Open pdcoutinho opened 9 years ago
Hi @pdcoutinho. Thanks for submitting this issue. Could you please submit a patch to fix it? That would be great. Changing the route to be a GET route should fix it.
@radar This was to protect from a CSRF attack. See #522. Perhaps the authenticity_token can be added as a parameter in the URL.
Rather than an authenticity token, could we instead have a unique hash on the topic + subscription that is generated + then is passed through in this request? The route will change to a GET request, and the token will make it so that nobody would be able to CSRF-attack a way for people to unsubscribe.
I'm thinking something such as SecureRandom.hex(24) should be fine for this.
Patches welcome to fix this :) I do not have time myself.
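The per-subscription token idea proposed above, sketched as an added example; it is not part of the thread and not forem's code or the patch in #669. `SubscriptionStore`, `unsubscribe_url` and the `token` query parameter are hypothetical names, and an in-memory array stands in for the subscriptions table.

```ruby
require "securerandom"
require "uri"

# Hypothetical stand-in for a subscriptions row (not forem's model).
Subscription = Struct.new(:topic_slug, :user_id, :token)

class SubscriptionStore
  def initialize
    @subs = []
  end

  # One unguessable token per (topic, subscriber): 24 random bytes, 48 hex chars.
  def subscribe(topic_slug, user_id)
    sub = Subscription.new(topic_slug, user_id, SecureRandom.hex(24))
    @subs << sub
    sub
  end

  def subscribed?(topic_slug, user_id)
    @subs.any? { |s| s.topic_slug == topic_slug && s.user_id == user_id }
  end

  # Handler logic for GET .../topics/:topic_slug/unsubscribe?token=...
  # The token alone authorizes the change, so a cross-site GET forged
  # without it changes nothing, and the token only works for its own topic.
  def unsubscribe(topic_slug, token)
    return false unless token.is_a?(String) && token.match?(/\A\h{48}\z/)
    match = @subs.find do |s|
      s.topic_slug == topic_slug && secure_compare(s.token, token)
    end
    return false unless match
    @subs.delete(match)
    true
  end

  private

  # Constant-time comparison for equal-length strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Builds the link placed in the notification email (URL shape from the issue).
def unsubscribe_url(base, forum_slug, sub)
  "#{base}/forums/#{forum_slug}/topics/#{sub.topic_slug}/unsubscribe?" +
    URI.encode_www_form(token: sub.token)
end
```

Because the token travels in the URL, it will appear in server and proxy logs, so it should grant nothing beyond removing that one subscription.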
Turns out I do have time to fix this.
Please review #669 and let me know if it's suitable for you.
Users are sent an email if their subscribed topics are replied to.
In said email, there is a link to unsubscribe. That link issues a GET request, but routes show a POST, and the website breaks.
http://example.com/forums/some-forum/topics/some-topic/unsubscribe
forem (1.0.0.beta1) Rails 4.2.0
no route matches get unsubscribe bla bla bla bla ^^