Newsletter Unsubscribe link doesn't work properly if the user is already logged into another account

Issue Summary

In some cases a user may end up with two accounts within a Ghost instance.

In this scenario it is possible for the user to attempt to unsubscribe from a newsletter while already logged into another account in their browser. It appears to the user that the unsubscribe is successful when it actually doesn’t achieve anything.

Here’s the full scenario:

  1. User is logged into account 1.
  2. User receives a newsletter to account 2.
  3. User clicks the unsubscribe option in the newsletter.
  4. The unsubscribe link opens in the browser and it appears as if the user has been logged into account 2, since account 2’s preferences are displayed. An “email preferences updated” message is displayed.
  5. User closes the email preferences and is actually still logged into account 1.
  6. The unsubscribe never actually happens: the user remains subscribed.

Steps to Reproduce

  1. Create a newsletter, subscribe user 2 to the newsletter and send a newsletter to the user.
  2. Establish a logged-in session for user 1 in a browser.
  3. Copy the *Unsubscribe* link from the newsletter into the same browser.

Observe:

  • User 2’s account preferences are displayed even though the established session is for User 1
  • User 2 sees a “Email preferences updated” message
  • Checking the admin section, User 2’s subscriptions have not changed
  • Closing the account settings and continuing to browse the site demonstrates the User 1’s session is still active

While this is a pretty unlikely scenario with no real security implications, there are some issues worth addressing:

  1. The user is shown the user preferences for account 2 even though they’re logged in under account 1
  2. The user is shown an “email preferences updated” message even though no preferences have changed.

Setup information

Ghost Version
5.118.1

Node.js Version
20.11.1

How did you install Ghost?
DigitalOcean Ghost Droplet (from DigitalOcean Marketplace) - https://marketplace.digitalocean.com/apps/ghost

Provide details of your host & operating system
DigitalOcean Droplet, Ubuntu 22.04.4, 8 GB Memory / 80 GB Disk

Database type
MySQL 8.0.43

Browser & OS version
Testing was completed on Mac OS X 15.2 using Chrome Version 139.0.7258.139 (Official Build) (arm64)

Relevant log / error output
N/A
