rubysherpas/forem

unsubscribe link from email not working

pdcoutinho opened this issue · 5 comments

Users are sent an email if their subscribed topics are replied to.

In said email, there is a link to unsubscribe. That link issues a GET request, but routes show a POST, and the website breaks.

http://example.com/forums/some-forum/topics/some-topic/unsubscribe

forem (1.0.0.beta1)
Rails 4.2.0

no route matches get unsubscribe bla bla bla bla ^^

radar commented

Hi @pdcoutinho. Thanks for submitting this issue. Could you please submit a patch to fix it? That would be great. Changing the route to be a GET route should fix it.

@radar This was to protect from a CSRF attack. See #522. Perhaps the authenticity_token can be added as a parameter in the URL.

radar commented

Rather than an authenticity token, could we instead have a unique hash on the topic + subscription that is generated + then is passed through in this request? The route will change to a GET request, and the token will make it so that nobody would be able to CSRF-attack a way for people to unsubscribe.

I'm thinking something such as SecureRandom.hex(24) should be fine for this.

radar commented

Patches welcome to fix this :) I do not have time myself.

radar commented

Turns out I do have time to fix this.

Please review #669 and let me know if it's suitable for you.