Prevent unauthenticated users from being attached to existing customer accounts via email in the cart

[dezeweetjeniet]

Description:
Currently, when an unauthenticated user enters an email address in the cart that belongs to an existing customer, the system automatically attaches the order to that existing customer. This can lead to privacy issues and confusion, as the current user is not logged in and may not be the owner of the email.

Additionally, if the existing user belongs to a user group with specific pricing rules (e.g., discounts), the “guest” customer receives those benefits, and the orders are recorded in the existing user's order history. This can cause:

• Incorrect pricing for the guest user
• Orders appearing in the wrong user's history
• Potential abuse or accidental misuse of special pricing

Expected behavior:
If an unauthenticated user enters an email that belongs to an existing customer, the system should not automatically attach the order.

Options include:

• Prompting the user to log in or authenticate,
• Treating it as a guest checkout without affecting the existing account,
• Providing a warning that the email is associated with an existing account.

Steps to reproduce:

• Open the cart as an unauthenticated user.
• Enter an email address that is already registered with an existing customer.
• Observe that the order is automatically attached to the existing customer, potentially applying discounts or saving orders to the wrong history.

Suggested solution:

• Introduce a check when an unauthenticated email matches an existing account.
• Prevent automatic attachment of the order without authentication.
• Optionally, provide a clear prompt to guide the user.
• An option within the store settings to enable/disable attaching guest orders to existing customer.

The problem occurs in CartController )when an unauthenticated user enters an email address.
The code uses ensureUserByEmail($email) and automatically attaches the order to that existing customer.

https://github.com/craftcms/commerce/blob/a38a5b5ae5e65f56eeb5e6c345fc47508ad4a716/src/controllers/CartController.php#L270C8-L287C10