phpList / phplist3

Fully functional Open Source email marketing manager for creating, sending, integrating, and analysing email campaigns and newsletters.
https://www.phplist.org
GNU Affero General Public License v3.0

Unauthorized unsubscribing of anyone #966

Open kleozzy opened 1 year ago

kleozzy commented 1 year ago

Hello,

I am testing the latest build: 3.6.13 and I have noticed that by default you can just fill in the email of any subscriber in the unsubscribe form and unsub them, without them having to confirm or authorize this. I know there is a setting in config_extended.php to force users to provide a password, but it forces you to create an account, which I think is a bit much for a newsletter. I am also aware of the robots.txt fix for the spiders, but in this case I am talking about a malicious actor unsubbing users knowingly.

Is there a way to confirm unsubscription the same way you confirm subscription? Via an email link?

michield commented 1 year ago

Well, phpList does send a final "goodbye email" for that purpose, to notify the user that they were unsubscribed. But yes, it can be used to prank people.

kleozzy commented 1 year ago

Isn't there a way to add a confirmation email for unsubbing, just like we have for subbing?

Notification email is fine, and sure you can resub, but nothing stops the attacker from unsubbing you again and again and again.

michield commented 1 year ago

I just want to make it as easy as possible to unsubscribe. Whether we like it or not, phpList is often used to send unsolicited emails, so unsubscribing should be a single action, provided the JUMPOFF is set. If there's a second action required, it will make people less happy. I've seen many cases where the "Goodbye email" was marked as spam, which is ironic.

Also, the admin gets informed about this action as well, so for smaller systems, where admins know most of their contacts, they can keep an eye on it and contact the subscriber saying "did you really want to do that?"

kleozzy commented 1 year ago

Could be an option for those who want to enforce it though, right? Why force them into either no action or creating an account? You can also add the in-between option of email confirmation and let the admin choose.

michield commented 1 year ago

Sure, happy to accept a Pull Request.

michield commented 6 months ago

You can possibly also use https://resources.phplist.com/system/config/unsubscribe_requires_password
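The "in-between" option proposed above, an unsubscribe that has to be confirmed through an emailed link the way a subscription is, sketched as an added example (this is not phpList code and not from the project). It assumes `$secret` comes from the site configuration, `$outbox` stands in for the real mailer, and the result of `confirm_unsubscribe` is what the caller would pass to the existing unsubscribe logic.

```php
<?php
// Added example, not phpList code: the "in-between" option from this thread,
// an unsubscribe confirmed through an emailed link, as subscriptions are.
// Assumptions: $secret comes from site config; $outbox stands in for the mailer.
declare(strict_types=1);

const TOKEN_TTL = 86400; // confirmation link is valid for 24 hours

// Step 1: the public form only sends a link. It never changes list state and
// answers identically for unknown addresses, so it cannot be used to
// unsubscribe or enumerate other people.
function request_unsubscribe(string $email, string $secret, array &$outbox): string
{
    $email = strtolower(trim($email));
    $payload = $email . '|' . (time() + TOKEN_TTL);
    $sig = hash_hmac('sha256', $payload, $secret);
    $token = rtrim(strtr(base64_encode($payload . '|' . $sig), '+/', '-_'), '=');
    $outbox[] = ['to' => $email, 'link' => '/unsubscribe.php?confirm=' . $token];
    return 'If that address is subscribed, a confirmation link has been sent.';
}

// Step 2: only whoever reads the mailbox can present a valid token, so only
// they can remove the address. Returns the address to unsubscribe, or null.
function confirm_unsubscribe(string $token, string $secret, ?int $now = null): ?string
{
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $raw = base64_decode($b64, true);
    $parts = $raw === false ? [] : explode('|', $raw);
    if (count($parts) !== 3) {
        return null; // malformed
    }
    [$email, $expires, $sig] = $parts;
    if (!ctype_digit($expires) || (int)$expires < ($now ?? time())) {
        return null; // expired
    }
    $expected = hash_hmac('sha256', $email . '|' . $expires, $secret);
    return hash_equals($expected, $sig) ? $email : null; // null: forged or tampered
}

// Usage with constructed data: the mailed link confirms, a tampered one does not.
$secret = 'replace-with-a-server-side-secret';
$outbox = [];
request_unsubscribe('Alice@example.com', $secret, $outbox);
parse_str((string)parse_url($outbox[0]['link'], PHP_URL_QUERY), $query);
$email = confirm_unsubscribe($query['confirm'], $secret);
$forged = confirm_unsubscribe(substr($query['confirm'], 0, -2), $secret);
```

Because the thread also mentions spiders fetching links, the page behind the confirmation link should show a button and perform the change on the resulting POST, not on the GET that loads it.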