As part of the MOSS grant outlined here, I’ve been asked to write up a spec for unsubscribing from a topic via email.
Current behaviour: Unsubscribe via email is allowed, but requires a logged in user
Proposed behaviour:
Unsubscribing while logged in as any user will remain the same.
When logged out,
Clicking this:
Will take the user to a screen like this:
This would mean if the email was forwarded, anyone could unsubscribe anyone from a topic. How will identity be verified?
The only way this could work is if the functionality expired after N hours.
It gets very tricky though cause there is a very big difference between watching a topic and a category.
… or if you’re not logged in and change your notification settings by clicking a link in an email, you get a follow-up email letting you know what happened. It would contain a link to click on to cancel it in the event that it was done by someone else or in error.
I like @tobiaseigen 's suggestion there… I’m running into a similar snafu around subscribing to a topic while logged out (the google groups style ‘email me updates’ feature); which could perhaps be solved in a similar way, ie
Of course they could always forward that confirmation email as well, but seems like a more secure path than allowing someone to change email settings directly from a thread email.
So far I can think of 2 (viable) types of safeguards against this:
@tobiaseigen’s solution of sending a follow-up email. In addition to what he already described, the follow-up email should only be send if the unsubscription happened when a user was not logged in. I hope there’s a way to differentiate between the two.
I think we’re talking about an edge case scenario here, so I strongly prefer the above solution. I’ll provide an optional one for good measure though.
If you’re not logged in when trying to unsubscribe, you will land on a Discourse page that says something like:
"You're not logged in. If you want to unsubscribe from {topic} / {category}, either [log in]() to change your notifications or <a href="mailto:unsubscribe@{forumdomain}?Subject=Unsubscribe me from {topic} / {category}" target="_top">click here to unsubscribe by e-mail</a>
Many mailing lists let users unsubscribe this way, although usually it’s as simple as unsubscribing from the entire mailing list and that’s that, as opposed to the more granular topics & categories.
Thought I’d give this a gentle push; any additional thoughts on which direction this should go?
Jeff summarised his concerns on chat:
we have to send a followup email to confirm the action
which also kinda means, someone who gets your email and decides to “unsubscribe” over and over, could spam the crap out of you
it’s an attack vector at that point… get the unsubscribe link, and follow it over and over (or maybe some automated “let me check these links” service retrieves them on your behalf)
for safety they’d have to visit the page and physically click on a button for the email to send
we’d need precautions for manual griefing though
e.g. a user that loads the page and clicks the button a ton… so some kind of timeout where you can only do it once per hour at least
Provided we can address these concerns, the feature is good.
I feel like supporting “unsubscribe” via email is the first thing to build, this is something all mailing lists do … this is how I would build it:
Support the magic, “unsubscribe” in title sent to a bare “reply by email address”. (ideally rate limited) Our email here is: reply+%{reply_key}@discourse.org … so emailing reply@discourse.org with the text “unsubscribe” will initiate unsubscribe sequence. We need to send a confirmation (at least optionally and default on) to protect against trivial email spoofing.
Also trigger the unsubscribe sequence if anyone replies to any email with the text “unsubscribe”
Have 1) and 2) default on, but can be disabled via a site setting
Via a site setting allow “mailing list peoples” to add a a href to a mailto link for unsubscribe via email to all emails. Eg: <a href="mailto:reply@discourse.org?subject=unsubscribe>unsubscribe from these emails</a>
This way none of this interferes or complicates existing stuff, it simply enriches the experience.
This is the same flow as unsubscribe via web would have anyway so the key here is building the “unsubscribe sequence” email.
The unsubscribe via web then simply becomes something akin to “forgot password” sequence where you enter an email and it triggers the unsubscribe sequence.
I would only deal with a global unsubscribe from absolutely everything case here. Not with granular changes.
I put a PR in for this here; needs a little back and forth still likely, but most of the way there:
I think this is the correct topic for this. I just noticed there is an unsubscribe by email option on the footer.
That second one defaults to a link like this for my site:
reply@community.namati.org
I don’t have that email address configured on my mail system. In fact I don’t have email on community.namati.org at all. Is there an admin setting (which I looked for and did not find) for setting up a working email address?
I honestly wonder if we really need unsubscribe via email like this on every footer in light of my changes, it is just extra clutter. Will remove
