Feature #99904

open

Process for e-mail recovery if an e-mail is used in more than one fe_user

Added by Timo Poppinga about 1 year ago. Updated about 1 year ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
felogin
Start date:
2023-02-09
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

If an e-mail is used by more than one fe_user, only the first matching record is fetched:

https://github.com/TYPO3-CMS/felogin/blob/main/Classes/Domain/Repository/FrontendUserRepository.php#L134

and in the recovery mail:

https://github.com/TYPO3-CMS/felogin/blob/main/Classes/Controller/PasswordRecoveryController.php#L62

Only one link is set.

If a mail is used more than once, the recovery mail should contain a list of all users matching this mail and a recovery link for each user.

#1

Updated by Torben Hansen about 1 year ago

  • Category set to felogin

You have multiple frontend users in the same storage folder and at least 2 of those frontend users share the same email address? What exactly is the use case for this scenario? Different users with different access permissions maybe?

From a security perspective it is also not a good idea and bad design to allow the same email address for multiple users within the same storage folder (yes, TYPO3 actually allows this). If e.g. 2 individuals use the same email account and have 2 unique frontend user accounts in TYPO3, which both use the same email address, then it cannot be verified that the account owner actually changed the password in the password reset process.

I do not agree that TYPO3 should support this scenario, since it adds an additional layer of complexity to ext:felogin and the password reset process.

#2

Updated by Timo Poppinga about 1 year ago

Hi Torben,

Thanks for your reply!

In real life there are numerous scenarios where multiple accounts with one mail address are meaningful.

I will give you two:

1. You have a family, Mum, Dad, Son and Daughter, using one family mail address like . This also undermines your security argument to some extent.

2. You have a service portal, e.g. a B2B portal with different accounts and subjects like Company1 and Company2, which need to be separate for security and regulatory reasons. It happens quite often that the same person with the same e-mail is responsible for two accounts, like a bookkeeper, a business owner with more than one company, a freelancer and so on.

Long story short, we do have many cases and projects where the same mail is used, and this is a reasonable use and not an edge-case scenario.

If we support accounts with the same e-mail, which we should do, we need a proper password reset process. I can compromise: the password reset will then be done via the username.

Btw, e-mail use in the private area is more than dead!
In business it will probably be the same, so we should think about more modern concepts for authentication and password recovery, but this is another topic.

#3

Updated by Torben Hansen about 1 year ago

Your examples do not really convince me. Think of a website with a forum. For your first scenario, the son could reset the daughter's password and write a personal message to mum saying something bad. The daughter cannot prove it was not her who wrote the message. This is a general problem with sharing accounts or email addresses.

The TYPO3 backend login does also not consider this scenario and refuses to send a password recovery email if multiple backend accounts with the same email address exist.

So I would still not support this core-wise and would opt for streamlining the password recovery feature of ext:felogin with how the TYPO3 backend handles it (send no email if multiple accounts with the same email exist, and show a message instead).

A new PSR-14 event could be added, where developers can implement a process that fulfills project requirements.
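The behaviour proposed in this comment (no mail when the address is ambiguous, plus an event through which a project can resolve the ambiguity itself), as an added illustration in plain PHP 8.0+. This is not ext:felogin's or TYPO3's own code: the `AmbiguousRecoveryEmailEvent` class, the `resolveRecoveryUser()` function, the neutral message wording and the sample fe_users are all constructed for this example.

```php
<?php
declare(strict_types=1);
// Constructed sample fe_users: two accounts share one address (the scenario from the issue).
$feUsers = [
    ['uid' => 1, 'username' => 'mum',   'email' => 'family@example.com'],
    ['uid' => 2, 'username' => 'dad',   'email' => 'family@example.com'],
    ['uid' => 3, 'username' => 'alice', 'email' => 'alice@example.com'],
];

// Hypothetical event (not a real TYPO3 class). A listener may set $selected to exactly
// one of $matches; leaving it null keeps the safe default of sending nothing.
final class AmbiguousRecoveryEmailEvent
{
    public ?array $selected = null;
    public function __construct(public string $email, public array $matches) {}
}

// Returns ['user' => <record>|null, 'message' => <string>|null]. One match: mail that user.
// Zero or several matches: no mail, and the same neutral message for both cases, so the
// form does not reveal whether an address is registered (assumed wording, not TYPO3's).
function resolveRecoveryUser(array $feUsers, string $email, ?callable $listener = null): array
{
    $matches = array_values(array_filter(
        $feUsers,
        fn (array $u): bool => strcasecmp($u['email'], $email) === 0
    ));
    if (count($matches) === 1) {
        return ['user' => $matches[0], 'message' => null];
    }
    if (count($matches) > 1 && $listener !== null) {
        $event = new AmbiguousRecoveryEmailEvent($email, $matches);
        $listener($event);
        // Only accept a selection that is actually one of the matching records.
        if ($event->selected !== null && in_array($event->selected, $matches, true)) {
            return ['user' => $event->selected, 'message' => null];
        }
    }
    return ['user' => null, 'message' => 'If the address is known, a recovery mail has been sent.'];
}

// Default: the shared address yields no mail at all.
$default = resolveRecoveryUser($feUsers, 'family@example.com');

// Project listener: disambiguate by a username the visitor also typed (constructed input).
$typedUsername = 'dad';
$listener = function (AmbiguousRecoveryEmailEvent $e) use ($typedUsername): void {
    $hit = array_filter($e->matches, fn (array $u): bool => $u['username'] === $typedUsername);
    $e->selected = count($hit) === 1 ? array_values($hit)[0] : null;
};
$resolved = resolveRecoveryUser($feUsers, 'family@example.com', $listener);
printf("default: %s; with listener: uid %d\n", $default['user'] === null ? 'no mail' : 'mail', $resolved['user']['uid']);
```

With the listener registered, the visitor still has to know the username as well as the address, which is the compromise suggested in comment #2; without it, an ambiguous address is treated like an unknown one.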

#4

Updated by Timo Poppinga about 1 year ago

So if a family has the problem you described, they have a profound trust problem that we cannot solve technically and should be solved through social work. By the way, I am also talking about children younger than 6 years, where the guardians decide not to create email addresses for the children, which I respect.

Your proposal is good because the standard will be: one account, one email address. As far as we can customize it via an event, it is fine for me.

BTW: in TYPO3 11 the reset with multiple e-mails is broken, see issue #99902

#5

Updated by Benni Mack about 1 year ago

  • Target version changed from 12 LTS to Candidate for Major Version