Developer forum

back in stock notifications email bug?

Brian Bolks

Hi, we configured the back in stock notifications for a customer following: https://doc.dynamicweb.com/documentation-9/marketing/other/back-in-stock-notifications

In our template we use:

{{EmailMarketing:Email.ContentLink.Clean}}

So the customer can also check the email on the website. I couldn't get the products to load in the template following that link. I did some digging in the code and it seems the ViewContext doesn't get set when visiting that link. I guess this is a bug? Or I didn't configure it correctly?

Anyhow, for now I fixed it by setting the ViewContext using a NotificationSubscriber on OnBeforeRenderParagraphs with the following code to make it work:

    /*
     * BUG IN DW?
     * Check whether RecipientId and RecipientSecret are present in the current request,
     * so we can set the Context that is needed to render the email content.
     * This situation occurs when people use the "show in browser" link in the sent email.
     */
    var recipientId = Context.Current.Request.GetInt32("RecipientId");
    var recipientSecret = Context.Current.Request["RecipientSecret"];
    if (recipientId == 0 || string.IsNullOrWhiteSpace(recipientSecret) || beforeRenderArgs.PageView.Context != null)
    {
        return;
    }

    // Only continue when the recipient exists and the secret from the link matches.
    var recipient = Recipient.GetRecipientById(recipientId);
    if (recipient == null || recipient.Secret != recipientSecret) return;

    // Only handle emails sent through the back in stock recipient provider.
    var marketingEmail = Dynamicweb.EmailMarketing.Email.GetEmailByMessageId(recipient.MessageId);
    if (!(marketingEmail?.RecipientProvider is BackInStockRecipientProvider provider)) return;

    var viewContext = provider.GetRecipientContentContext(recipient);

    beforeRenderArgs.PageView.Context = viewContext;

 


Replies

 
Nicolai Pedersen

Hi Brian

Thank you for the good description. I think your configuration is correct.

The ViewContext in this case is based on a user set by the sending of an email that "impersonates" the user - when you link to the page that impersonation does not occur because that is an email feature (all of viewcontext is). Loading users by URL in an anonymous context is generally considered a security issue, which is why we are very careful about that.

The {{EmailMarketing:Email.ContentLink.Clean}} is originally for use with regular newsletters - of course also available in this context, but has the side effect you have uncovered.

So bug or not - we will discuss the possible side effects of loading the user into the context like this. Can you pass in any recipient id and get access to information that should be behind login?

If we find it safe, we will incorporate your solution. Well done by the way.

Thanks, Nicolai
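
Added example, not part of the original posts and not Dynamicweb code: a self-contained sketch of the check the question above turns on, where a user context is resolved only when the RecipientId and RecipientSecret from the link both match a stored recipient. StoredRecipient, BrowserLinkGate, ResolveUser and the sample values are hypothetical, and the fixed-time comparison is an assumption added here, not something the thread states.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Hypothetical stand-in for a stored e-mail recipient; not Dynamicweb's Recipient class.
public sealed class StoredRecipient
{
    public int Id;
    public string Secret;
    public int UserId;
}

public static class BrowserLinkGate
{
    // Compares every overlapping byte instead of exiting at the first difference,
    // so response time does not reveal how much of a guessed secret was correct.
    static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a ?? ""), y = Encoding.UTF8.GetBytes(b ?? "");
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    // Returns the user id whose context may be loaded, or null to stay anonymous.
    public static int? ResolveUser(IDictionary<int, StoredRecipient> store, int recipientId, string secret)
    {
        if (recipientId <= 0 || string.IsNullOrWhiteSpace(secret)) return null;
        StoredRecipient r;
        if (!store.TryGetValue(recipientId, out r)) return null;
        // A recipient stored without a secret must never match an arbitrary value.
        if (string.IsNullOrEmpty(r.Secret) || !FixedTimeEquals(r.Secret, secret)) return null;
        return r.UserId;
    }

    public static void Main()
    {
        // Constructed sample data.
        var store = new Dictionary<int, StoredRecipient> {
            { 7, new StoredRecipient { Id = 7, Secret = "c0nstructed-s3cret", UserId = 101 } },
            { 8, new StoredRecipient { Id = 8, Secret = "", UserId = 102 } }
        };
        Console.WriteLine(ResolveUser(store, 7, "c0nstructed-s3cret"));          // id and secret match
        Console.WriteLine(ResolveUser(store, 7, "guess") == null);               // wrong secret
        Console.WriteLine(ResolveUser(store, 8, "guess") == null);               // no stored secret
        Console.WriteLine(ResolveUser(store, 9, "c0nstructed-s3cret") == null);  // unknown id
    }
}
```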

 
Nicolai Pedersen
This post has been marked as an answer

Hi Brian

We will fix this - we have discussed and agree that this is not a security issue.

Thanks, Nicolai

Votes for this answer: 1
 
Oleg Rodionov Dynamicweb Employee

Hi,

DevOps bug 4609 has been created to fix the issue. Thanks for observing.

BR, Oleg QA

 
Oleg Rodionov Dynamicweb Employee

Hi,

The bug has been fixed. It will be provided in DW9.10.15. Actually, the fix is in the Dynamicweb.EmailMarketing 3.1.0 package, so it can be downloaded from NuGet, and the appropriate DLL can be unzipped and used in your admin.

BR, Oleg QA   

 
