Donor can modify existing fields of honoree
Overview
Values specified in the honoree fields of a contribution update existing values of the honoree contact record.
Reproduction steps
- Ensure that the unsupervised dedupe rule requires first name and email to match.
- Create an honoree contact: Joe Honoree, joe@honoree.com.
- Create a contribution page with the Honoree section enabled. Use the default honoree profile consisting of first name, last name, email.
- Make a contribution, specifying for the honoree joE WrongName, joe@honoree.com.
Current behaviour
The honoree contact has been changed to joE WrongName.
In addition to the last name in the honoree's contact record being changed completely, the capitalization of the first name has also been changed.
Expected behaviour
Existing fields in the honoree's contact record should not be changeable by a third party (donor). It would be best to create a new contact which can later be manually deduped, rather than to allow a third party to overwrite existing information.
Environment information
- CiviCRM: 5.20.0
- PHP: 7.2.25
- CMS: Drupal 7.30
- Database: MariaDB 10.0
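
The following is an added example, not CiviCRM code and not part of the original report: a small Python model of the reproduction steps, with the reported overwrite-on-match handling beside the "create a new contact for manual dedupe" handling the report asks for. The class and function names are hypothetical, and the case-insensitive match on first name and email is an assumption inferred from the "joE" result above.

```python
def match_key(fields):
    # Dedupe rule from the report: first name + email.
    # Case-insensitive comparison is an assumption (see lead-in).
    return (fields["first_name"].casefold(), fields["email"].casefold())


class ContactStore:
    """Hypothetical in-memory stand-in for the contact table."""

    def __init__(self):
        self.contacts = {}

    def create(self, fields):
        cid = len(self.contacts) + 1
        self.contacts[cid] = dict(fields)
        return cid

    def find_match(self, fields):
        key = match_key(fields)
        for cid, existing in self.contacts.items():
            if match_key(existing) == key:
                return cid
        return None


def save_honoree_overwrite(store, submitted):
    """Reported behaviour: donor-supplied values replace the matched record."""
    cid = store.find_match(submitted)
    if cid is None:
        return store.create(submitted)
    store.contacts[cid].update(submitted)
    return cid


def save_honoree_no_overwrite(store, submitted):
    """Expected behaviour: reuse a match only if nothing would change;
    otherwise create a separate contact to be deduped manually later."""
    cid = store.find_match(submitted)
    if cid is not None and all(
        store.contacts[cid].get(k) == v for k, v in submitted.items()
    ):
        return cid
    return store.create(submitted)


def demo(save):
    # Constructed data mirroring the reproduction steps.
    store = ContactStore()
    joe = store.create({"first_name": "Joe", "last_name": "Honoree", "email": "joe@honoree.com"})
    used = save(store, {"first_name": "joE", "last_name": "WrongName", "email": "joe@honoree.com"})
    return store.contacts[joe], used, len(store.contacts)
```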