Unsubscribe and Smart Groups
Overview
The issue seems to be with sending a bulk mailing to multiple groups which include a smart group. When a person who isn't in the smart group tries to unsubscribe, it takes them to the unsubscribe screen, which lists all the smart groups even though they weren't in them. They then end up in a circle of trying to unsubscribe from that smart group even though they aren't in it.
Reproduction steps
Create a mailing and use the unsubscribe token {action.unsubscribeUrl}.
Create some mailing groups and a mailing smart group.
We will call the groups:
- Smart group 1
- Normal group 1
- Normal group 2
- Normal group 3
Contact A receives an email and clicks on the unsubscribe link, which takes him to a Civi form which shows a list of groups and the email address, with a submit button. On this form Contact A can see three groups:
- Smart group 1
- Normal group 1
- Normal group 2
Current behaviour
Clicking the unsubscribe URL in a mailing currently takes you to a list of the smart groups that the mailing was sent to, including ones that the person unsubscribing wasn't in. Also, some of those groups may have labels detailing sensitive information.
See image attached, this contact isn't in the staff group so cannot remove themselves. Also they can see the description of the smart group.
Expected behaviour
Clicking unsubscribe allows me to 'opt out' of receiving that mailing, i.e. removes me from the mailing group I am in that the mailing has been sent to. It should not show smart groups I should not be in.
Environment information
- Browser: Checked on Edge/Chromium
- CiviCRM: 5.24.4/5.27.0
- PHP: 7.2/__
- CMS: Drupal 7.30
- Database: MySQL
Comments
This could display information that the admins and users of the system wouldn't expect to be shown, i.e. staff groups, smart groups based on BAME, etc.!