Unauthorized unsubscribing of anyone #966
Comments
Well, phpList does send a final "goodbye email" for that purpose, to notify the user that they were unsubscribed. But yes, it can be used to prank people;
Isn't there a way to add a confirmation email for unsubbing just like we have for subbing? Notification email is fine, and sure you can resub, but nothing stops the attacker from unsubbing you again and again and again.
I just want to make it as easy as possible to unsubscribe. Whether we like it or not, phpList is often used to send unsolicited emails, so unsubscribing should be a single action, provided the JUMPOFF is set. If there's a second action required, it will make people less happy. I've seen many cases where the "Goodbye email" was marked as spam, which is ironic. Also, the admin gets informed about this action as well, so for smaller systems, where admins know most of their contacts, they can keep an eye on it, and contact the subscriber saying "did you really want to do that?"
Could be an option for those who want to enforce it though, right? Why force them to either no action or create an account? You can also add the in-between option of email confirmation and let the admin choose.
Sure, happy to accept a Pull Request
You can possibly also use https://resources.phplist.com/system/config/unsubscribe_requires_password
Hello,
I am testing the latest build, 3.6.13, and I have noticed that by default you can just fill in the email of any subscriber in the unsubscribe form and unsub them, without them having to confirm or authorize this. I know there is a setting in config_extended.php to force users to provide a password, but it forces you to create an account, which I think is a bit much for a newsletter. I am also aware of the robots.txt fix for the spiders, but in this case I am talking about a malicious actor unsubbing users knowingly.
Is there a way to confirm un-subscription the same way you confirm subscription? Via email link?
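
The confirm-by-email-link option asked about in this thread, sketched as an added example (not phpList code and not written by any participant): the unsubscribe form mails an HMAC-signed, expiring token to the address entered, and the unsubscribe is applied only when a valid token comes back. The function names, the secret constant and the 24-hour lifetime are assumptions.

```php
<?php
// Added illustration, not phpList code. All names below are hypothetical.
const UNSUB_SECRET = 'replace-with-random-server-side-secret'; // assumption: stored outside the web root
const UNSUB_TTL = 86400; // assumption: confirmation link is valid for 24 hours

// URL-safe base64 without padding, so the token can sit in a query string.
function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Build the token that is mailed to the address typed into the unsubscribe form.
function makeUnsubToken(string $email, int $now): string
{
    $claims = ['e' => strtolower(trim($email)), 'x' => $now + UNSUB_TTL];
    $payload = b64url(json_encode($claims));
    $mac = b64url(hash_hmac('sha256', $payload, UNSUB_SECRET, true));
    return $payload . '.' . $mac;
}

// Return the address to unsubscribe, or null if the token is malformed, forged or expired.
function verifyUnsubToken(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, UNSUB_SECRET, true));
    if (!hash_equals($expected, $mac)) { // constant-time comparison of the MACs
        return null;
    }
    // The payload is authenticated at this point, so lenient decoding is safe.
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['e'], $data['x']) || $now > $data['x']) {
        return null;
    }
    return $data['e'];
}

// Constructed sample run with a fixed clock value.
$now = 1700000000;
$token = makeUnsubToken('Subscriber@Example.org', $now);
var_dump(verifyUnsubToken($token, $now + 60));            // link opened within the lifetime
var_dump(verifyUnsubToken($token . 'A', $now + 60));      // token altered in transit or guessed
var_dump(verifyUnsubToken($token, $now + UNSUB_TTL + 1)); // link opened after expiry
```

Because only the mailbox owner receives the token, entering someone else's address in the form sends them a confirmation mail and nothing more; an admin-selectable setting could switch between this flow and the single-action unsubscribe discussed above.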