Frontend Customer checkLimit not working as expected in TYPO3

danielsiepmann
Posts: 8
Joined: 12 Jun 2023, 06:49

Frontend Customer checkLimit not working as expected in TYPO3

Post by danielsiepmann » 18 Jan 2024, 13:03

Our customer called us because one of the shop customers didn't get his account created.
We found the following entry within the aimeos log: Unable to create an account: Temporary limit reached.
We tracked it down to the aimeos/ai-controller-frontend/src/Controller/Frontend/Customer/Standard.php file and its checkLimit() method.

This one is well documented and would check whether the same IP ($context->editor()) has already created two accounts within 14400 seconds ( https://github.com/aimeos/ai-controller ... d.php#L461 ).

That's all fine. But using TYPO3 the column customer.editor is not available ( https://github.com/aimeos/ai-typo3/blob ... 3.php#L238 ), which leads to the IP address being ignored. This will lead to blocking new user accounts whenever two new accounts were created within 14400 seconds (= 240 minutes = 4 hours).
That doesn't sound good.

We have now increased the number of allowed accounts and reduced the number of seconds as a temporary workaround. Maybe it would make sense to add the column to TYPO3 fe_users and have a proper IP based check.

But one should also ensure that the IP is removed after a certain amount of time, due to DSGVO. TYPO3 already offers a scheduler task for that: https://github.com/TYPO3/typo3/blob/12. ... onTask.php. This can be configured to also handle the table and field.

We probably will add that as proper solution within the customer installation.

So this post is not a request for help, but feedback on the current situation with a request to consider the current situation and whether it would make sense to optimize that situation.
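
The effect described in this post, as an added example that is not part of the original post and not Aimeos code: a simplified model of a "max N accounts per time window" check, evaluated with and without the per-address condition. The function name, the record layout and the sample addresses are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Simplified model of the limit discussed above (not the Aimeos code):
 * true if $max or more accounts were created within the last $window seconds.
 * $editor = null models a customer table without a usable editor column,
 * so the per-address condition cannot be applied.
 */
function limitReached(array $accounts, int $now, int $max, int $window, ?string $editor): bool
{
    $recent = array_filter(
        $accounts,
        static fn (array $a): bool => $a['ctime'] >= $now - $window
            && ($editor === null || $a['editor'] === $editor)
    );

    return count($recent) >= $max;
}

// Constructed sample data: two unrelated visitors registered within the last hour.
$now = 1705582980;
$accounts = [
    ['ctime' => $now - 3000, 'editor' => '198.51.100.7'],
    ['ctime' => $now - 1200, 'editor' => '203.0.113.42'],
];

$cases = [
    // label => [max accounts, window in seconds, editor used for the check]
    'per-address check, new visitor 192.0.2.15' => [2, 14400, '192.0.2.15'],
    'no editor column, new visitor'             => [2, 14400, null],
    'workaround 10 accounts / 300 s, no editor' => [10, 300, null],
];

foreach ($cases as $label => [$max, $window, $editor]) {
    $blocked = limitReached($accounts, $now, $max, $window, $editor);
    printf("%-45s %s\n", $label, $blocked ? 'registration blocked' : 'registration allowed');
}
```

Without the address condition the limit is site-wide, so the workaround values can only trade fewer false blocks against a looser limit on automated registrations.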

danielsiepmann
Posts: 8
Joined: 12 Jun 2023, 06:49

Re: Frontend Customer checkLimit not working as expected in TYPO3

Post by danielsiepmann » 18 Jan 2024, 13:05

Another remark: The order passed through but only contained digital products. That leaves the customer in a situation where he pays and receives emails without a way to log in and download the products.

We work around that by manually creating the user record and linking it to the user.

danielsiepmann
Posts: 8
Joined: 12 Jun 2023, 06:49

Re: Frontend Customer checkLimit not working as expected in TYPO3

Post by danielsiepmann » 18 Jan 2024, 13:47

Registration for anonymization can be done this way in ext_localconf.php:

\TYPO3\CMS\Core\Utility\ArrayUtility::mergeRecursiveWithOverrule($GLOBALS['TYPO3_CONF_VARS'], [
    'SC_OPTIONS' => [
        'scheduler' => [
            'tasks' => [
                \TYPO3\CMS\Scheduler\Task\IpAnonymizationTask::class => [
                    'options' => [
                        'tables' => [
                            'fe_users' => [
                                'dateField' => 'crdate',
                                'ipField' => 'aimeos_editor',
                            ],
                        ],
                    ],
                ],
            ],
        ],
    ],
]);

Where aimeos_editor is the actual column name. Note that anonymization will replace the last parts of the address with 0 …

Creation of the column can happen within ext_tables.sql:

CREATE TABLE fe_users (
    aimeos_editor varchar(39) DEFAULT '' NOT NULL,
);

And this is our patch to the aimeos package:

diff --git a/config/mshop/customer.php b/config/mshop/customer.php
index d99e791..4caa9dd 100644
--- a/config/mshop/customer.php
+++ b/config/mshop/customer.php
@@ -647,9 +647,9 @@ return array(
 						"title", "first_name", "last_name", "address", "zip", "city", "zone",
 						"language", "telephone", "email", "fax", "www", "longitude", "latitude",
 						"date_of_birth", "disable", "password", "tstamp", "static_info_country",
-						"usergroup", "pid", "siteid", "crdate"
+						"usergroup", "pid", "siteid", "crdate", "aimeos_editor"
 					) VALUES ( :values
-						?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?
+						?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?
 					)
 				',
 			),
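Review bot: The added "aimeos_editor" column and its trailing ? in the INSERT line up with the value bound in Typo3.php by position only, and nothing in the statement documents that. Add a short comment next to the column list saying that aimeos_editor must stay last, after crdate, so that a later column addition does not silently shift the address into another field. The statement also depends on the fe_users column from the ext_tables.sql change and will fail where that schema update has not been applied, which is worth stating in the same comment.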
@@ -661,7 +661,7 @@ return array(
 						"first_name" = ?, "last_name" = ?, "address" = ?, "zip" = ?, "city" = ?, "zone" = ?,
 						"language" = ?, "telephone" = ?, "email" = ?, "fax" = ?, "www" = ?, "longitude" = ?,
 						"latitude" = ?, "date_of_birth" = ?, "disable" = ?, "password" = ?, "tstamp" = ?,
-						"static_info_country" = ?, "usergroup" = ?, "pid" = ?
+						"static_info_country" = ?, "usergroup" = ?, "pid" = ?, "aimeos_editor" = ?
 					WHERE ( "siteid" LIKE ? OR siteid = \'\' ) AND "uid" = ?
 				',
 			),
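Review bot: In the UPDATE statement, "aimeos_editor" = ? rewrites the column on every save of an existing customer, so the value recorded at registration is replaced by whatever $context->editor() returns at that moment. If the column exists so that checkLimit() can count accounts created per address, consider leaving it out of the UPDATE, or confirm that editor() never returns a value longer than the varchar(39) column defined in ext_tables.sql.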
diff --git a/src/MShop/Customer/Manager/Typo3.php b/src/MShop/Customer/Manager/Typo3.php
index 888b302..cddd8b3 100644
--- a/src/MShop/Customer/Manager/Typo3.php
+++ b/src/MShop/Customer/Manager/Typo3.php
@@ -234,11 +234,11 @@ class Typo3
 			'type' => 'datetime',
 			'internaltype' => \Aimeos\Base\DB\Statement\Base::PARAM_STR,
 		),
-		// not available
+		// Added in customer installation
 		'customer.editor'=> array(
 			'label' => 'Customer editor',
 			'code' => 'customer.editor',
-			'internalcode' => null,
+			'internalcode' => 'mcus."aimeos_editor"',
 			'type' => 'string',
 			'internaltype' => \Aimeos\Base\DB\Statement\Base::PARAM_STR,
 		),
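Review bot: The replacement comment "// Added in customer installation" does not say what the mapping depends on. With 'internalcode' => 'mcus."aimeos_editor"', every search on customer.editor references a column that only exists after the ext_tables.sql change, so name that column and file in the comment to keep the dependency visible when the patch is later removed.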
@@ -608,12 +608,14 @@ class Typo3
 			$stmt->bind( $idx++, $this->pid, \Aimeos\Base\DB\Statement\Base::PARAM_INT ); // TYPO3 PID value
 
 			if( $id !== null ) {
+                $stmt->bind( $idx++, $context->editor(), \Aimeos\Base\DB\Statement\Base::PARAM_STR ); // IP Address
 				$stmt->bind( $idx++, $context->locale()->getSiteId() . '%' );
 				$stmt->bind( $idx, $id, \Aimeos\Base\DB\Statement\Base::PARAM_INT );
 				$item->setId( $id );
 			} else {
 				$stmt->bind( $idx++, $this->siteId( $item->getSiteId(), \Aimeos\MShop\Locale\Manager\Base::SITE_SUBTREE ) );
-				$stmt->bind( $idx, time(), \Aimeos\Base\DB\Statement\Base::PARAM_INT ); // Creation time
+				$stmt->bind( $idx++, time(), \Aimeos\Base\DB\Statement\Base::PARAM_INT ); // Creation time
+                $stmt->bind( $idx++, $context->editor(), \Aimeos\Base\DB\Statement\Base::PARAM_STR ); // IP Address
 			}
 
 			$stmt->execute()->finish();
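Review bot: The two added $stmt->bind( $idx++, $context->editor(), ... ) lines are indented with spaces while the surrounding lines use tabs; match the file's tab indentation. In the else branch the final bind can use plain $idx, as the line it follows did before the change when it was the last parameter, which keeps the convention that only the last bind omits the increment. The bind order in both branches has to match the placeholder order in config/mshop/customer.php (editor before siteid and uid on update, editor after crdate on insert), and a one-line comment saying so would help the next reader.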

aimeos
Administrator
Posts: 7894
Joined: 01 Jan 1970, 00:00

Re: Frontend Customer checkLimit not working as expected in TYPO3

Post by aimeos » 18 Jan 2024, 15:41

The IP address is only used if the user is not logged in:
https://github.com/aimeos/aimeos-typo3/ ... t.php#L338

The IP address (or the user e-mail address) is also stored in the mshop_order table along with the order instead of the fe_users table. If the mshop_order.editor column contains an empty value, the problem is likely here:
https://github.com/aimeos/aimeos-typo3/ ... #L332-L339

Or there could be a problem here because only the user ID is updated, not the editor in the context:
https://github.com/aimeos/ai-client-htm ... rd.php#L55

Also, don't care about storing the IP address because of DSGVO. The order already contains the full address of the customer which is much more sensitive personal data.

danielsiepmann
Posts: 8
Joined: 12 Jun 2023, 06:49

Re: Frontend Customer checkLimit not working as expected in TYPO3

Post by danielsiepmann » 22 Jan 2024, 07:16

Thanks for your answer. I could verify that the context contains the IP address.

The issue then still seems to be https://github.com/aimeos/ai-typo3/blob ... 3.php#L238 in combination with https://github.com/aimeos/ai-controller ... d.php#L504 as the check happens against the user table, not the order table. And the column is not defined for the user table.

aimeos
Administrator
Posts: 7894
Joined: 01 Jan 1970, 00:00

Re: Frontend Customer checkLimit not working as expected in TYPO3

Post by aimeos » 22 Jan 2024, 10:13

You are right, it's about creating new customer accounts, not placing orders.

And indeed, your solution seems to be the only viable one, but we can't add it to 2023.10 LTS because of the necessary database schema change. We will add the "editor" column to the fe_users table for 2024.x, but in the meantime, the only option for you is to increase the count and decrease the time in which new customer accounts can be created, e.g. 10 accounts in 300 seconds (depending on how many new accounts to expect).

danielsiepmann
Posts: 8
Joined: 12 Jun 2023, 06:49

Re: Frontend Customer checkLimit not working as expected in TYPO3

Post by danielsiepmann » 22 Jan 2024, 10:15

Thanks for confirming the issue and approach :) Can you tell me the column name? We currently apply the patch in our project. So using the same column name would make updates way easier as we only would need to remove our patch.

aimeos
Administrator
Posts: 7894
Joined: 01 Jan 1970, 00:00

Re: Frontend Customer checkLimit not working as expected in TYPO3

Post by aimeos » 22 Jan 2024, 10:36


danielsiepmann
Posts: 8
Joined: 12 Jun 2023, 06:49

Re: Frontend Customer checkLimit not working as expected in TYPO3

Post by danielsiepmann » 22 Jan 2024, 10:37

Thank you very much :)
