        // check phpBB for duplicate email address
        if ($phpBB->phpbb_check_for_duplicate_email(zen_db_input($email_address)) == 'already_exists' ) {
          $error = true;
          $messageStack->add('account_edit', 'phpBB-'.ENTRY_EMAIL_ADDRESS_ERROR_EXISTS);
        }
      }
    The check for a phpbb duplicate email is being performed only if there's a duplicate email address in the Zen Cart database. Making the following changes to move the phpbb-check outside of the other if-clause corrects the issue:
    Code:
      $check_email_query = "SELECT count(*) AS total
                            FROM   " . TABLE_CUSTOMERS . "
                            WHERE  customers_email_address = :emailAddress
                            AND    customers_id != :customersID";
    
      $check_email_query = $db->bindVars($check_email_query, ':emailAddress', $email_address, 'string');
      $check_email_query = $db->bindVars($check_email_query, ':customersID', $_SESSION['customer_id'], 'integer');
      $check_email = $db->Execute($check_email_query);
    
      if ($check_email->fields['total'] > 0) {
        $error = true;
        $messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_ERROR_EXISTS);
      }
    
      // check phpBB for duplicate email address
      if ($phpBB->phpbb_check_for_duplicate_email(zen_db_input($email_address)) == 'already_exists' ) {
        $error = true;
        $messageStack->add('account_edit', 'phpBB-'.ENTRY_EMAIL_ADDRESS_ERROR_EXISTS);
      }
    P.S. The 'advanced' post editing controls seem to have disappeared again ...

  2. #2

    OK, that change was necessary but insufficient. Now, if I attempt to change the phone number but not the email address, I'm getting a "phpbb-duplicate email address" error.

  3. #3

    It turns out that three files require change for this to work properly; changes highlighted in red:

    /includes/classes/class.phpbb.php:
    Code:
        function phpbb_check_for_duplicate_email($email_address, $nick='') {
          if ($this->phpBB['installed'] != true) return false;
          $status='';
    
          $check_nick = ($nick == '') ? '' : " AND username != '" . $nick . "'";
          $sql = "select * from " . $this->phpBB['users_table'] . " where user_email = '" . $email_address . "'" . $check_nick;
    
          $phpbb_users = $this->db_phpbb->Execute($sql);
          if ($phpbb_users->RecordCount() > 0 ) {
            $status='already_exists';
          }
          return $status;
        }
    /includes/modules/pages/account_edit/header_php.php, starting at line 70:
    Code:
      $check_email_query = "SELECT count(*) AS total
                            FROM   " . TABLE_CUSTOMERS . "
                            WHERE  customers_email_address = :emailAddress
                            AND    customers_id != :customersID";
    
      $check_email_query = $db->bindVars($check_email_query, ':emailAddress', $email_address, 'string');
      $check_email_query = $db->bindVars($check_email_query, ':customersID', $_SESSION['customer_id'], 'integer');
      $check_email = $db->Execute($check_email_query);
    
      if ($check_email->fields['total'] > 0) {
        $error = true;
        $messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_ERROR_EXISTS);
      }
        // check phpBB for duplicate email address
    
        if ($phpBB->phpbb_check_for_duplicate_email(zen_db_input($email_address), zen_db_input($_POST['nick'])) == 'already_exists' ) {
          $error = true;
          $messageStack->add('account_edit', 'phpBB-'.ENTRY_EMAIL_ADDRESS_ERROR_EXISTS);
        }
    //  }
    and then towards the end of the file:
    Code:
    $account_query = "SELECT customers_gender, customers_firstname, customers_lastname,
                             customers_dob, customers_email_address, customers_telephone,
                             customers_fax, customers_email_format, customers_referral, customers_nick
                      FROM   " . TABLE_CUSTOMERS . " c, " . TABLE_ADDRESS_BOOK . " ab
                      WHERE  c.customers_id = :customersID
                      AND    ab.customers_id = c.customers_id";
    and finally, /includes/templates/template_default/templates/tpl_account_edit_default.php, line 16:
    Code:
    <?php echo zen_draw_form('account_edit', zen_href_link(FILENAME_ACCOUNT_EDIT, '', 'SSL'), 'post', 'onsubmit="return check_form(account_edit);"') . zen_draw_hidden_field('action', 'process') . zen_draw_hidden_field('nick', $account->fields['customers_nick']); ?>
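
    Added example, not part of the original posts and not Zen Cart or phpBB code: the rule this thread arrives at (check both user stores independently, and exclude the editing customer's own record from each), run against a constructed in-memory SQLite database. The table names, sample rows and the helper names `countOthers` and `emailChangeErrors` are assumptions made for illustration; column names follow the snippets above, values are bound rather than concatenated into the SQL, and the nickname is read server-side from the customer's own row because a hidden form field is client-controlled.

```php
<?php
// Added illustration; not Zen Cart or phpBB code. Tables and rows are constructed.
$pdo = new PDO('sqlite::memory:');   // assumes the pdo_sqlite extension
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE customers (customers_id INTEGER PRIMARY KEY,
            customers_email_address TEXT, customers_nick TEXT)");
$pdo->exec("CREATE TABLE phpbb_users (username TEXT, user_email TEXT)");
$pdo->exec("INSERT INTO customers VALUES
            (1, 'shopper@example.com', 'shopper'), (2, 'other@example.com', 'other')");
$pdo->exec("INSERT INTO phpbb_users VALUES ('admin', 'admin@example.com'),
            ('shopper', 'shopper@example.com'), ('other', 'other@example.com')");

// Count rows holding $email, excluding the row that belongs to the editor.
function countOthers(PDO $pdo, string $sql, string $email, $self): int
{
    $stmt = $pdo->prepare($sql);      // values are bound, never concatenated
    $stmt->execute([':email' => $email, ':self' => $self]);
    return (int) $stmt->fetchColumn();
}

// Both stores are always consulted; neither check is nested inside the other.
function emailChangeErrors(PDO $pdo, int $customerId, string $email): array
{
    // The nickname comes from the customer's own row, not from the request.
    $stmt = $pdo->prepare("SELECT customers_nick FROM customers WHERE customers_id = ?");
    $stmt->execute([$customerId]);
    $nick = (string) $stmt->fetchColumn();
    $storeSql = "SELECT COUNT(*) FROM customers
                 WHERE customers_email_address = :email AND customers_id != :self";
    $forumSql = "SELECT COUNT(*) FROM phpbb_users
                 WHERE user_email = :email AND username != :self";
    $errors = [];
    if (countOthers($pdo, $storeSql, $email, $customerId) > 0) {
        $errors[] = 'store: duplicate email';
    }
    if (countOthers($pdo, $forumSql, $email, $nick) > 0) {
        $errors[] = 'phpBB: duplicate email';
    }
    return $errors;
}

$cases = [   // constructed inputs, all submitted by customer 1 ("shopper")
    'email unchanged (phone edit only)' => 'shopper@example.com',
    'forum administrator address'       => 'admin@example.com',
    'address of another customer'       => 'other@example.com',
    'unused address'                    => 'new@example.com',
];
foreach ($cases as $label => $email) {
    $errors = emailChangeErrors($pdo, 1, $email);
    echo str_pad($label, 36), $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
```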

  4. #4

    The phpBB integration will be replaced with notifier points to allow community contribution of a plugin to handle its functionality.

    ETA unknown. But plugin submission welcome at any time.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5

    Originally Posted by lat9:
    In an unmodified v1.5.1 Zen Cart with a phpbb linkage established (v3.0.11), create an account in the Zen Cart. Attempting to create an account with the email address of the phpbb administrator (which has no Zen Cart account) is properly denied with a "duplicate email address" error. Continue to create the Zen Cart account with a different email address.
    I was obviously on another planet when I made the quoted assertion. The unmodified Zen Cart behavior in this instance is to (1) issue no message and (2) not create the phpBB account. The following changes are required in /includes/modules/YOUR_TEMPLATE/create_account.php (starting at line 138 in v1.5.1):
    Code:
        if ($check_email->fields['total'] > 0) {
          $error = true;
          $messageStack->add('create_account', ENTRY_EMAIL_ADDRESS_ERROR_EXISTS);
          
        } elseif ($phpBB && $phpBB->phpbb_check_for_duplicate_email($email_address) == 'already_exists') {
          $error = true;
          $messageStack->add('create_account', ENTRY_EMAIL_ADDRESS_ERROR_EXISTS . ' (phpBB)');
        }
    Originally Posted by DrByte:
    The phpBB integration will be replaced with notifier points to allow community contribution of a plugin to handle its functionality.

    ETA unknown. But plugin submission welcome at any time.
    I'm not quite sure how to interpret this. Is your suggestion that the plugin submission include both the proposed notifier points and the corrections noted in this thread?

  6. #6

    Originally Posted by lat9:
    I'm not quite sure how to interpret this. Is your suggestion that the plugin submission include both the proposed notifier points and the corrections noted in this thread?
    OK, I rose to the challenge and the code and documentation in the attachment is my proposal (v1.0.0, Beta 1) for a generic, notifier-point only bulletin board class for Zen Cart v1.5.1 (note that since config.core.php is modified, it's only supported on v1.5.1). The phpBB implementation proposal is also attached; I'm still working on the readme for those files.

    Questions, comments and bug reports are welcome; let me know if any resulting discussion should be moved to a separate thread.

  7. #7

    Originally Posted by lat9:
    OK, I rose to the challenge and the code and documentation in the attachment is my proposal (v1.0.0, Beta 1) for a generic, notifier-point only bulletin board class for Zen Cart v1.5.1 (note that since config.core.php is modified, it's only supported on v1.5.1). The phpBB implementation proposal is also attached; I'm still working on the readme for those files.

    Questions, comments and bug reports are welcome; let me know if any resulting discussion should be moved to a separate thread.
    Hello, thanks for replying to my thread and directing me here. I noticed, as quoted above, that this would be only for version 1.5.1. How different would this be for 1.5.0? Because of the addons I'm using, I have to use 1.5 still. Would the resulting changes be similar, or how could I figure out how to integrate this with my current install?

  8. #8

    Originally Posted by Hulamac:
    Hello, thanks for replying to my thread and directing me here. I noticed, as quoted above, that this would be only for version 1.5.1. How different would this be for 1.5.0? Because of the addons I'm using, I have to use 1.5 still. Would the resulting changes be similar, or how could I figure out how to integrate this with my current install?
    Hulamac, I've made a couple more changes and released these two plugins as separate items with a combined support thread (http://www.zen-cart.com/showthread.p...Support-Thread). I'll post your question and answer it over there ...

  9. #9

    Originally Posted by DrByte:
    The phpBB integration will be replaced with notifier points to allow community contribution of a plugin to handle its functionality.
    Code waiting for review: https://github.com/zencart/zencart/pull/360

    These changes leave all potential duplication of email addresses up to the plugin to manage properly.