Users clicking "unsubscribe" on a forwarded CAC group email can unsubscribe another user from a group
Periodically over the years, we've seen strange events where I (and a few others) have found themselves mysteriously having their email notifications for a particular group set to "No Email."
I am wondering whether I just figured out part of the problem.
I forward a fair amount of email in my various capacities -- forwarding an email from one Commons group to MA/MS students, for instance, or forwarding an email from our NYCDH group to students.
I sometimes remember to delete some of the footer information (unsubscribe links, etc) from the emails before I forward them, but sometimes I don't.
I just tried an experiment with an email that I erroneously forwarded before deleting the unsubscribe link. I opened the link from my web-based email client (gmail) in a private window. I was brought to an option, even as a non-logged-in user, to unsubscribe from the group in question. I clicked "unsubscribe" and indeed, I was informed that I was now unsubscribed. The problem was that I was not logged into the account that was being unsubscribed from the group.
Please see if you can replicate this. If you can, I think we should put some checks in place to ensure that only people logged in to an account can unsubscribe that account from a particular group.
#1 Updated by Boone Gorges almost 3 years ago
Thanks for the report. You're probably right that this is what's happened in the past.
The "unsubscribe" link in BPGES emails has behaved in this way for a long time - since it was introduced in 2012, according to the git logs. In that time, I don't recall hearing about this issue, on the Commons or elsewhere.
The problem with requiring logins to unsubscribe is that it partly defeats the purpose of having an easy way to stop what might be annoying emails. A user who used to be an active Commons user, and suddenly starts getting notifications about a long-dormant group, arguably should not have to log in to stop the emails; they may have lost their password, they may not have access to the email account, etc. See eg https://arstechnica.com/tech-policy/2012/09/log-in-to-unsubscribe-from-this-e-mail-annoying-possibly-illegal/, or section 5 of https://www.kentico.com/blog/9-things-you-need-to-know-about-anti-spam-law-and-opt-outs. In BuddyPress itself, for comparison, the unsubscribe links in emails (which are different from the ones you're discussing here, but are similar in spirit) are intentionally usable when logged out. https://buddypress.trac.wordpress.org/ticket/7390#comment:19 The argument here would be that email content is understood as private, and users who forward email are responsible for removing non-private content as needed.
I'm copying Ray because he may have thought about this somewhat in his work on the Unsubscribe tools here and in BP.
#2 Updated by Matt Gold almost 3 years ago
Thanks for your cogent thoughts on this, Boone. I wonder whether we could add some kind of very slight confirmation step that could mention the username of the user in question, e.g.:
Yes, please unsubscribe user mkgold from email notifications from this group
Doing so wouldn't prevent malicious behavior, but it might (?) prevent a situation in which someone thought they were unsubscribing themselves, not another person.
I kind of think this is relatively low priority, but today I received another email, sent to a department listserv, that had been forwarded from the Commons, so I think it is going to be increasingly common as the CAC is used by programs.
#5 Updated by Raymond Hoh almost 3 years ago
We changed the Unsubscribe feature from auto-unsubscribing when clicking on the Unsubscribe link to require a manual form submission in #10144.
This is what the Unsubscribe feature looks like currently when you click on the Unsubscribe link:
So Matt's request to add the username to the form submission prompt should be relatively quite simple.
Do we want to change the text from:
Do you really want to unsubscribe from all notifications for the group, GROUPNAME?
to:
USERNAME, do you really want to unsubscribe from all notifications for the group, GROUPNAME?
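The flow discussed across this thread (a link that still works when logged out, as Boone argues, but that no longer acts on a bare click and instead shows a confirmation naming the account, as Matt asked for) can be sketched end to end. The following is an added example written for this ticket, not CAC or BPGES code, and it uses Python rather than the plugin's PHP; the secret, the subscription table, the token layout and the `handle_unsubscribe` handler are all hypothetical. The link carries a signed token bound to the recipient and group, so a forwarded copy can only ever affect the original recipient, and a GET only renders the prompt, while the actual change happens on the POST from that form.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed, hypothetical secret; a real site would load it from configuration.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


@dataclass
class SubscriptionStore:
    """Stand-in for the group email settings table (constructed sample rows)."""
    # {(user_login, group_slug): setting}; "all" means every notification.
    settings: dict = field(default_factory=lambda: {
        ("mkgold", "digital-humanities"): "all",
        ("boone", "digital-humanities"): "all",
    })

    def get(self, user, group):
        return self.settings.get((user, group))

    def set_no_email(self, user, group):
        self.settings[(user, group)] = "no"


def make_unsubscribe_token(user, group, issued_at=None):
    """Build the signed token embedded in the email footer link.

    The HMAC covers user, group and issue time, so the token identifies exactly
    one subscription and cannot be edited to point at someone else.
    """
    issued_at = int(issued_at if issued_at is not None else time.time())
    message = f"{user}|{group}|{issued_at}".encode()
    sig = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    return f"{user}|{group}|{issued_at}|{sig}"


def parse_token(token, max_age=30 * 24 * 3600, now=None):
    """Return (user, group) if the token is authentic and unexpired, else None."""
    try:
        user, group, issued_str, sig = token.split("|")
        issued_at = int(issued_str)
    except ValueError:
        return None
    message = f"{user}|{group}|{issued_at}".encode()
    expected = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(sig, expected):
        return None
    now = now if now is not None else time.time()
    if now - issued_at > max_age:
        return None
    return user, group


def handle_unsubscribe(method, token, store, now=None):
    """Two-step unsubscribe: GET shows a prompt naming the account, POST acts.

    No login is required, which keeps the link usable for people who have lost
    their password; the signed token is what ties the action to one account.
    """
    parsed = parse_token(token, now=now)
    if parsed is None:
        return {"status": 400, "body": "Invalid or expired unsubscribe link."}
    user, group = parsed
    if store.get(user, group) is None:
        return {"status": 404, "body": "No subscription found."}
    if method != "POST":
        # Render the confirmation form; the token is echoed back as a form field.
        prompt = (f"{user}, do you really want to unsubscribe from all "
                  f"notifications for the group, {group}?")
        return {"status": 200, "body": prompt, "form_token": token}
    store.set_no_email(user, group)
    return {"status": 200, "body": f"{user} is now unsubscribed from {group}."}


if __name__ == "__main__":
    store = SubscriptionStore()
    link_token = make_unsubscribe_token("mkgold", "digital-humanities")
    print(handle_unsubscribe("GET", link_token, store)["body"])
    print(handle_unsubscribe("POST", link_token, store)["body"])
    print(store.get("mkgold", "digital-humanities"))
```

The prompt text mirrors the wording proposed above so that someone who opens a forwarded link sees whose subscription is about to change before anything happens; a tampered or stale token is refused outright rather than falling back to whoever happens to be logged in.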
#8 Updated by Raymond Hoh almost 3 years ago
- Status changed from Assigned to Resolved
I've added the username to the form when unsubscribing from a group's email notifications in https://github.com/cuny-academic-commons/cac/commit/15837e6e29866d7457b47ab459f20fbd6d61ca71
Going to mark this as resolved as this shouldn't require any user testing.