Mautic Community Forums

Email preview access

Your software
My Mautic version is: 4.0.1
My PHP version is: 7.4
My Database type and version is: 10.5.12-MariaDB-1:10.5.12+maria~buster

Your problem
We are testing Mautic in order to send automatic reminders to users about the services they’re subscribed to.

These emails are sent regularly to the user until either:

  • the user clicks the “cancel this reminder” link
  • the specific campaign expires

Now, I noticed that the Email Preview page is freely accessible to everyone (no login is needed) at this address:
https://mautic_server_URL/email/preview/ID

while the {webview_text}‍ link contained in the email is reacheable at this address:
https://mautic_server_URL/email/view/NONCE

The ID is a simple counter starting from 1, so easily guessable, while the NONCE is an hex string unique for each user. This leaves an easy access to all the reminder emails to everyone on the net.

As the reminder email can possibly contain sensible information, I was wondering if it is possible to limit the access to the Preview page, for example to logged-in users only.

Thanks!

BTTT - Just a single back-to-the-top after 14 days :slight_smile:

I think that leaving an open access to the preview of all the email pages is not a good thing.

Is it possible to change the ID in the Email Preview page http address with a random OID?