Email unsubscribe doesn't work for an account not currently logged in
-
So instead of making a sane system, one that uses a token to unsubscribe and burns the token if used... they require you to be LOGGED IN to unsubscribe from emails.
Yeah, that doesn't have the potential for abuse at all.
@Sam, you should probably look into getting this fixed before v1. The abuse is on par with password resets not being rate limited.
-
What's the alternative? Letting anyone who gets the notification unsubscribe you? What if you forward the notification to your grandma and she clicks the button? It'll be pure chaos, end of days, cats and dogs sleeping together. CLOSED WONTFIX, BYDESIGN
-
You just confuse them when you say that.
-
So instead of making a sane system, one that uses a token to unsubscribe and burns the token if used... they require you to be LOGGED IN to unsubscribe from emails.
Reference: http://theoatmeal.com/comics/email
-
So instead of making a sane system, one that uses a token to unsubscribe and burns the token if used... they require you to be LOGGED IN to unsubscribe from emails.
Define "if used"
If it's used when the page loads, what happens if I open it on my phone, my phone dies, then I try to open it on my computer?
-
Close the email account, it belongs to the notifications now.
-
Email unsubscribe has two options:
- When the page loads, unsubscribe based off of the token provided in the email
- When the page loads, the user clicks a confirmation button to remove their email
Neither one matters if you're logged in or not to another account, since you're working off a generated UID.
Burn the token when your selected method is achieved.
-
Burn the token when your selected method is achieved.
Ok, that's what I was looking for.
I generally like option 2, because if a virus scanner checks out the URL for option 1, it unsubscribes you.
-
Filed:
https://bitbucket.org/masamunewos/discoursebugs/issue/29/email-unsubscribe-doesnt-work-if-you-are
-
Email unsubscribe has two options:
- When the page loads, unsubscribe based off of the token provided in the email
- When the page loads, the user clicks a confirmation button to remove their email
Neither one matters if you're logged in or not to another account, since you're working off a generated UID.
Burn the token when your selected method is achieved.
This is also considered generally accepted best practice to stay in compliance with the CAN-SPAM Act. Not a requirement per se, but is the best way to stay in compliance. Not particularly difficult to implement either. You can recycle tokens on a 30-day cycle.
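The token-based flow the thread converges on (unsubscribe by a token sent in the email rather than by login state, a confirmation click so that a virus scanner fetching the URL does not unsubscribe you, burn the token once used, and recycle tokens on a 30-day cycle), as an added Python example. This is not Discourse's code nor any poster's; the class and method names, the in-memory store, and the `now` clock parameter are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# 30-day token lifetime, matching the recycle window mentioned in the thread.
TOKEN_TTL_SECONDS = 30 * 24 * 60 * 60


@dataclass
class TokenRecord:
    email: str
    issued_at: float
    used: bool = False


def mask_email(email: str) -> str:
    """Show only enough of the address for the user to recognise it on the confirm page."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"


class UnsubscribeService:
    """Hypothetical in-memory model of the flow. Tokens are stored by SHA-256 so a dump
    of the store does not yield usable links; no handler ever consults a login session,
    so it makes no difference which account (if any) is logged in."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised in tests
        self._records: dict[str, TokenRecord] = {}
        self.subscribed: set[str] = set()

    def subscribe(self, email: str) -> None:
        self.subscribed.add(email)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, email: str) -> str:
        """Mint an unguessable token bound to the address the notification is sent to."""
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = TokenRecord(email=email, issued_at=self._now())
        return token

    def _live_record(self, token: str):
        """Return the record for a token that is known, unused and not expired, else None."""
        key = self._key(token)
        rec = self._records.get(key)
        if rec is None or rec.used:
            return None
        if self._now() - rec.issued_at > TOKEN_TTL_SECONDS:
            del self._records[key]  # expired: recycle the slot
            return None
        return rec

    def handle_get(self, token: str) -> dict:
        """Option 2, step one: render the confirmation page. Nothing changes on GET, so a
        URL-scanning mail filter or link preview cannot unsubscribe anyone, and the same
        link still works if the user opens it again later on another device."""
        rec = self._live_record(token)
        if rec is None:
            return {"status": 404, "body": "This unsubscribe link is invalid or has expired."}
        return {"status": 200, "body": f"Unsubscribe {mask_email(rec.email)}? [Confirm]"}

    def handle_post(self, token: str) -> dict:
        """Option 2, step two: the confirm click. Unsubscribes and burns the token."""
        rec = self._live_record(token)
        if rec is None:
            return {"status": 404, "body": "This unsubscribe link is invalid or has expired."}
        self.subscribed.discard(rec.email)
        rec.used = True
        return {"status": 200, "body": f"{mask_email(rec.email)} will no longer receive notifications."}


if __name__ == "__main__":
    svc = UnsubscribeService()
    svc.subscribe("alice@example.com")  # constructed sample address
    tok = svc.issue_token("alice@example.com")
    print(svc.handle_get(tok))   # confirmation page, still subscribed
    print(svc.handle_post(tok))  # unsubscribed, token burned
    print(svc.handle_post(tok))  # 404: token already used
```

Option 1 from the thread (unsubscribe on page load) would be `handle_post` wired to the GET route; the split into a side-effect-free GET and a confirming POST is what keeps an automated fetch of the link from acting on the user's behalf.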