Hi
i have drupal 5, simplenews 5.x-1.5 version ,
cache enabled for 5 mins

when the user clicks on the remove link (send in the mail) he is redirect to a url that asks him to confirm the remove (/newsletter/confirm/remove/NNNN)
when the user confirm and click remove button , he is redirected to the home page and the message is displayed "email@email.com has been removed..."

i guess because this page is displayed as anonymous drupal caches this page so when another user request the frontpage he gets a cached version with the msg revealing the other user email

Comments

avior’s picture

avior commented

Hi
am i the only one that see this ?
if so , a lead to help me solve this problem will be welcomed

Avior

mmalkosh’s picture

mmalkosh commented

I have also encountered this problem recently, and consider it very serious. An anonymous user brings up our site and immediately sees, on our home page, someone's email address. This could lead to law suites. I don't understand why this message is put onto the home page.

sutharsan’s picture

sutharsan commented
Status: Active » Closed (won't fix)

This is not a simplenews issue but caused by a core bug. A solution seems to be available for 7. x.

avior’s picture

avior commented

Hi
@Sutharsan , thanks - can you give me a lead , so i will try to patch this in the current versions (5) ,
this is very critical for my client

sutharsan’s picture

sutharsan commented

I have not found the patch in that went into Drupal 7, but I found this comment on the same problem: http://drupal.org/node/7465#comment-11293
The problem seems to be caused by the combination of a message and a redirect. This opens up another possible solution:

<?php
function simplenews_confirm_add_form_submit($form_id, $form_values) {
  simplenews_subscribe_user($form_values['mail'], $form_values['newsletter']->tid, FALSE);
  //drupal_set_message(t('%user was successfully added to the %newsletter subscription list.', array('%user' => $form_values['mail'], '%newsletter' => $form_values['newsletter']->name)));
  return 'node/26';
}
?>

Comment out the drupal_set_message() and redirect to a page (node/26 in this example) containing a thank you message. Do the same with the simplenews_confirm_removal_form_submit() function.

sutharsan’s picture

sutharsan commented

#168909: Drupal messages (status/error) are cached along with nodes
#201122: Drupal should support disabling anonymous sessions
#284271: Tests for drupal_set_messages are cached for anonymous users
Perhaps these issues will help you find how this is solved in D7.

avior’s picture

avior commented

Hi
Thank you very much for the information

i dont understand why this is happening because i can see in api http://api.drupal.org/api/function/page_get_cache/6

Note: we do not serve cached pages when status messages are waiting (from a redirected form submission which was completed).

so all this was not supposes to happen at all

but what if instead of redirecting the user to the hompage ,after setting the msg , redirect the user to a special and unique url

so make a unique url
example.com/newsletter/notify-remove/UID
example.com/newsletter/notify-add/UID

this will solve the issue

Avior