Bug #10144

closed

Subscription set to "no email"

Added by Matt Gold over 5 years ago. Updated over 5 years ago.

Status: Resolved
Priority name: Normal
Assignee:
Category name: Group Forums
Target version:
Start date: 2018-08-13
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

Hi Boone,

On the CAC team group, my subscription seems to have been set to "No Email," which is a change I did not make. Any idea how this might have happened?


Related issues

Related to NYCDH Community Site - Bug #9076: Email group subscription reset erroneously (Resolved, Raymond Hoh, 2018-01-11)

Related to CUNY Academic Commons - Bug #11086: Users clicking "unsubscribe" on a forwarded CAC group email can unsubscribe a another user from a group (Resolved, Raymond Hoh, 2019-02-12)

Actions #1

Updated by Boone Gorges over 5 years ago

Looking at your subscription levels in the database, you are subscribed to 'All Email' in all but a handful of your groups. The CAC group, along with "The GC Running Group", are the only ones where you have a 'No Email' setting.

I'm unsure how it could have been changed. Can you look back to see when you last received an email notification from the group?

Actions #2

Updated by Matt Gold over 5 years ago

The last one I see is from Mon, Jul 30, 2018 at 10:48 PM.

Actions #3

Updated by Boone Gorges over 5 years ago

Thanks. According to the activity logs, the next activity item posted to the group after 2018-07-30 22:48 was at 2018-08-02 13:32:52. This would've been the first item from this group whose notification you missed. I've scoured the Apache access logs between those two times for the two different kinds of requests that might suggest a subscription change:
1. a POST to admin-ajax.php that has cac-community-team-project-planning as part of the referer string, and
2. a POST to your settings page.

I didn't find anything. So I'm fairly sure this was not a manual settings change.

This means it must be some sort of bug, but without more information, I'm unsure that I have enough information to figure out where the bug might be. Ray, do you have any ideas?

I've collected all the data I think I can get from the current state of the database etc, so Matt, I think you can go ahead and change your subscription level back to All Email if you'd like.

Actions #4

Updated by Matt Gold over 5 years ago

Okay -- thank you, Boone!

Actions #5

Updated by Boone Gorges over 5 years ago

  • Target version set to Not tracked
Actions #7

Updated by Boone Gorges over 5 years ago

Recurred in #10359.

Matt, can you please look through your email to see when you last received an email from this group?

I have a suspicion that one of two things is happening:
1. The lack of nonce protection and proper permission checks in several of BPGES's subscription handlers is leaving open the possibility of accidental self-CSRF. See eg ass_user_unsubscribe_form(), ass_group_ajax_callback()
2. The fact that Matt's user ID is 1 is causing some sort of weirdness when a non-integer value is passed to ass_group_subscription(), where it gets cast to 1.

I'll dig through the code, but in the meantime it'd be helpful to have info about the last confirmed received email from Matt.

Actions #8

Updated by Boone Gorges over 5 years ago

(In the meantime, Matt, go ahead and resubscribe.)

Actions #9

Updated by Matt Gold over 5 years ago

Hi Boone,

I see two recent emails -- one from today (?!!) and one from Steve. Screenshots attached, and please let me know whether you want the email source.

Actions #10

Updated by Raymond Hoh over 5 years ago

  • Related to Bug #9076: Email group subscription reset erroneously added
Actions #11

Updated by Raymond Hoh over 5 years ago

I linked #9076 to this ticket because Matt also described these problems on NYCDH, and forwarded me a NYCDH report last night.

I had previously set up some logs in Group Email Subscription to figure out what might be happening.

Here's the code that I am using to log what is happening, FWIW:

/**
 * Log GES changes.
 */
add_filter( 'update_group_metadata', function( $retval, $object_id, $meta_key, $meta_value ) {
    if ( 'ass_subscribed_users' !== $meta_key ) {
        return $retval;
    }

    ray_log( 'group sub group ID: ' . $object_id );
    ray_log( 'group sub update: ' . print_r( $meta_value, true ) );
    ray_log( 'group sub backtrace: ' . wp_debug_backtrace_summary() );
    return $retval;

}, 10, 4 );
add_action( 'ass_group_subscription', function( $user_id, $group_id, $action ) {
    ray_log( "group sub change: user ID - {$user_id}, group ID - {$group_id}, action - {$action}" );
}, 10, 3 );

(Code above will need amending for GES 3.9.x. These logs were set up with 3.8.x in mind.)

What I discovered just now is the "Unsubscribe from this group" link, added by the Group Email Subscription plugin and located in the email footer, could be the cause of the problem.

What might be happening is some email clients could be auto-scanning email links and are following these links to confirm the safety of the link. If that happens, then a user can have their email notifications turned off for the group without prior warning.

Boone, we might have to do the same thing we did to BuddyPress activation emails, which is that the user needs to click on a button to confirm unsubscription from the group, instead of just auto-unsubscribing them as we do now.
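
Added example, not code from the ticket or from BPGES: a Python version of the access-log triage described in comment #3, widened to also flag GET requests that hit an unsubscribe link, the path identified in the comment above. The time window and group slug come from the ticket; the settings-page path fragment, the `unsubscribe` query marker and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime

# Apache combined format: host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

GROUP_SLUG = "cac-community-team-project-planning"   # from the ticket
WINDOW_START = datetime(2018, 7, 30, 22, 48)         # last notification received
WINDOW_END = datetime(2018, 8, 2, 13, 32, 52)        # first notification missed
# Assumptions, not taken from the ticket:
SETTINGS_FRAGMENT = "/settings/notifications"        # hypothetical settings-page path
UNSUB_MARKER = "unsubscribe"                         # hypothetical query-string marker

def classify(method, path, referer):
    """Label a request that could change a group subscription, else return None."""
    if method == "POST" and "admin-ajax.php" in path and GROUP_SLUG in referer:
        return "ajax-subscription-post"
    if method == "POST" and SETTINGS_FRAGMENT in path:
        return "settings-post"
    # A state change reachable by GET: link scanners follow links but never POST,
    # so a POST-only search cannot see this request.
    if method == "GET" and UNSUB_MARKER in path.partition("?")[2]:
        return "unsubscribe-link-get"
    return None

def triage(lines, start, end):
    """Return (timestamp, label, host, agent) for candidate requests in [start, end]."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # The UTC offset is dropped: the window is taken to be in server-local time.
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        label = classify(m["method"], m["path"], m["referer"])
        if label and start <= ts <= end:
            hits.append((ts, label, m["host"], m["agent"]))
    return hits

# Constructed sample log lines (documentation addresses, made-up user agent).
SAMPLE = [
    '203.0.113.7 - - [31/Jul/2018:09:02:11 -0400] "GET /groups/cac-community-team-project-planning/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Aug/2018:03:14:52 -0400] "GET /groups/cac-community-team-project-planning/?action=unsubscribe&key=SAMPLE HTTP/1.1" 200 4096 "-" "ExampleLinkScanner/1.0"',
    '203.0.113.7 - - [03/Aug/2018:10:00:00 -0400] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "https://commons.example/groups/cac-community-team-project-planning/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE, WINDOW_START, WINDOW_END):
        print(*hit, sep=" | ")
```

A hit labelled `unsubscribe-link-get` with a non-browser user agent and no referer is the pattern to compare against the time the subscription changed.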

Actions #12

Updated by Boone Gorges over 5 years ago

  • Target version changed from Not tracked to 1.13.10

Thanks, Ray! That's almost certainly what's happening.

Is there a quick way we can remove the Unsubscribe link from Commons emails until we get this sorted out in BPGES?

Actions #13

Updated by Matt Gold over 5 years ago

This sounds like a likely possibility to me, too -- great thinking, Ray, and thanks!

Actions #14

Updated by Boone Gorges over 5 years ago

  • Assignee changed from Boone Gorges to Raymond Hoh

Sounds like Ray is working on this. Thank you :-D

Actions #15

Updated by Raymond Hoh over 5 years ago

  • Status changed from Assigned to Staged for Production Release

I've added a fix for this here - https://github.com/cuny-academic-commons/cac/commit/3f8c96214f82c6f7947a8989ea3ca5425092297a.

When someone clicks on the "Unsubscribe" link from the email footer, a form submission is now required before the actual email unsubscription takes place. This should hopefully take care of the problem.

I'll add a pull request for inclusion to the main Group Email Subscription plugin in a bit.

Actions #16

Updated by Boone Gorges over 5 years ago

  • Status changed from Staged for Production Release to Resolved

Thanks, Ray! This looks good for the Commons. I think we should go further on the fix in the public plugin. I'll continue the conversation on GitHub. https://github.com/boonebgorges/buddypress-group-email-subscription/pull/154

Actions #17

Updated by Raymond Hoh about 5 years ago

  • Related to Bug #11086: Users clicking "unsubscribe" on a forwarded CAC group email can unsubscribe a another user from a group added