Updating Drupal Commerce created usernames
Thanks to the work of the Drupal security team, we released Drupal Commerce 7.x-1.10 on September 10 to address an information disclosure vulnerability. Last week we released a companion module to that update, Commerce Username Update, to help administrators manage the username update the release requires. The new version also includes a handful of minor bug fixes and a new feature to better support free order notifications on the checkout form.
While Drupal does not consider usernames to be private information, it does consider user e-mail addresses to be kept private. Unfortunately, a default anonymous checkout completion rule in Drupal Commerce versions prior to 7.x-1.0 created a new user account using the customer's e-mail address as their username. Sites with user accounts created on behalf of users via this rule are open to e-mail addresses being exposed to any user (or web crawler) with access to view user profiles or lists of usernames.
The security advisory and release notes for the update both describe the update process. The fix for the vulnerability was delicate, because we couldn't just up and change usernames without notifying users about the change. However, we have no clue how any given site may choose to notify its users or if it's even necessary - for example, a site may be using a module like E-mail Registration to allow users to log in via e-mail address instead of username.
Therefore, administrators who wanted to update usernames as part of the module update process were instructed to set a site variable prior to running update.php. Administrators who didn't do this, or chose not to, are still required to update usernames, so we released the Commerce Username Update module to allow them to run the same update via a form under the store configuration menu. Instructions for that module can be found on its module page.
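Before running either update, an administrator will usually want to know how many accounts are affected. The following Python snippet is an added example, not code from the Drupal Commerce project or the Commerce Username Update module: it scans rows shaped like the `name` and `mail` columns of Drupal 7's `users` table (the sample rows are constructed) and reports the accounts whose username discloses the e-mail address. The equivalent SQL is noted in a comment for anyone who would rather query the database directly.

```python
# Added example: detect Drupal accounts whose username is their e-mail address.
# Assumption (not from the module): the rows mirror the `uid`, `name` and `mail`
# columns of Drupal 7's `users` table. The SQL equivalent would be:
#   SELECT uid, name, mail FROM users WHERE LOWER(name) = LOWER(mail);

# Constructed sample rows standing in for a query against the users table.
SAMPLE_USERS = [
    {"uid": 1, "name": "admin", "mail": "admin@example.com"},
    {"uid": 7, "name": "shopper@example.com", "mail": "shopper@example.com"},
    {"uid": 8, "name": "Other.Buyer@Example.org", "mail": "other.buyer@example.org"},
    {"uid": 9, "name": "jane", "mail": "jane@example.net"},
]


def discloses_email(name, mail):
    """Return True if the username reveals the account's e-mail address.

    The comparison is case-insensitive, since the same address may have been
    stored with different casing in the two columns. A username that merely
    contains the full address is also flagged.
    """
    n = (name or "").strip().lower()
    m = (mail or "").strip().lower()
    return bool(m) and (n == m or m in n)


def find_email_usernames(rows):
    """Return the uids of accounts whose username discloses their e-mail."""
    return [r["uid"] for r in rows if discloses_email(r["name"], r["mail"])]


def summarize(rows):
    """Count affected accounts so an administrator can gauge the update's scope."""
    affected = find_email_usernames(rows)
    return {"total": len(rows), "affected": affected, "count": len(affected)}


if __name__ == "__main__":
    report = summarize(SAMPLE_USERS)
    print("%d of %d accounts use their e-mail address as username: %s"
          % (report["count"], report["total"], report["affected"]))
```

The uids this returns are the accounts the username update will touch; the list is also useful afterwards as a confirmation that the update left none of them with an e-mail address for a username.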
Finally, as I said above, the release wasn't just bug fixes - it also includes a cool new feature we've been sitting on for a while. Drupal Commerce has always supported free orders out of the box, but it never previously had a way to show a specific free order notification in the checkout form. If an order total was $0 and the site's payment method rules were configured to only show payment methods for order totals over $0, then the customer would just proceed and "hopefully" guess that their order was legitimate. Now administrators have a variety of options to manage the message that appears (or doesn't appear) when no payment methods are shown for free orders.