rubysherpas / forem

The best Rails 3 and Rails 4 forum engine. Ever.
http://forem.herokuapp.com
MIT License

unsubscribe link from email not working #662

Open pdcoutinho opened 9 years ago

pdcoutinho commented 9 years ago

Users are sent an email if their subscribed topics are replied to.

In said email, there is a link to unsubscribe. That link issues a GET request, but the routes show a POST, and the website breaks.

http://example.com/forums/some-forum/topics/some-topic/unsubscribe

forem (1.0.0.beta1) Rails 4.2.0

no route matches get unsubscribe bla bla bla bla ^^

radar commented 9 years ago

Hi @pdcoutinho. Thanks for submitting this issue. Could you please submit a patch to fix it? That would be great. Changing the route to be a GET route should fix it.

Nateowami commented 9 years ago

@radar This was to protect from a CSRF attack. See #522. Perhaps the authenticity_token can be added as a parameter in the URL.

radar commented 9 years ago

Rather than an authenticity token, could we instead have a unique hash on the topic + subscription that is generated + then is passed through in this request? The route will change to a GET request, and the token will make it so that nobody would be able to CSRF-attack a way for people to unsubscribe.

I'm thinking something such as SecureRandom.hex(24) should be fine for this.
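How the token-in-the-URL scheme proposed above could be wired up, as an added example that is not forem's own code: the `Subscription` struct, `handle_unsubscribe` and `parse_query` are hypothetical stand-ins for the real model and controller, and the path shape is taken from the issue report.

```ruby
require "securerandom"
require "uri"

# Hypothetical in-memory stand-in for a forem Subscription record (not the project's model).
Subscription = Struct.new(:id, :topic_slug, :subscriber, :unsubscribe_token, :active)

# 24 random bytes -> 48 hex characters (192 bits of entropy), as suggested in the thread.
# Unguessable, so a third-party site cannot construct a working unsubscribe URL.
def generate_unsubscribe_token
  SecureRandom.hex(24)
end

def build_subscription(id, topic_slug, subscriber)
  Subscription.new(id, topic_slug, subscriber, generate_unsubscribe_token, true)
end

# The link placed in the notification e-mail; path layout follows the issue report.
def unsubscribe_url(base, forum_slug, sub)
  query = URI.encode_www_form(token: sub.unsubscribe_token)
  "#{base}/forums/#{forum_slug}/topics/#{sub.topic_slug}/unsubscribe?#{query}"
end

# Length check, then XOR-accumulate over every byte, so the comparison time does not
# reveal how many leading characters matched (same idea as secure_compare in ActiveSupport).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simulated handler for GET /forums/:forum/topics/:topic/unsubscribe?token=...
# Returns :unsubscribed on success, :invalid_token for a missing, wrong or already-used token.
def handle_unsubscribe(store, topic_slug, params)
  token = params.fetch("token", "")
  return :invalid_token if token.empty?
  candidates = store.select { |s| s.topic_slug == topic_slug && s.active }
  match = candidates.find { |s| constant_time_equal?(s.unsubscribe_token, token) }
  return :invalid_token unless match
  match.active = false
  :unsubscribed
end

# Turns the query string of a generated URL back into the params hash a controller would see.
def parse_query(url)
  URI.decode_www_form(URI(url).query.to_s).to_h
end

if __FILE__ == $PROGRAM_NAME
  store = [build_subscription(1, "some-topic", "alice@example.com")]  # constructed sample data
  url = unsubscribe_url("http://example.com", "some-forum", store.first)
  puts url
  p handle_unsubscribe(store, "some-topic", { "token" => "deadbeef" })  # forged link -> :invalid_token
  p handle_unsubscribe(store, "some-topic", parse_query(url))           # real link   -> :unsubscribed
end
```

The token, not the HTTP method, is what defeats the forgery: a page that tricks the victim's browser into issuing the GET still cannot supply the 48-character value. Two caveats follow from making the route a GET: anything that follows links (mail-client prefetchers, link scanners) can trigger it, so the handler must be idempotent, and the token is a bearer credential, so it should not end up in access logs or referrer headers more than necessary.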

radar commented 9 years ago

Patches welcome to fix this :) I do not have time myself.

radar commented 9 years ago

Turns out I do have time to fix this.

Please review #669 and let me know if it's suitable for you.