Easy-digital-downloads: Customer record not linking to already-registered WP user

I don't believe so. We chose to only link a new user to an existing
customer with user verification, and I'd have to recall he conversation but
chose not to link a guest customer to an existing user. I think it was

related to file access.

Chris Klosowski
[email protected]
@cklosowski

I wonder if there's something we can do about that. Imagine a community site (running bbPress/BuddyPress or something) decides to open a store. That's potential for hundreds, if not thousands of users making purchases and creating customer records that will not connect to their user accounts. That's a lot for the admin to handle.

Thoughts one what could be done to improve this behavior?

There's probably something we can do.

Personally if you try and make a guest purchase with an email that has a
user, we should prompt you to login. That, while a bit annoying stops the

potential for a lot of disparate data in the long run.

Chris Klosowski
[email protected]
@cklosowski

I raised the ticket Sean. That's my issue with it, I already have 90,000+ registered users on my website but I'm just now switching over to EDD. That's a whole lot of e-mails from users wondering where their purchase history is and more work for me having to manually assign users to purchases if they forgot to log in to buy something.

@nate82 Yeaj I can he concern. We'll have to be careful how we implement to avoid some security concerns.

For your specific case I've seen people write a quick PHP script that iterates through customers, and if they don't have a user ID find the user with that email and associate.

@cklosowski Are you referring to https://github.com/convert/rekko-edd-buy-now/
I just tested that plugin and it does work except it doesn't add the user id or profile info to the customer, only the e-mail address. It'll work for now until you guys figure it out in core.

The idea of a login prompt seems like a lot of potential frustration with forgotten passwords and abandoned carts.

@Nate82 no, it was not a plugin, it was a custom script they wrote.

Frustration, maybe, but honestly I see some issues with automatically associating a guest purchase (logged out user) with an existing user. You can never assume that the person who is logged out (even though they are supplying the same email address) is the same person as the user. That just leads to a breach in association of data.

Just like WordPress comments, if you are logged into a site, and leave a comment with an email address associated with a user account of the same email, it doesn't associate that comment to that user (and that's a far less sensitive issue than a payment record).

Why can't we have some sort of verification system that works the same as when a user account is created using the same email address as a customer record (from a previous guest purchase)?

When the guest purchase is submitted using a WP user's email, we detect that and send out an email with a verification link. Clicking that link connects the account with the customer record. If they have access to that email, I'm not exactly sure how it's a security issue.

@cklosowski I guess there's more to it than I imagine, I'm not a developer. I just don't see why a guest user would use someone else's email address to make a purchase, they would still need to know the user's WordPress password to log in to the account and access any past orders, right? I'm probably missing something, I'll bow out and let you guys handle it lol

@Nate82 Yes, at the base level, it's easy to associate it, but thinking from a 'security' standpoint, associating data when someone isn't really associated can cause a situation where you a store owner can confuse the two, and possibly provide more information than necessary to someone who isn't actually the customer.

Combined with extensions and what not, there are just too many cases where we want to make sure there is some sort of user verification that happens before associating a guest purchase with an existing WordPress user.

I think we should automatically associate the guest customer with the user account. That only makes sense to me.

We already have a user/customer verification system so we can use that to verify the customer already has ownership of the account.

@pippinsplugins yeah I'm fine if we trigger the user verification system, but that could be pretty abrupt to someone who just forgets to login.

Is there a better solution?

I don't think that's abrupt. It's a pretty standard process to buy a service or product from a site and then get an email saying "We need to verify your account! Click here to verify."

Fair enough, I'm fine with auto association as long as it's not without some sort of validation.

Just tell them in the e-mail why they need to verify so it's not so abrupt, something like "Looks like you already have an account with us, click here to verify your email and link this order to your account"

This is ready for testing!

Note, this requires PR for #5689 to be merged first.

This is working well for me on issue/5579. :+1:

Great, merged!