unsubscribe link from email not working

[pdcoutinho]

Users are sent an email if their subscribed topics are replied.

In said email, there is a link to unsubscribe. That link issues a GET request, but routes show a POST, and the website breaks.

http://example.com/forums/some-forum/topics/some-topic/unsubscribe

forem (1.0.0.beta1)
Rails 4.2.0

no route matches get unsubscribe bla bla bla bla ^^

[radar]

Hi @pdcoutinho. Thanks for submitting this issue. Could you please submit a patch to fix it? That would be great. Changing the route to be a GET route should fix it.

[Nateowami]

@radar This was to protect from a CSRF attack. See #522. Perhaps the authenticity_token can be added as a parameter in the URL.

[radar]

Rather than an authenticity token, could we instead have a unique hash on the topic + subscription that is generated + then is passed through in this request? The route will change to a GET request, and the token will make it so that nobody would be able to CSRF-attack a way for people to unsubscribe.

I'm thinking something such as SecureRandom.hex(24) should be fine for this.

[radar]

Patches welcome to fix this :) I do not have time myself.

[radar]

Turns out I do have time to fix this.

Please review #669 and let me know if it's suitable for you.