shopinvader_guest_mode: create() allow to be bound to existing res.partner

shopinvader / odoo-shopinvader

Odoo Modules. Sorry Magento, Shopinvader is coming

GNU Affero General Public License v3.0

121 stars 104 forks source link

shopinvader_guest_mode: create() allow to be bound to existing res.partner #597

Closed rousseldenis closed 1 year ago

rousseldenis commented 4 years ago

When creating guest partner with an existing email, the binding is correctly archived but the new one is bound with existing res.partner.

That is potentially security issue as you can log in (as guest) and be bound to existing partner without password...

@acsonefho @lmignon

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days. If you want this issue to never become stale, please ask a PSC member to apply the "no stale" label.