2

Between these two commits, around line 1136, one of the differences/additions is below:

  1. https://github.com/magento/magento2/blob/524cb8037aaf0cf1835077a9fdbb2f7dc706e9e4/app/code/Magento/Customer/Model/AccountManagement.php
  2. https://github.com/magento/magento2/blob/44265c9c69b2ab860f1c3461a097581d1f01fa40/app/code/Magento/Customer/Model/AccountManagement.php

I am failing to see how having the $guestLoginConfig check would play a part in determining if a given email address is available (aka does not belong to an existing customer already, as I understand the purpose of this function to essentially be). It has broken a custom plugin we rely on. Can anyone explain why it was added? I appreciate any insight.

public function isEmailAvailable($customerEmail, $websiteId = null)
{
    // BEGIN NEWLY ADDED CODE
    $guestLoginConfig = $this->scopeConfig->getValue(
        self::GUEST_CHECKOUT_LOGIN_OPTION_SYS_CONFIG,
        ScopeInterface::SCOPE_WEBSITE,
        $websiteId
    );

if (!$guestLoginConfig) {
    return true;
}
// END NEWLY ADDED CODE

try {
    if ($websiteId === null) {
        $websiteId = $this->storeManager->getStore()->getWebsiteId();
    }
    $this->customerRepository->get($customerEmail, $websiteId);
    return false;
} catch (NoSuchEntityException $e) {
    return true;
}



}
johnsnails
  • 123
  • 5
  • The addition of the $guestLoginConfig check in the isEmailAvailable() function allows handling scenarios where guest checkout is disabled. If guest login is disabled, the function immediately returns true, indicating that the email is available. This change aligns the function's behavior with the guest checkout configuration but may affect custom plugins relying on the previous behavior. Custom code or plugins should be adjusted to handle the updated logic or contact the plugin developer for compatibility. – Banna Online Jul 03 '23 at 06:06

1 Answers1

6

This change is for security purposes.

The default behavior of the isEmailAvailable GraphQL query and (V1/customers/isEmailAvailable) REST endpoint has changed. By default, the API now always returns true. Merchants can enable the original behavior, which is to return true if the email does not exist in the database and false if it exists.

Besides the change in the isEmailAvailable method, there is a new configuration setting in the Stores > Configuration > Sales > Checkout Configuration to allow guests to login in the checkout. It is set to disable by default, which equals the method isEmailAvailable always returns true.

This change was added by the Adobe security team since the most recent release for (Feature + patch release + security patch release), you can check the following commits: https://github.com/magento/magento2/search?q=AC-6695&type=commits

Tu Van
  • 6,868
  • 2
  • 11
  • 22
  • Thank you for the detailed answer and pointing me to where the setting can be configured. – johnsnails Jul 04 '23 at 01:49
  • 1
    @johnsnails My pleasure. You also have a good question! – Tu Van Jul 04 '23 at 02:53
  • @TuVan Is there any way we can overide that function to handle a logic? It has been overided in older version using preference and it worked well but after we did a upgrade it stops working – aravind Sep 30 '23 at 12:27
  • @aravind This change only modifies the logic inside the isEmailAvailable method. Since you overriding that method using preference, it should work as expected. You can use Logger or Xdebug to add log messages or set breakpoints to identify which method (the original method or your method) is called. – Tu Van Sep 30 '23 at 16:30
  • @TuVan Preference didn't work as it's odd so I used plugin and overided the method and it worked – aravind Oct 03 '23 at 11:56