Description
Preconditions (*)
- 2.2.4
- 2.2.5
- 2.2.6
- 2.2.7
- 2.2.8
- 2.3.0
- 2.3.1
Steps to reproduce (*)
- Set up multi-store site with at least 2 websites
- Configure customer accounts to be shared globally from admin
- Create a customer account associated to the second website
- Initiate reset password email via REST API at PUT /V1/customers/password
  Payload:
  {
    "email": "user@example.com",
    "template": "email_reset"
  }
- Receive reset password email from the default store, not the second store
Expected result (*)
- Receive email from the store the customer is assigned to
Actual result (*)
- Received email from the initial default store and not the store the customer is assigned to
Use Case Information
We have a client on Magento Cloud with separate websites set up for each region/language (US, Canada, United Kingdom, Spain, China, Japan, etc.). They have mobile apps that will allow customers to register, sign in, register products (custom), and initiate reset password. We needed separate websites to support different base currencies per website.
The mobile apps don't know which website URL to use until a customer authenticates, which caused a chicken/egg situation with authentication/account creation. We made customer accounts global so the mobile apps can hit the default website URL for authentication and be scoped based on the customer's token/assigned store.
The reset password endpoint appears to ignore the customer's store and use the store derived from the website URL scoping.
Investigation
In a couple of other methods in the same \Magento\Customer\Model\EmailNotification class, the customer's assigned store id is used instead of the store derived from website domain/url scoping:
https://github.com/magento/magento2/blob/2.3.1/app/code/Magento/Customer/Model/EmailNotification.php#L169-L172
https://github.com/magento/magento2/blob/2.3.1/app/code/Magento/Customer/Model/EmailNotification.php#L195-L198
https://github.com/magento/magento2/blob/2.3.1/app/code/Magento/Customer/Model/EmailNotification.php#L220-L223
https://github.com/magento/magento2/blob/2.3.1/app/code/Magento/Customer/Model/EmailNotification.php#L319-L322
This seems to be the only method not using customer's store id, and the one causing this issue:
https://github.com/magento/magento2/blob/2.3.1/app/code/Magento/Customer/Model/EmailNotification.php#L343-L346
I'm sort of confused about which approach is the correct approach on a broader level, relying on the website domain/url for determining website scope, or the data passed in being website aware like in the case of the customer.
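
The difference the investigation describes, as an added example that is not part of the original issue and is not Magento's code: a self-contained PHP model that compares taking the store from the request URL with taking it from the customer record, and lists the reset emails that would leave from the wrong website. All store ids, addresses and function names are constructed, and the fallback to the website's default store is an assumption of the example.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not Magento's): store id => website code and sender address.
const STORES = [
    1 => ['website' => 'us', 'sender' => 'support@us.example.com'],
    2 => ['website' => 'uk', 'sender' => 'support@uk.example.com'],
];
const WEBSITE_DEFAULT_STORE = ['us' => 1, 'uk' => 2];

// Resolver A: scope comes from the URL the request arrived on (the behaviour reported above).
function storeFromRequest(int $requestStoreId, array $customer): int
{
    return $requestStoreId;
}

// Resolver B: scope comes from the customer record; the fallback is an assumption of this example.
function storeFromCustomer(int $requestStoreId, array $customer): int
{
    $storeId = $customer['store_id'] ?? 0;
    if (!array_key_exists($storeId, STORES)) {
        $storeId = WEBSITE_DEFAULT_STORE[$customer['website']];
    }
    return $storeId;
}

// Lists every (customer, entry store) pair whose email would leave from another website's store.
function auditResetEmails(callable $resolver, array $customers, array $entryStores): array
{
    $mismatches = [];
    foreach ($customers as $customer) {
        foreach ($entryStores as $requestStoreId) {
            $used = $resolver($requestStoreId, $customer);
            if (STORES[$used]['website'] !== $customer['website']) {
                $mismatches[] = sprintf(
                    '%s: entered via store %d, mailed from %s',
                    $customer['email'], $requestStoreId, STORES[$used]['sender']
                );
            }
        }
    }
    return $mismatches;
}

$customers = [
    ['email' => 'user@example.com', 'website' => 'uk', 'store_id' => 2],
    ['email' => 'other@example.com', 'website' => 'uk', 'store_id' => 0], // no store recorded
];
print_r(auditResetEmails('storeFromRequest', $customers, [1, 2]));
print_r(auditResetEmails('storeFromCustomer', $customers, [1, 2]));
```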