
Duplicate Client Email Addresses ??


siteAdmin


Hi Dev Team,

Since I am new to Blesta, I started testing v3.6.2 for two reasons: 1) I wanted to get it customized for our business; 2) to check for bugs/security issues, if any. I started testing Blesta on a localhost (laptop) with a trial license.

To my surprise I found that two clients can be created from the Blesta Admin Panel with the same (identical) email address. I tested this with the clients' other data differing from one another, but with the same email address. This is not acceptable.

It should NOT be like that. Can someone from Dev Team explain this to me?

Thank you in advance.

 

P.S. I can check this myself. I would appreciate it if a Dev could PM me the names of the files related to an Admin creating a client, as I am busy at the moment and don't have time to study all the coding in Blesta. Thanks again.

Edited by siteAdmin
added P.S.

47 minutes ago, Licensecart said:

It's because people are using different usernames.

There are many reasons why a system (client portal in the case of Blesta) should have a UNIQUE email address.

One simple reason is "when one recovers the password". This is a security measure. An Admin (or Staff) may by mistake duplicate email addresses while creating clients. To avoid this, the email address should be unique.

There are several other reasons too.

*********************

In fact I was not checking this email address thing on purpose. I came across this accidentally while checking the functions of various other inputs in order to develop a plugin for a particular project. But this finding is unexpected.


29 minutes ago, ariq01 said:

How to prevent this? I got this problem too.

My clients create 2 accounts with the same email. And how to force users to only use email as login, not username?

Like @naja7host (blesta-addons registration page)?

I have not tested this.

It is not a big problem to rectify this once I get familiar with the various functions in the Blesta application. But leaving it as it is is NOT good at all.

Don't worry, I will get it sorted out soon for good. :)


51 minutes ago, ariq01 said:

And how to force user, to only use email as login. Not username.

I would really like this as well. Clients sign up, set their username as their email, and then when they come back to log in, they see a "Username" field so they try their most common usernames. They never even think to try their email address. We had to modify our login page to say "Email/Username".

If we could just force everyone to use their email addresses, then this would not be an issue.

If someone needs to open two different accounts, then it's not that hard to use an alias in gmail or cPanel email (such as user+alias@domain.com) for multiple accounts.


At present it is a Huge Security issue. Because I tested it a few mins ago on my localhost (laptop).

It's like this...

Supposing an Admin or somebody creates a second (or third or fourth...) client account duplicating the email address of an existing customer, then if the first client logs in using his/her email address he/she gets access to the last account of the client who has the same email address. This is what I see in the trial v3.6.2 I am testing right now. If there are production Blesta applications with similar issues then it is a HUGE security issue.

This has to be addressed immediately and all Blesta users informed. This is NOT a joke.


6 minutes ago, siteAdmin said:

At present it is a Huge Security issue. Because I tested it a few mins ago.

It's like this...

Supposing an Admin or somebody creates a second (or third or fourth...) client account duplicating the email address of an existing customer, then if the first client logs in using his/her email address he/she gets access to the last account of the client who has the same email address. This is what I see in the trial v3.6.2 I am testing right now. If there are production accounts with similar issues then it is a HUGE security issue.

This has to be addressed immediately and all Blesta users informed. This is NOT a joke.

I'm not sure if that is possible, as you can log in either with the email on file OR the username you chose. You choose this at sign up, and it cannot be changed without administrator intervention. It will not allow duplicate usernames or email addresses (if you chose that as your username).


10 minutes ago, John said:

I'm not sure if that is possible, as you can log in either with the email on file OR the username you chose. You choose this at sign up, and it cannot be changed without administrator intervention. It will not allow duplicate usernames or email addresses (if you chose that as your username).

Don't know about front end registrations. I am trying to customise this app for an Admin creating clients and issuing invoices. This way the client gets an invitation email. I have not sent any email msgs yet because I am only simulating these issues on a localhost. But again, when you do create clients through the Admin panel then the first client gets the wrong mail even if the second client is supposed to receive the invitation e-mail. This happens only if the admin panel creates clients. I have not tested the front end regs yet.


6 minutes ago, siteAdmin said:

Don't know about front end registrations. I am trying to customise this app for an Admin creating clients and issuing invoices. This way the client gets an invitation email. I have not sent any email msgs yet because I am only simulating these issues on a localhost. But again, when you do create clients through the Admin panel then the first client gets the wrong mail even if the second client is supposed to receive the invitation e-mail. This happens only if the admin panel creates clients. I have not tested the front end regs yet.

Ah, that might be the case then. We rarely create clients via the admin interface, and when we do, we know that the person has never had an account with us before.

This is probably an oversight on Blesta's part then.


7 minutes ago, John said:

Ah, that might be the case then. We rarely create clients via the admin interface, and when we do, we know that the person has never had an account with us before.

Yes, I came across this because I am trying to customise Blesta for a special purpose. Otherwise I wouldn't have noticed this. This will not be an issue when you create a few customers. But it is a huge issue when several staff members are allowed to create clients. There is a possibility someone may create, by mistake, a client with a duplicate email address. I am just checking all possible loopholes and I want to rectify them before using Blesta in production. :)


That's not possible even in the admin area! If you try and use the same username you get this error: "That username has already been taken."

Video: http://screencast.com/t/Ji6LTO5uljx

So either you are editing the core files and getting this issue or you are trying to say people can make the same email address twice with the same provider and they are getting the emails for a wrong account.

I tried this ages ago with 3.x.x and that was filmed on 4.0.0-b1.


17 hours ago, Licensecart said:

That's not possible even in the admin area! If you try and use the same username you get this error: "That username has already been taken."

Video: http://screencast.com/t/Ji6LTO5uljx

So either you are editing the core files and getting this issue or you are trying to say people can make the same email address twice with the same provider and they are getting the emails for a wrong account.

I tried this ages ago with 3.x.x and that was filmed on 4.0.0-b1.

Please create another client with the same data (same option selections etc) except the first name. For the first name use "Mike" or something else. Thanks.


2 hours ago, Licensecart said:

Still get username is already taken: http://screencast.com/t/yMYTvNgSa0bI

OK, I agree with what you say.

But I don't get the "That username has already been taken." warning. It just goes through and two people with the same email address get registered. Maybe the fault I get does not come up in the version you use. I am testing v3.6.2. I bet you use the v4.0 beta or some other.

Well in this case I shall wait until v4.0 is released.

In fact I wanted to make a production install this week with the v3.6.2. I am going to postpone it now.

 

Thanks for your assistance.

Cheers!


1 hour ago, siteAdmin said:

OK, I agree with what you say.

But I don't get the "That username has already been taken." warning. It just goes through and two people with the same email address get registered. Maybe the fault I get does not come up in the version you use. I am testing v3.6.2. I bet you use the v4.0 beta or some other.

Well in this case I shall wait until v4.0 is released.

In fact I wanted to make a production install this week with the v3.6.2. I am going to postpone it now.

 

Thanks for your assistance.

Cheers!

I don't think you understand. It's nothing to do with the Email addresses! It's the Username...

[Screenshot: username.png]


I can't make it any clearer unless I can get it to jump out at you :D. And if someone has the same email address anyway then I'd complain to the provider since they shouldn't allow you to have duplicate email accounts.


I don't see how it's possible to login and access a different customer account. The username must be unique, and when you select "Use email as username", Blesta just saves the email address you entered as the username. Usernames are all stored in the same location, and you must authenticate with the username, not the email address.

Now, back to the topic. Quite a few people have asked for the ability to restrict additional signups using the same email address. This would go hand-in-hand with a setting to force email addresses as the username, and effectively remove the option to specify a different username.

Now, as is the case with us, we have customers who have multiple accounts as a matter of necessity. The same person manages the accounts, but the accounts are for different entities. So, for us this restriction would be detrimental. We created a task for this as part of CORE-1387.

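To pin down the distinction Paul draws above (login is keyed by the username; the email address is only stored) and the password-recovery concern siteAdmin raised earlier in the thread, here is an added Python model that is not Blesta's code: client creation with the "Use email as username" option, a uniqueness check on usernames, a hypothetical `unique_email` setting standing in for what CORE-1387 asks for, and a recovery lookup that refuses an address shared by more than one account. All class and function names and the sample addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class Client:
    id: int
    username: str  # the only identifier consulted at login
    email: str     # contact address; may repeat unless unique_email is set

class DuplicateUsername(Exception): pass
class DuplicateEmail(Exception): pass
class AmbiguousEmail(Exception): pass

class ClientStore:
    def __init__(self, unique_email=False):
        self.unique_email = unique_email  # hypothetical setting modelled on the CORE-1387 request
        self.clients = []

    def create(self, email, username=None, use_email_as_username=False):
        email = email.strip().lower()
        if use_email_as_username:
            username = email  # "Use email as username" just copies the address into the username
        if not username:
            raise ValueError("a username is required")
        username = username.strip().lower()
        if any(c.username == username for c in self.clients):
            raise DuplicateUsername(username)  # the "already been taken" case from the thread
        if self.unique_email and any(c.email == email for c in self.clients):
            raise DuplicateEmail(email)  # only enforced when the optional setting is on
        client = Client(len(self.clients) + 1, username, email)
        self.clients.append(client)
        return client

    def login(self, username):
        """Authentication is keyed by username only (password verification omitted)."""
        username = username.strip().lower()
        return next((c for c in self.clients if c.username == username), None)

    def account_for_reset(self, email):
        """Recovery by address must resolve to exactly one account or be refused."""
        matches = [c for c in self.clients if c.email == email.strip().lower()]
        if len(matches) > 1:
            raise AmbiguousEmail(email)
        return matches[0] if matches else None

def expect(exc, fn, *args, **kwargs):  # True if the call raises exc
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False
```

With the default setting two accounts may share an address, but a login for that address still resolves to the one account whose username it is; the recovery lookup is where a shared address becomes ambiguous, which is why a deployment that wants address-based recovery should also turn on the uniqueness check.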

28 minutes ago, Paul said:

I don't see how it's possible to login and access a different customer account. The username must be unique, and when you select "Use email as username", Blesta just saves the email address you entered as the username. Usernames are all stored in the same location, and you must authenticate with the username, not the email address.

Now, back to the topic. Quite a few people have asked for the ability to restrict additional signups using the same email address. This would go hand-in-hand with a setting to force email addresses as the username, and effectively remove the option to specify a different username.

Now, as is the case with us, we have customers who have multiple accounts as a matter of necessity. The same person manages the accounts, but the accounts are for different entities. So, for us this restriction would be detrimental. We created a task for this as part of CORE-1387.

What is the version you use for the demo at https://www.blesta.com/demo/? Your demo site works perfectly as the same email address is not accepted there. But the version (v3.6.2) I downloaded three days ago behaves differently. You can download it yourself and test it, or if you want I can upload the same script I downloaded from your site. In that, unlike your demo site, an admin can create two different accounts with the same (identical) address. I know it sounds funny but it is happening like that.


43 minutes ago, siteAdmin said:

What is the version you use for the demo at https://www.blesta.com/demo/? Your demo site works perfectly as the same email address is not accepted there. But the version (v3.6.2) I downloaded three days ago behaves differently. You can download it yourself and test it, or if you want I can upload the same script I downloaded from your site. In that, unlike your demo site, an admin can create two different accounts with the same (identical) address. I know it sounds funny but it is happening like that.

Can you screenshot it from the Email address to the "Username" boxes because I bet any money on it they aren't the same usernames. The Email address bit at the top can be the same but the USERNAME can't be the same.


5 hours ago, Paul said:

I don't see how it's possible to login and access a different customer account. The username must be unique, and when you select "Use email as username", Blesta just saves the email address you entered as the username. Usernames are all stored in the same location, and you must authenticate with the username, not the email address.

Now, back to the topic. Quite a few people have asked for the ability to restrict additional signups using the same email address. This would go hand-in-hand with a setting to force email addresses as the username, and effectively remove the option to specify a different username.

Now, as is the case with us, we have customers who have multiple accounts as a matter of necessity. The same person manages the accounts, but the accounts are for different entities. So, for us this restriction would be detrimental. We created a task for this as part of CORE-1387.

Paul, would you consider changing the login page to include email as well? Example: https://secure.inertianetworks.com/client/login

Especially if you are going to allow forcing the email to be the username, this would prevent confusion.
