FEATURE: per-topic unsubscribe option in emails

[ShashankFC]

User description

Test 2

Summary by CodeRabbit

Release Notes

• New Features
  • Users can now unsubscribe from topic notifications through a dedicated management page, allowing them to stop receiving notification alerts for specific topics.
  • Notification emails now include direct unsubscribe links, providing quick access to manage notification preferences.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

---

Replicated from ai-code-review-evaluation/discourse-coderabbit#2

---

CodeAnt-AI Description

FEATURE: per-topic unsubscribe option in emails

What Changed

• Notification emails now include a direct "unsubscribe from this topic" link and List-Unsubscribe header so recipients can stop notifications for that specific topic from the email.
• Visiting a topic's unsubscribe page lets logged-in users toggle that topic's notification state between regular and muted; the site then shows the topic page with the updated state.
• New client-side route, view and small UI for the topic unsubscribe page, plus wording that confirms the topic stopped sending notifications.
• Topic URLs now expose a /unsubscribe path, and email templates display both respond instructions and the specific topic unsubscribe link.

Impact

✅ Clearer unsubscribe links in notification emails
✅ Fewer unwanted notifications for specific topics
✅ Easier per-topic notification management from email and topic page

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[ShashankFC]

@CodeAnt-AI: review

[codeant-ai]

CodeAnt AI is running the review.

[codeant-ai]

Nitpicks 🔍

🔒 No security issues identified

⚡ Recommended areas for review Possible Bug The new unsubscribe action looks up TopicUser with find_by and then immediately reads/sets tu.notification_level. If no TopicUser row exists for the user+topic, tu will be nil and accessing tu.notification_level will raise. The action should handle missing records (create or delegate to TopicUser.change) to avoid runtime exceptions. XSS Risk The template renders stopNotificiationsText using triple-stash ({{{...}}}), which outputs unescaped HTML. The translation includes an interpolated title from model.fancyTitle — if that value can contain user-provided content, this opens a risk of XSS. Prefer escaped output or explicit, audited htmlSafe wrapping of only trusted content. Possible Null Deref The code assumes postStream.closestPostForPostNumber(...) returns a post object and immediately calls .get('post_number') and passes it into other methods. The code comment already notes errors when the closest post is null; this should be guarded to avoid runtime exceptions and allow graceful fallback. Route ambiguity New topic-level routes (unsubscribe, summary, moderator-liked) were added close to existing topic routes. Their ordering and overlapping parameter patterns (slug vs topic_id) can cause ambiguous matches or make some routes unreachable depending on incoming paths. Verify route precedence and constraints to avoid unintended matches. Template args merge The initializer merges the entire @opts into @template_args via merge!(@opts), which allows arbitrary entries from @opts to become template variables used in translations and HTML generation. Ensure only expected keys are allowed or explicitly whitelist keys to avoid unexpected template substitutions or content injection.

[codeant-ai]

Suggestion: The template uses triple-stash ({{{ }}}) when rendering stopNotificiationsText, which disables HTML escaping; because this text is built from a translation with an interpolated topic title (user-controlled content), any HTML in the title would be rendered unescaped and could lead to XSS. Use normal Handlebars interpolation here so the output is properly escaped while still showing the expected text. [security]

Severity Level: Critical 🚨

- ❌ XSS on topic unsubscribe page executes in user session.
- ⚠️ Notification email unsubscribe links expose users to script injection.
- ⚠️ Compromises security of route /t/:slug/:id/unsubscribe.

Suggested change

	{{{stopNotificiationsText}}}
	{{stopNotificiationsText}}

Steps of Reproduction ✅

1. A topic is created in the normal UI (reachable via the `new-topic` route at
`app/assets/javascripts/discourse/routes/app-route-map.js.es6:96`, path `/new-topic`) and
stored with a title that, after processing on the server, is exposed on the client as
`model.fancyTitle` (used in multiple topic-related controllers such as
`app/assets/javascripts/discourse/controllers/topic-unsubscribe.js.es6:5-7`).

2. A per-topic unsubscribe email is sent that links to the unsubscribe route `GET
/t/:slug/:id/unsubscribe`, which is wired in
`app/assets/javascripts/discourse/routes/app-route-map.js.es6:13` as
`this.route('topicUnsubscribe', { path: '/t/:slug/:id/unsubscribe' });`.

3. When the recipient clicks the unsubscribe link, the Ember route `topicUnsubscribe` is
entered and its controller
`app/assets/javascripts/discourse/controllers/topic-unsubscribe.js.es6` computes
`stopNotificiationsText` by calling `I18n.t("topic.unsubscribe.stop_notifications", {
title: this.get("model.fancyTitle") });` (line 5-7), interpolating the topic's
`fancyTitle` (user-sourced content) into the translation string.

4. The template `app/assets/javascripts/discourse/templates/topic/unsubscribe.hbs:1-8`
renders the page and outputs `stopNotificiationsText` using triple-stash
`{{{stopNotificiationsText}}}` on line 3, which disables HTML escaping; any HTML contained
in the interpolated `model.fancyTitle` or translation will be injected directly into the
DOM on the unsubscribe page, providing a realistic XSS vector tied to this route.

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** app/assets/javascripts/discourse/templates/topic/unsubscribe.hbs
**Line:** 3:3
**Comment:**
	*Security: The template uses triple-stash (`{{{` `}}}`) when rendering `stopNotificiationsText`, which disables HTML escaping; because this text is built from a translation with an interpolated topic title (user-controlled content), any HTML in the title would be rendered unescaped and could lead to XSS. Use normal Handlebars interpolation here so the output is properly escaped while still showing the expected text.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

👍 | 👎

[codeant-ai]

Suggestion: When a logged-in user hits the unsubscribe URL for a topic they have no existing TopicUser record for, find_by will return nil and the subsequent access to tu.notification_level will raise a NoMethodError; initializing a record or defaulting the level avoids this nil dereference. [null pointer]

Severity Level: Major ⚠️

- ❌ Topic unsubscribe URL 500s when TopicUser row missing.
- ⚠️ Affected users cannot change that topic's notification level.
- ⚠️ Email per-topic unsubscribe link is unreliable for some topics.

Suggested change

	tu = TopicUser.find_by(user_id: current_user.id, topic_id: params[:topic_id])
	if tu.notification_level > TopicUser.notification_levels[:regular]
	tu = TopicUser.find_or_initialize_by(user_id: current_user.id, topic_id: params[:topic_id])
	current_level = tu.notification_level || TopicUser.notification_levels[:regular]
	if current_level > TopicUser.notification_levels[:regular]

Steps of Reproduction ✅

1. A notification email is sent which includes a per-topic unsubscribe link built from
`Topic#unsubscribe_url` at `app/models/topic.rb:20-22`, e.g. `/t/:slug/:id/unsubscribe`,
and referenced from the mailer at `app/mailers/user_notifications.rb:295` (via
`post.topic.unsubscribe_url` per Grep).

2. The user clicks that link, which routes to `TopicsController#unsubscribe` via the
routes defined in `config/routes.rb:440-441` (`get "t/:slug/:topic_id/unsubscribe" =>
"topics#unsubscribe"` and `get "t/:topic_id/unsubscribe" => "topics#unsubscribe"`).

3. After passing `ensure_logged_in` (configured in `TopicsController` at
`app/controllers/topics_controller.rb:8-28`), the request executes
`TopicsController#unsubscribe` at `app/controllers/topics_controller.rb:98-116`, where `tu
= TopicUser.find_by(user_id: current_user.id, topic_id: params[:topic_id])` (line 105) is
called.

4. For any topic/user pair where no `topic_users` row exists (which is allowed and
expected, as shown by `TopicUser.get` returning `find_by` in
`app/models/topic_user.rb:68-72` and `TopicUser.change` explicitly handling the no-row
case at `app/models/topic_user.rb:74-107`), `tu` is `nil`, so `tu.notification_level` at
`app/controllers/topics_controller.rb:107` raises `NoMethodError: undefined method
'notification_level' for nil:NilClass`, returning HTTP 500 instead of the unsubscribe
view.

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** app/controllers/topics_controller.rb
**Line:** 105:107
**Comment:**
	*Null Pointer: When a logged-in user hits the unsubscribe URL for a topic they have no existing `TopicUser` record for, `find_by` will return `nil` and the subsequent access to `tu.notification_level` will raise a `NoMethodError`; initializing a record or defaulting the level avoids this nil dereference.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

👍 | 👎

[codeant-ai]

CodeAnt AI finished running the review.