Ticket #629 (open bug)

Use user's HTTPS option in notification email

  • Created: 2012-02-21 09:40:51
  • Reported by: daris
  • Assigned to: daris
  • Milestone: 2.3
  • Component: events/notifications
  • Priority: normal

I've disabled the HTTPS option in my site profile, however the mail notifications still show an https:// URL.

Can't we add a query for fetching user's https option before sending email notification?


daris 2012-02-21 09:41:01

  • Component set to events/notifications.

Franz 2012-02-21 10:08:43

It might be based on the settings of the user causing the notification.
Hmm, or just go for generic http in those mails - any new link will lead them back to HTTPS anyway if they have enabled it.

daris 2012-02-21 10:47:12

We already have a query for fetching user id of each recipient (Event::fetchSubscribers), why can't we add a left join on options table?

Franz 2012-02-21 11:17:38

We can.

daris 2012-02-21 11:27:38

  • Owner set to daris.

I've just figured out that it automatically redirects you to the https:// page when your https option is enabled and you click the http:// link.

So the best solution for this ticket is to use an http:// link in email notifications.

Franz 2012-02-21 11:30:53

Ah, I did that? Cool.
I thought I had people click on links to switch to HTTPS. Well, anyway, it's good this way, I guess. :)

daris 2012-02-21 12:28:09

The mail notifications should now include http:// links only, however let's keep this ticket open until we figure out it really works :)

daris 2012-02-23 08:19:48

The same should be applied to the forums also, but I don't know how to do this without touching fluxbb files (I'm not sure about subtree merge etc.)

Reines 2012-02-23 09:13:12

Doesn't that partially defeat the purpose of using https?

If you always link to http, then the user will make a http request first, exposing their request, cookie, etc - and then be redirected to the secure site after the harm has already been done.

I realise that in reality no-one is likely to care, but in theory it is totally wrong.

daris 2012-02-23 09:17:48

You're right, I didn't think of it that way. So the only possible solution in that case is to fetch the https option for each recipient and send the email based on that?

daris 2012-02-23 09:19:57

Or there might be another solution for this - redirect to http:// when a user goes to https:// and has their https option disabled :)

daris 2012-02-23 09:58:38

Reines wrote:

Doesn't that partially defeat the purpose of using https?

Reines, it does that now, even without my modifications. It's because the mail does not use the recipient's https option, but that of the user who triggers the notification. I'm not good at English, so maybe I can explain this with an example:

You (Reines) have https option enabled.
I (daris) have https option disabled.

You add a comment for ticket, the notification uses YOUR https option (so all links are https://) and you receive https:// links in mail notification (good) and I receive https:// too (wrong)

When I add a comment for ticket, the notification uses MY https option (all links are http://) and you receive http:// links (WRONG, you should get https, it's security issue in that case, as you wrote earlier) and I receive http:// (good)

Reines 2012-02-23 10:12:54

Yeah I agree - I was just pointing out that forcing the link to always be http:// wasn't a valid solution either.

Franz 2012-02-23 10:44:34

Just make all links HTTPS, that should be fine. It doesn't really matter whether people get redirected from https to http or not.

Reines 2012-02-23 10:59:23

Depends how easy the proper fix is - some people might choose not to use HTTPS if for some reason they don't have the normal certificates installed, in which case they would get a security alert on every page load.

If it can be fixed properly without too much hassle then it should. If not, then chances are directing to HTTPS won't cause problems in reality.

Franz 2012-02-23 11:18:08

Ah, good point.

Dariusz seems to have fixed it, so this should be fine.
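
The per-recipient approach discussed in this ticket (a left join on the options table when fetching subscribers), as an added example that is not part of the ticket or the project's code. It is written in Python with an in-memory SQLite database so it runs stand-alone; the table and column names, the host name and the rule that a missing option row defaults to HTTPS are all assumptions.

```python
import sqlite3

# Constructed schema and sample rows. Table and column names are
# assumptions for illustration, not the project's real schema.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE subscriptions (user_id INTEGER, ticket_id INTEGER);
CREATE TABLE options (user_id INTEGER, name TEXT, value TEXT);
INSERT INTO users VALUES (1, 'reines', 'reines@example.org'),
                         (2, 'daris',  'daris@example.org'),
                         (3, 'franz',  'franz@example.org');
INSERT INTO subscriptions VALUES (1, 629), (2, 629), (3, 629);
INSERT INTO options VALUES (1, 'https', '1'), (2, 'https', '0');
"""

def fetch_subscribers(db, ticket_id):
    """Return (email, use_https) for every subscriber of the ticket.

    The LEFT JOIN keeps users with no stored option; they get HTTPS
    (assumed default) so a missing row never downgrades a recipient.
    """
    rows = db.execute(
        """SELECT u.email, o.value
             FROM subscriptions s
             JOIN users u ON u.id = s.user_id
             LEFT JOIN options o
                    ON o.user_id = u.id AND o.name = 'https'
            WHERE s.ticket_id = ?
            ORDER BY u.id""", (ticket_id,))
    return [(email, value != '0') for email, value in rows]

def notification_links(db, ticket_id, host="tracker.example.org"):
    """Build one link per recipient from that recipient's own option,
    never from the option of the user who triggered the event."""
    links = {}
    for email, use_https in fetch_subscribers(db, ticket_id):
        scheme = "https" if use_https else "http"
        links[email] = f"{scheme}://{host}/ticket/{ticket_id}"
    return links

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return notification_links(db, 629)

if __name__ == "__main__":
    for email, link in demo().items():
        print(email, link)
```
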