As designed Email Confirmation Link valid for other logged in user

Marcus

Well-known member
#1
#1 I login as usernameAdminA in browser1
#2 I create a new usernameB in browser2
#3 The confirmation email link in my email redirects me to standard browser1 and presenting me "The email is confirmed" while logged in as usernameA


I like this behavior. But as other methods like unsubscribing from threads are not working like this, there might be a reason for that (security?).
 

Mike

XenForo developer
Staff member
#2
I think this is a reasonable behavior and eases a potentially subtle failure cause if it were blocked.

I don't think there was a particular reason for blocking unsubscribes based on the logged in user except for the potential for confusion as to who exactly was unsubscribed, but I think that is a very rare case and it's probably not worth accounting for it (as it does create a possible pain point).
 

Marcus

Well-known member
#3
I always add an opt-out link to my mailings, created with the user-hash function, but it is only working when the same user is logged in. If users have multiple accounts, get multiple opt-out links, the link for the other accounts is not working for the logged in user. The links are always working for guest users.

I would very much prefer having xenforo not checked the user hash against the logged in user.
 
Last edited:

Mike

XenForo developer
Staff member
#4
I've changed this for email unsubscribes now to be more consistent/flexible.

As this bug relates to the behavior on confirmation which we're keeping, I'm going to call this as designed.
 
Top