J3 Issue ?
hdouglassmith
5 Sep 2017

Steps to reproduce the issue

New install of Joomla 3.7.5 no sample data
Add 2 new users through administrator (both as 'registered')
Add new menu item to main menu for 'Edit User Profile'
In front end login as 1st new registered user
Go to Edit User Profile Page
Change email address and confirm email address to the 2nd registered user
Click Submit
You see the warning message 'The email address you entered is already in use or invalid. Please enter another email address.' - This is expected
Now click Home (to go away from the profile page)
Click Edit User Profile in menu
Page is now populated with the email address previously submitted but rejected

Expected result

Once the new email address has been rejected, it should be cleared from the cache. If the user misses the warning message and then returns to the user profile page, it looks like the email was successfully changed even though it wasn't.

Actual result

Returning to the user profile page shows the rejected email address of the other user

System information (as much as possible)

Database Version 5.6.37-log
Database Collation utf8_general_ci
Database Connection Collation utf8mb4_general_ci
PHP Version 5.6.31
Web Server Apache
WebServer to PHP Interface cgi-fcgi
Joomla! Version Joomla! 3.7.5 Stable [ Amani ] 14-August-2017 12:09 GMT
Joomla! Platform Version Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
User Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0

Additional comments

This is a usability issue

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
4.00

hdouglassmith - open - 5 Sep 2017
joomla-cms-bot - labeled - 5 Sep 2017
brianteeman - comment - 5 Sep 2017

Page is now populated with the email address previously submitted but rejected

This is almost certainly a browser autocomplete issue.

To verify that please try and create the first user in browser a and the second user in browser b.

hdouglassmith - comment - 5 Sep 2017

Now tested with Firefox, Chrome and Safari
This is NOT an autocomplete error.

Further test,
Login as 1 of the users
Go to edit profile page
Change email address to address of other user but DO NOT change the confirm email address (now both email addresses are different)
Click Submit
You get an error message as expected
Now go to homepage
Then return to Edit Profile Page
The 2 email addresses are different

The issue is that the 'bad data' is being held in the session. From a usability perspective it should be cleared after the submit because it is bad data. By holding it in the session cache, when you return to the page it gives the impression the profile has been updated.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17875.

brianteeman - comment - 5 Sep 2017

Sorry for jumping to a conclusion - I can confirm this issue

franz-wohlkoenig - change - 5 Sep 2017
Status: New → Discussion
ggppdk - comment - 6 Sep 2017

If form is submitted and saving fails

  • then data are added to session to be able to continue editing and correct the error without re-typing

Normally we need some way to decide how to clear the data from session

  • so this is done when user clicks the edit link again
  • or when user clicks cancel

The profile controller is overriding the "edit" task

  • but unlike the code in default edit task it lacks clearing the session data
  • also session data are not cleared when you click cancel

// This line is missing from the edit task of the profile controller
\JFactory::getApplication()->setUserState('com_users.edit.profile.data', null);

// Redirect to the edit screen.
$this->setRedirect(JRoute::_('index.php?option=com_users&view=profile&layout=edit', false));

so if the edit task is patched to have the missing statement this will be fixed

  • that is when you use this edit that goes through edit task

index.php?option=com_users&task=profile.edit&user_id=770

but if you use link from menu "edit user profile":
index.php?option=com_users&view=profile&layout=edit&Itemid=NNN

then you will not go through edit task and you will have same problem

  • not a security issue here, the view itself checks if the user is logged in before accessing the user's profile
    but the bad thing is that without going through the edit task, we cannot easily detect if session data needs to be cleared
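
The two entry paths described in the comment above, modelled as an added stand-alone PHP example (not Joomla code and not posted in the thread). `ProfileFlow` and its methods are hypothetical and the addresses are constructed; only the state key `com_users.edit.profile.data` comes from the comment.

```php
<?php
// Added illustration: a stand-alone model, not Joomla code (needs PHP 7 or later).
// Class and method names are hypothetical; only the state key is from the thread.
const STATE_KEY = 'com_users.edit.profile.data';

final class ProfileFlow
{
    /** @var array<string, mixed> stands in for the per-user session state */
    private $session = [];

    /** @var array<int, string> user id => stored e-mail (constructed sample data) */
    private $emails = [1 => 'first@example.org', 2 => 'second@example.org'];

    // Save task: rejected input is kept in the session so the user can correct
    // it without re-typing; accepted input is stored and the session entry dropped.
    public function save(int $userId, string $email): bool
    {
        $owner = array_search($email, $this->emails, true);
        if ($owner !== false && $owner !== $userId) {
            $this->session[STATE_KEY] = ['email1' => $email];
            return false;
        }
        $this->emails[$userId] = $email;
        unset($this->session[STATE_KEY]);
        return true;
    }

    // Edit task including the clearing statement the comment says is missing.
    public function editTask(int $userId): string
    {
        unset($this->session[STATE_KEY]);
        return $this->editView($userId);
    }

    // Edit view reached directly (menu link): no task runs, nothing is cleared,
    // so leftover session data takes precedence over the stored value.
    public function editView(int $userId): string
    {
        return $this->session[STATE_KEY]['email1'] ?? $this->emails[$userId];
    }
}

$flow = new ProfileFlow();
var_dump($flow->save(1, 'second@example.org')); // address already belongs to user 2
echo $flow->editView(1), PHP_EOL;               // menu-link path: session data still present
echo $flow->editTask(1), PHP_EOL;               // task path: session data cleared before rendering
```

The form value and the stored value only agree again once some code path clears the session entry, which is why the menu-link path keeps displaying the rejected address.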

brianteeman - change - 25 Mar 2018
Labels Added: J3 Issue
brianteeman - labeled - 25 Mar 2018
franz-wohlkoenig - change - 5 Mar 2019
Status: Discussion → Closed
Closed_Date: 0000-00-00 00:00:00 → 2019-03-05 06:10:46
Closed_By: franz-wohlkoenig
joomla-cms-bot - change - 5 Mar 2019
Closed_By: franz-wohlkoenig → joomla-cms-bot
joomla-cms-bot - close - 5 Mar 2019
joomla-cms-bot - comment - 5 Mar 2019
franz-wohlkoenig - comment - 5 Mar 2019

closed as having Pull Request #24088
