Reset password email sent from wrong store

[Axel29]

Preconditions (*)

1. Magento >= 2.3.4 (tested on Magento 2.3.4)

Steps to reproduce (*)

1. Login to Magento Backend
2. Go to Stores > All Stores and create a new website and a new store associated to that website
3. Go to Stores > Configuration > General > Web and use a different domain for the new website
4. Go to Stores > Configuration > General > General > Locale Options and set the new store's language to a different one from the default store
5. Go to Stores > Configuration > Customers > Customer Configuration > Account Sharing Options and enable account sharing
6. Go to Magento Store Frontend in the first (default) store
7. Create a customer account
8. Go to the second store
9. Go to the forgot password page and send the form using the email used in step 6 (create a customer account)

Expected result (*)

1. Customer receives an email sent in the correct language
2. Customer gets redirected to the login page of the second store view
3. The URL in the footer is the one of the second store view

Actual result (*)

1. Customer receives an email sent in the language of the store he created his account in
2. Customer gets redirected to the login page of the store he created his account in
3. The URL in the footer is the one of the store he created his account in

Explanation

The bug seems to have appeared in Magento 2.3.4 after changing the method \Magento\Customer\Model\EmailNotification::passwordResetConfirmation.

Before Magento 2.3.4, the code did this:

    public function passwordResetConfirmation(CustomerInterface $customer)
    {
        $storeId = $this->storeManager->getStore()->getId();
        if (!$storeId) {
            $storeId = $this->getWebsiteStoreId($customer);
        }

        $customerEmailData = $this->getFullCustomerObject($customer);

        $this->sendEmailTemplate(
            $customer,
            self::XML_PATH_FORGOT_EMAIL_TEMPLATE,
            self::XML_PATH_FORGOT_EMAIL_IDENTITY,
            ['customer' => $customerEmailData, 'store' => $this->storeManager->getStore($storeId)],
            $storeId
        );
    }

but was changed to this:

    public function passwordResetConfirmation(CustomerInterface $customer)
    {
        $storeId = $customer->getStoreId();
        if (!$storeId) {
            $storeId = $this->getWebsiteStoreId($customer);
        }

        $customerEmailData = $this->getFullCustomerObject($customer);

        $this->sendEmailTemplate(
            $customer,
            self::XML_PATH_FORGOT_EMAIL_TEMPLATE,
            self::XML_PATH_FORGOT_EMAIL_IDENTITY,
            ['customer' => $customerEmailData, 'store' => $this->storeManager->getStore($storeId)],
            $storeId
        );
    }

The problem si that the customer's store ID is retrieved instead of the current store ID.

I think the issue was introduced in this GitHub issue: https://github.com/magento/magento2/issues/5726 which clearly didn't take into account the multi-website / multi-domain and frontend email.

[m2-assistant[bot]]

Hi @krishprakash. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

• [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• [ ] 5. Add label Issue: Confirmed once verification is complete.

• [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

[neddy236]

I confirm this issue is still valid in 2.3.5p2 and reverting it to the old method works fine.

[m2-assistant[bot]]

Hi @engcom-Delta. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

• [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• [ ] 5. Add label Issue: Confirmed once verification is complete.

• [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

[engcom-Delta]

Hi @Axel29 thank you for your report. Is issue reproducible with "Account Sharing Options=Global" ? Could you clarify point 5 from Steps to Reproduce section?

[Axel29]

Hi @engcom-Delta yes that is exactly what I meant in step 5, enable sharing accounts globally.

[engcom-Delta]

@Axel29 \Magento\Customer\Model\EmailNotification::passwordResetConfirmation by PR https://github.com/magento/magento2/pull/24783 to fix issue https://github.com/magento/magento2/issues/23295 Current behavior should be discussed as improvement in scope of Feature Request to save changes from https://github.com/magento/magento2/pull/24783 related to api Manual testing scenario: Case 1:

1. Set Add Store Code to Urls=Yes
2. Go to Magento Store Frontend in the first (default) store
3. Create a customer account
4. Go to the second store
5. Go to the forgot password page and send the form using the email used in step 3 (create a customer account)

Current behavior:

• Customer gets redirected to the login page of additional website view
• Customer receives an email sent on english (default website locale)
• Set a New Password link from email leads to default website

Case 2:

1. Set Add Store Code to Urls=Yes
2. Go to Magento Store Frontend in the additional (second) store
3. Create a customer account
4. Go to the default store
5. Go to the forgot password page and send the form using the email used in step 3 (create a customer account)

Current behavior:

• Customer gets redirected to the login page of default website view
• Customer receives an email sent on german (additional website locale)
• Set a New Password link from email leads to additional website

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 14 days if no further activity occurs. Is this issue still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? Thank you for your contributions!

[Axel29]

The issue is still relevant.

[neddy236]

The problem with our installation is a double edged blade case. Both approaches seems correct. We had 1 website with 2 store views

Example if the customer was opened in english store ( id: 2) magento tries to attach store id 2 url for the customer to reset the password.

The problem was that english store was disabled, so the customer got redirected to homepage. Proposed solution to this is to add a check if the customers store code is disabled send the email from the store id that it was requested. On this case store id 1.

The old code makes a lot more sense though because if the customer navigates to a store view that he understands the language then its ok to send him email with links with the store url that they were requested.

[ledian-hymetllari]

hi @Axel29, based on your code, looks like one line of code has been changed $storeId = $this->storeManager->getStore()->getId(); to $storeId = $customer->getStoreId();

Have you tried to revert this change and create a PR with Magento?

[Nuranto]

I have the same issue for user created from admin. They have store_id = 0, website_id = 7. So the store_id does not fit.

The behavior of having store_id = 0 when created from admin is actually a M1 bug, so the issue is on data migration tool. A simple fix for that is to update store_id in customer table.

Hope it helps.

[warngard]

We are experiencing this without migrated data and also without "Account Sharing Options=Global" enabled.

However we are creating customers with the API so this is probably why they don't have the same created in and associated with.

[MaksSum41]

@magento I am working on this.

[m2-assistant[bot]]

Hi @MaksSum41! :wave: Thank you for collaboration. Only members of Community Contributors Team are allowed to be assigned to the issue. Please use @magento add to contributors team command to join Contributors team.

[MaksSum41]

@magento add to contributors team

[m2-assistant[bot]]

Hi @MaksSum41! :wave: Thank you for joining. Please accept team invitation :point_right: here :point_left: and add your comment one more time.

[MaksSum41]

@magento I am working on this.