As Designed Email Confirmation Link valid for other logged in user

Discussion in 'Resolved Bug Reports' started by Marcus, May 22, 2014.

  1. Marcus

    Marcus Well-Known Member

    #1 I log in as usernameAdminA in browser1
    #2 I create a new usernameB in browser2
    #3 The confirmation link in my email redirects me to standard browser1 and presents me with "The email is confirmed" while logged in as usernameA

    I like this behavior. But as other methods like unsubscribing from threads are not working like this, there might be a reason for that (security?).
  2. Mike

    Mike XenForo Developer Staff Member

    I think this is a reasonable behavior and eases a potentially subtle failure cause if it were blocked.

    I don't think there was a particular reason for blocking unsubscribes based on the logged in user except for the potential for confusion as to who exactly was unsubscribed, but I think that is a very rare case and it's probably not worth accounting for it (as it does create a possible pain point).
  3. Marcus

    Marcus Well-Known Member

    I always add an opt-out link to my mailings, created with the user-hash function, but it only works when the same user is logged in. If users have multiple accounts and get multiple opt-out links, the links for the other accounts do not work for the logged-in user. The links always work for guest users.

    I would very much prefer XenForo not checking the user hash against the logged-in user.
    Last edited: May 22, 2014
  4. Mike

    Mike XenForo Developer Staff Member

    I've changed this for email unsubscribes now to be more consistent/flexible.

    As this bug relates to the behavior on confirmation which we're keeping, I'm going to call this as designed.
    Marcus likes this.