
As designed Email Confirmation Link valid for other logged in user

Marcus

Well-known member
#1
#1 I log in as usernameAdminA in browser1
#2 I create a new usernameB in browser2
#3 The confirmation email link in my email redirects me to standard browser1 and presents me with "The email is confirmed" while logged in as usernameA


I like this behavior. But as other methods like unsubscribing from threads are not working like this, there might be a reason for that (security?).
 

Mike

XenForo developer
Staff member
#2
I think this is a reasonable behavior and eases a potentially subtle failure cause if it were blocked.

I don't think there was a particular reason for blocking unsubscribes based on the logged in user except for the potential for confusion as to who exactly was unsubscribed, but I think that is a very rare case and it's probably not worth accounting for it (as it does create a possible pain point).
 

Marcus

Well-known member
#3
I always add an opt-out link to my mailings, created with the user-hash function, but it is only working when the same user is logged in. If users have multiple accounts and get multiple opt-out links, the link for the other accounts is not working for the logged in user. The links are always working for guest users.

I would very much prefer XenForo not checking the user hash against the logged in user.
 

Mike

XenForo developer
Staff member
#4
I've changed this for email unsubscribes now to be more consistent/flexible.

As this bug relates to the behavior on confirmation which we're keeping, I'm going to call this as designed.