chg: [internal] Unsubscribe code

app/Controller/UsersController.php

@@ -118,14 +118,20 @@ class UsersController extends AppController
         return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'Something went wrong, please try again later.')), 'status'=>200, 'type' => 'json'));
     }
 
-    public function unsubscribe()
+    public function unsubscribe($code)
     {
         $user = $this->Auth->user();
+
+        if (!hash_equals($this->User->unsubscribeCode($user), rtrim($code, '.'))) {
+            $this->Flash->error(__('Invalid unsubscribe code.'));
+            $this->redirect(['action' => 'view', 'me']);
+        }
+
         if ($user['autoalert']) {
             $this->User->updateField($this->Auth->user(), 'autoalert', false);
-            $this->Flash->info('Already unsubscribed from event alert.');
+            $this->Flash->success(__('Successfully unsubscribed from event alert.'));
         } else {
-            $this->Flash->info('Successfully unsubscribed from event alert.');
+            $this->Flash->info(__('Already unsubscribed from event alert.'));
         }
         $this->redirect(['action' => 'view', 'me']);
     }

app/Model/Event.php

@@ -3159,8 +3159,10 @@ class Event extends AppModel
         $template->set('tlp', $subjMarkingString);
         $template->subject($subject);
         $template->referenceId("event-alert|{$event['Event']['id']}");
-        $template->set('unsubscribe', $this->__getAnnounceBaseurl() . '/users/unsubscribe');
-        $template->listUnsubscribe($this->__getAnnounceBaseurl() . '/users/unsubscribe');
+
+        $unsubscribeLink = $this->__getAnnounceBaseurl() . '/users/unsubscribe/' . $this->User->unsubscribeCode($user);
+        $template->set('unsubscribe', $unsubscribeLink);
+        $template->listUnsubscribe($unsubscribeLink);
         return $template;
     }
 

app/Model/User.php

@@ -1581,4 +1581,14 @@ class User extends AppModel
             'conditions' => array('EventDelegation.org_id' => $user['org_id'])
         ));
     }
+
+    /**
+     * Generate code that is used in event alert unsubscribe link.
+     * @return string
+     */
+    public function unsubscribeCode(array $user)
+    {
+        $salt = Configure::read('Security.salt');
+        return substr(hash('sha256', "{$user['id']}|$salt"), 0, 8);
+    }
 }

app/View/Emails/text/alert.ctp

@@ -10,7 +10,7 @@ if (!isset($contactAlert)) {
 if ($hideDetails) { // Used when GnuPG.bodyonlyencrypted is enabled and e-mail cannot be send in encrypted form
     $eventUrl = $baseurl . "/events/view/" . $event['Event']['id'];
     echo __("A new or modified event was just published on %s", $eventUrl) . PHP_EOL . PHP_EOL;
-    echo __("If you would like to unsubscribe from receiving such alert e-mails, simply\ndisable publish alerts via %s", $baseurl . '/users/edit');
+    echo __("If you would like to unsubscribe from receiving such alert e-mails, simply\ndisable publish alerts via %s", $unsubscribe);
     return;
 }
 
@@ -112,5 +112,5 @@ You receive this e-mail because the e-mail address <?= $user['email'] ?> is set
 to receive <?= $contactAlert ? 'contact' : 'publish' ?> alerts on the MISP instance at <?= $baseurl ?>.
 
 If you would like to unsubscribe from receiving such alert e-mails, simply
-disable <?= $contactAlert ? 'contact' : 'publish' ?> alerts via <?= $baseurl ?>/users/edit
+disable <?= $contactAlert ? 'contact' : 'publish' ?> alerts via <?= $unsubscribe ?>.
 ==============================================