Modify any subscription #2047

Closed
jhamilton09 opened this issue Aug 9, 2016 · 5 comments

jhamilton09 commented Aug 9, 2016

Before submitting your issue, please make sure that you've checked the checkboxes below.

  • [ X ] I am running the latest release version of Cachet.
  • [ X ] I am running at least PHP 5.5.9. You can check this by running php -v.
  • [ X ] I have run rm -rf bootstrap/cache/*.

What version of Cachet? 2.3.9
What database driver? MySQL? Postgres? SQLite? MySQL
What version of PHP? 7.0.3

Expected behaviour

Please describe what you're expecting to see happen.
Subscriptions should not be modified by anybody besides the subscriber.

Actual behaviour

Please describe what you're actually seeing happen.
Subscriptions can be modified by anybody that provides the email address. For an organization using Cachet, those email addresses may be predictable.

Steps to reproduce

If your issue requires any specific steps to reproduce, please outline them here.

  1. Visit status page.
  2. Click Subscribe button.
  3. Provide email address of somebody else already subscribed.
  4. You will receive the message 'Awesome. Cannot subscribe [email protected] because they're already subscribed.'.
  5. Check or uncheck the components to subscribe/unsubscribe from.
  6. Click the 'Update Subscription' button at the bottom.

Subscriptions will be updated accordingly.

@jbrooksuk
Member

I know it's not great, but a subscriber can click on the link included in the email to manage their subscription.

@jhamilton09
Author

jhamilton09 commented Aug 9, 2016

Right. I think the subscriber should have to follow a link from their email in order to modify the subscriptions. They should not be able to modify the subscription by "re-subscribing" with a previously registered email address on the status page.

You should just receive the 'Cannot subscribe [email protected] because they're already subscribed.' and not the component list. Perhaps kick off an email to that person that prompts them to modify their subscriptions by following a link.
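
The behaviour requested in the comment above (the public form only reports that the address is taken, and changes require a link delivered to the subscriber's mailbox), sketched as an added example that is not part of the original thread and is not Cachet's code. `Subscriptions`, `manage_token`, `SERVER_KEY` and the in-memory storage are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key (assumption); a real deployment would persist it.
SERVER_KEY = secrets.token_bytes(32)


def manage_token(email):
    """Token for the 'manage subscription' link; only the mailbox owner receives it."""
    return hmac.new(SERVER_KEY, email.encode(), hashlib.sha256).hexdigest()


class Subscriptions:
    """In-memory stand-in for a subscriber table (hypothetical, not Cachet's schema)."""

    def __init__(self):
        self.components = {}  # email -> set of subscribed component names
        self.outbox = []      # (email, token) pairs standing in for sent mail

    def subscribe(self, email, components):
        """Public form: creates a subscription, never edits an existing one."""
        email = email.strip().lower()
        if email in self.components:
            # Existing subscriber: the caller learns only that the address is taken.
            # The manage link goes to the mailbox, not to whoever filled in the form.
            self.outbox.append((email, manage_token(email)))
            return "already-subscribed"
        self.components[email] = set(components)
        self.outbox.append((email, manage_token(email)))
        return "subscribed"

    def update(self, email, token, components):
        """Manage-link handler: changes apply only with the emailed token."""
        email = email.strip().lower()
        # Compare as bytes in constant time, also for unknown addresses.
        ok = hmac.compare_digest(manage_token(email).encode(), token.encode())
        if not ok or email not in self.components:
            return False
        self.components[email] = set(components)
        return True
```

Because the public form can still trigger mail to an existing subscriber, the notification path would need rate limiting in practice.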

@jbrooksuk
Member

Oh, sorry:

> Subscriptions can be modified by anybody that provides the email address. For an organization using Cachet, those email addresses may be predictable.

Yes, I agree that this is incorrect behaviour.

jbrooksuk added this to the V2.4.0 milestone Aug 9, 2016
jbrooksuk added the Bug (Bugs with Cachet) label Aug 9, 2016
@jbrooksuk
Member

Not anymore you can't! :)

@Si-Richards

I've got a regression on this bug....

What version of Cachet? 2.3.13
What database driver? MySQL? Postgres? SQLite? MySQL
What version of PHP? 7.1.20
