As designed Email Confirmation Link valid for other logged in user

[Marcus]

#1 I login as usernameAdminA in browser1
#2 I create a new usernameB in browser2
#3 The confirmation email link in my email redirects me to standard browser1 and presenting me "The email is confirmed" while logged in as usernameA


I like this behavior. But as other methods like unsubscribing from threads are not working like this, there might be a reason for that (security?).

 

[Mike]

I think this is a reasonable behavior and eases a potentially subtle failure cause if it were blocked.

I don't think there was a particular reason for blocking unsubscribes based on the logged in user except for the potential for confusion as to who exactly was unsubscribed, but I think that is a very rare case and it's probably not worth accounting for it (as it does create a possible pain point).

 

[Marcus]

I always add an opt-out link to my mailings, created with the user-hash function, but it is only working when the same user is logged in. If users have multiple accounts, get multiple opt-out links, the link for the other accounts is not working for the logged in user. The links are always working for guest users.

I would very much prefer having xenforo not checked the user hash against the logged in user.

 

[Mike]

I've changed this for email unsubscribes now to be more consistent/flexible.

As this bug relates to the behavior on confirmation which we're keeping, I'm going to call this as designed.