Unsubscribe links serve a form, and require HTTP POST to actually unsubscribe

2019-12-10 09:14:54 +02:00 · 2019-12-10 09:14:54 +02:00 · 8d81d27af3
commit 8d81d27af3
parent 4ee92a44ff
7 changed files with 14 additions and 20 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file.
 ### Bug Fixes
 - Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection
 - Fix List-Unsubscribe email header value: add angle brackets
+- Unsubscribe links serve a form, and require HTTP POST to actually unsubscribe


 ## v1.11.0 - 2019-11-22
--- a/hc/accounts/tests/test_unsubscribe_reports.py
+++ b/hc/accounts/tests/test_unsubscribe_reports.py
@ -15,7 +15,7 @@ class UnsubscribeReportsTestCase(BaseTestCase):
        sig = signing.TimestampSigner(salt="reports").sign("alice")
        url = "/accounts/unsubscribe_reports/%s/" % sig

-        r = self.client.get(url)
+        r = self.client.post(url)
        self.assertContains(r, "Unsubscribed")

        self.profile.refresh_from_db()
@ -30,16 +30,9 @@ class UnsubscribeReportsTestCase(BaseTestCase):
        r = self.client.get(url)
        self.assertContains(r, "Incorrect Link")

-    def test_post_works(self):
+    def test_it_serves_confirmation_form(self):
        sig = signing.TimestampSigner(salt="reports").sign("alice")
        url = "/accounts/unsubscribe_reports/%s/" % sig

-        r = self.client.post(url)
-        self.assertContains(r, "Unsubscribed")
-
-    def test_it_serves_confirmation_form(self):
-        sig = signing.TimestampSigner(salt="reports").sign("alice")
-        url = "/accounts/unsubscribe_reports/%s/?ask=1" % sig
-
        r = self.client.get(url)
        self.assertContains(r, "Please press the button below")
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@ -442,7 +442,7 @@ def unsubscribe_reports(request, username):

    # Some email servers open links in emails to check for malicious content.
    # To work around this, we serve a form that auto-submits with JS.
-    if "ask" in request.GET and request.method != "POST":
+    if request.method != "POST":
        return render(request, "accounts/unsubscribe_submit.html")

    user = User.objects.get(username=username)
--- a/hc/api/tests/test_bounce.py
+++ b/hc/api/tests/test_bounce.py
@ -49,3 +49,8 @@ class BounceTestCase(BaseTestCase):
        url = "/api/v1/notifications/%s/bounce" % fake_code
        r = self.client.post(url, "", content_type="text/plain")
        self.assertEqual(r.status_code, 404)
+
+    def test_it_requires_post(self):
+        url = "/api/v1/notifications/%s/bounce" % self.n.code
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 405)
--- a/hc/api/views.py
+++ b/hc/api/views.py
@ -14,6 +14,7 @@ from django.shortcuts import get_object_or_404
 from django.utils import timezone
 from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.http import require_POST

 from hc.api import schemas
 from hc.api.decorators import authorize, authorize_read, cors, validate_json
@ -256,6 +257,7 @@ def badge(request, badge_key, signature, tag, fmt="svg"):


@csrf_exempt
+@require_POST
 def bounce(request, code):
    notification = get_object_or_404(Notification, code=code)

--- a/hc/front/tests/test_unsubscribe_email.py
+++ b/hc/front/tests/test_unsubscribe_email.py
@ -13,7 +13,7 @@ class UnsubscribeEmailTestCase(BaseTestCase):
        token = self.channel.make_token()
        url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)

-        r = self.client.get(url)
+        r = self.client.post(url)
        self.assertContains(r, "has been unsubscribed", status_code=200)

        q = Channel.objects.filter(code=self.channel.code)
@ -35,16 +35,9 @@ class UnsubscribeEmailTestCase(BaseTestCase):
        r = self.client.get(url)
        self.assertEqual(r.status_code, 400)

-    def test_post_works(self):
+    def test_it_serves_confirmation_form(self):
        token = self.channel.make_token()
        url = "/integrations/%s/unsub/%s/" % (self.channel.code, token)

-        r = self.client.post(url)
-        self.assertContains(r, "has been unsubscribed", status_code=200)
-
-    def test_it_serves_confirmation_form(self):
-        token = self.channel.make_token()
-        url = "/integrations/%s/unsub/%s/?ask=1" % (self.channel.code, token)
-
        r = self.client.get(url)
        self.assertContains(r, "Please press the button below")
--- a/hc/front/views.py
+++ b/hc/front/views.py
@ -712,7 +712,7 @@ def unsubscribe_email(request, code, token):

    # Some email servers open links in emails to check for malicious content.
    # To work around this, we serve a form that auto-submits with JS.
-    if "ask" in request.GET and request.method != "POST":
+    if request.method != "POST":
        return render(request, "accounts/unsubscribe_submit.html")

    channel.delete()