Project

General

Profile

Bug #10144

Subscription set to "no email"

Added by Matt Gold almost 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority name:
Normal
Assignee:
Category name:
Group Forums
Target version:
Start date:
2018-08-13
Due date:
% Done:

0%

Estimated time:

Description

Hi Boone,

On the CAC team group, my subscription seems to have been set to "No Email," which is a change I did not make. Any idea how this might have happened?


Related issues

Related to NYCDH Community Site - Bug #9076: Email group subscription reset erroneouslyResolved2018-01-11

Related to CUNY Academic Commons - Bug #11086: Users clicking "unsubscribe" on a forwarded CAC group email can unsubscribe a another user from a groupResolved2019-02-12

History

#1 Updated by Boone Gorges almost 4 years ago

Looking at your subscription levels in the database, you are subscribed to 'All Email' in all but a handful of your groups. The CAC group, along with "The GC Running Group", are the only ones where you have a 'No Email' setting.

I'm unsure how it could have been changed. Can you look back to see when you last received an email notification from the group?

#2 Updated by Matt Gold almost 4 years ago

the last one I see is from Mon, Jul 30, 2018 at 10:48 PM

#3 Updated by Boone Gorges almost 4 years ago

Thanks. According to the activity logs, the next activity item posted to the group after 2018-07-30 22:48 was at 2018-08-02 13:32:52. This would've been the first item from this group whose notification you missed. I've scoured the Apache access logs between those two times for the two different kinds of requests that might suggest a subscription change: 1. a POST to admin-ajax.php that has cac-community-team-project-planning as part of the referer string, and 2. a POST to your settings page. I didn't find anything. So I'm fairly sure this was not a manual settings change.

This means it must be some sort of bug, but without more information, I'm unsure that I have enough information to figure out where the bug might be. Ray, do you have any ideas?

I've collected all the data I think I can get from the current state of the database etc, so Matt, I think you can go ahead and change your subscription level back to All Email if you'd like.

#4 Updated by Matt Gold almost 4 years ago

Okay -- thank you, Boone!

#5 Updated by Boone Gorges almost 4 years ago

  • Target version set to Not tracked

#7 Updated by Boone Gorges over 3 years ago

Recurred in #10359.

Matt, can you please look through your email to see when you last received an email from this group?

I have a suspicion that one of two things is happening:
1. The lack of nonce protection and proper permission checks in several of BPGES's subscription handlers is leaving open the possibility of accidental self-CSRF. See eg ass_user_unsubscribe_form(), ass_group_ajax_callback()
2. The fact that Matt's user ID is 1 is causing some sort of weirdness when a non-integer value is passed to ass_group_subscription(), where it gets cast to 1.

I'll dig through the code, but in the meantime it'd be helpful to have info about the last confirmed received email from Matt.

#8 Updated by Boone Gorges over 3 years ago

(In the meantime, Matt, go ahead and resubscribe.)

#9 Updated by Matt Gold over 3 years ago

Hi Boone,

I see two recent emails -- one from today (?!!) and one from Steve. Screenshots attached and please let me know whether you want the email source

#10 Updated by Raymond Hoh over 3 years ago

  • Related to Bug #9076: Email group subscription reset erroneously added

#11 Updated by Raymond Hoh over 3 years ago

I linked #9076 to this ticket because Matt also described these problems on NYCDH, and forwarded me a NYCDH report last night.

I had previously set up some logs in Group Email Subscription to figure out what might be happening.

Here's the code that I am using to log what is happening, FWIW:

/**
 * Log GES changes.
 */
add_filter( 'update_group_metadata', function( $retval, $object_id, $meta_key, $meta_value ) {
    if ( 'ass_subscribed_users' !== $meta_key ) {
        return $retval;
    }

    ray_log( 'group sub group ID: ' . $object_id );
    ray_log( 'group sub update: ' . print_r( $meta_value, true ) );
    ray_log( 'group sub backtrace: ' . wp_debug_backtrace_summary() );
    return $retval;

}, 10, 4 );
add_action( 'ass_group_subscription', function( $user_id, $group_id, $action ) {
    ray_log( "group sub change: user ID - {$user_id}, group ID - {$group_id}, action - {$action}" );
}, 10, 3 );

(Code above will need amending for GES 3.9.x. These logs were set up for 3.8.x in mind.)

What I discovered just now is the "Unsubscribe from this group" link, added by the Group Email Subscription plugin and located in the email footer, could be the cause of the problem.

What might be happening is some email clients could be auto-scanning email links and are following these links to confirm the safety of the link. If that happens, then a user can have their email notifications turned off for the group without prior warning.

Boone, we might have to do the same thing we did to BuddyPress activation emails, which is that the user needs to click on a button to confirm unsubscription from the group, instead of just auto-unsubscribing them as we do now.

#12 Updated by Boone Gorges over 3 years ago

  • Target version changed from Not tracked to 1.13.10

Thanks, Ray! That's almost certainly what's happening.

Is there a quick way we can remove the Unsubscribe link from Commons emails until we get this sorted out in BPGES?

#13 Updated by Matt Gold over 3 years ago

this sounds like a likely possibility to me, too -- great thinking, Ray, and thanks!

#14 Updated by Boone Gorges over 3 years ago

  • Assignee changed from Boone Gorges to Raymond Hoh

Sounds like Ray is working on this. Thank you :-D

#15 Updated by Raymond Hoh over 3 years ago

  • Status changed from Assigned to Staged for Production Release

I've added a fix for this here - https://github.com/cuny-academic-commons/cac/commit/3f8c96214f82c6f7947a8989ea3ca5425092297a.

When someone clicks on the "Unsubscribe" link from the email footer, a form submission is now required before the actual email unsubscription takes place. This should hopefully take care of the problem.

I'll add a pull request for inclusion to the main Group Email Subscription plugin in a bit.

#16 Updated by Boone Gorges over 3 years ago

  • Status changed from Staged for Production Release to Resolved

Thanks, Ray! This looks good for the Commons. I think we should go further on the fix in the public plugin. I'll continue the conversation on GitHub. https://github.com/boonebgorges/buddypress-group-email-subscription/pull/154

#17 Updated by Raymond Hoh over 3 years ago

  • Related to Bug #11086: Users clicking "unsubscribe" on a forwarded CAC group email can unsubscribe a another user from a group added

Also available in: Atom PDF