Re: X-Cart v5.3.5: Better Email Delivery, Multivendor Improvements, Orders Feed for Royal
Found really annoying behavior and to me this is a bug in the system.
When login in (admin or storefront) XC is searching for accounts to match the email address entered as login. If found it selects the first one.
At this stage it completely ignores everything but the email. It doesn't matter if password matches or if the login is for the admin or storefront.
This is a problem for any store upgrading from XC4 to XC5 when there are multiple accounts with same email. In XC4 you can have admin and customer accounts share the same email address/login. The check for which account to select at login is based on the area you are login into. And if there are multiple account with same email for storefront - it depends if this is anonymous account or not.
XC5 ignores all that.
Moving site from XC4 to XC5. There are 2 accounts with same email - one for admin and one for customer. The customer account has lower userid as it was created before the admin account. So when this is migrated to XC5 and you try to login to admin - guess what - XC5 finds the customer account (it is listed first as it has lower id) and of course the login to admin will fail.
This is because XC5 searches for accounts with "email", then selects the first one. Then checks if this is an admin account. Then checks if password matches...
But all these secondary checks are performed on an account which was selected solely based on email address only.
This is really not how it should be done. The conditions for the search should include "email and is admin or not (based on which area the login is for)".
While you are not allowed to create multiple accounts with same email address from admin (or as customer) going through a direct database import can lead to issues like this.
And since we do have separation of accounts roles to begin with I don't see the reason for not allowing admin and customer accounts to share email addresses. Determination of which account can login where must be done based on the role assigned to the account not by email. Otherwise the role is useless.