From 61300dab592537d846c1c05d273841752e4551b5 Mon Sep 17 00:00:00 2001 From: SansPseudoFix Date: Thu, 1 Dec 2016 15:15:09 +0100 Subject: [PATCH 1/2] CSRF mail --- config/locales/diaspora/en.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/config/locales/diaspora/en.yml b/config/locales/diaspora/en.yml index 62c2ccfff..a38f161ab 100644 --- a/config/locales/diaspora/en.yml +++ b/config/locales/diaspora/en.yml @@ -707,12 +707,23 @@ en: body: |- Hello %{name}, - We received a request with a wrong/missing CSRF token from your account. To prevent any possible damage you have been logged out. + diaspora* has detected an attempt to access your session which might be unauthorised. This might be completely innocent, but it could be a cross-site request forgery (CSRF). To avoid any chance of your data being compromised, you have been signed out. + + A request made using a incorrect or missing CSRF token can be caused by: + + - An add-on manipulating the request or making requests without the token; + - A tab left open from a past session; + - Another website making requests, with or without your permission; + - Various other external tools; + - Malicious code trying to access your data. For more information on CSRF see [%{link}](%{link}). - Sorry, + Don’t worry; you can safely sign in again now. + If you see this message regularly, please check your browsing settings. + + Thank you, The diaspora* email robot! report_email: type: From 6c37171f9f37edcb79770c1c37c609d692f0d4b4 Mon Sep 17 00:00:00 2001 From: Benjamin Neff Date: Sun, 4 Dec 2016 18:51:50 +0100 Subject: [PATCH 2/2] Change last sentence and fix specs closes #7238 --- Changelog.md | 1 + config/locales/diaspora/en.yml | 2 +- spec/mailers/notifier_spec.rb | 4 +++- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 3bc8ad976..3ee7565b8 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -12,6 +12,7 @@ * Only require AWS-module for fog [#7201](https://github.com/diaspora/diaspora/pull/7201) * Only show community spotlight links on the contacts page if community spotlight is enabled [#7213](https://github.com/diaspora/diaspora/pull/7213) * Require spec\_helper in .rspec [#7223](https://github.com/diaspora/diaspora/pull/7223) +* Make the CSRF mail a bit more friendly [#7238](https://github.com/diaspora/diaspora/pull/7238) ## Bug fixes * Fix fetching comments after fetching likes [#7167](https://github.com/diaspora/diaspora/pull/7167) diff --git a/config/locales/diaspora/en.yml b/config/locales/diaspora/en.yml index a38f161ab..77f00f47f 100644 --- a/config/locales/diaspora/en.yml +++ b/config/locales/diaspora/en.yml @@ -721,7 +721,7 @@ en: Don’t worry; you can safely sign in again now. - If you see this message regularly, please check your browsing settings. + If you see this message repeatedly, please check the points above, including any browser add-ons. Thank you, The diaspora* email robot! diff --git a/spec/mailers/notifier_spec.rb b/spec/mailers/notifier_spec.rb index 7593bba03..a23b796b8 100644 --- a/spec/mailers/notifier_spec.rb +++ b/spec/mailers/notifier_spec.rb @@ -476,7 +476,9 @@ describe Notifier, type: :mailer do end it "has some informative text in the body" do - expect(email.body.encoded).to include("https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)") + email.body.parts.each do |part| + expect(part.decoded).to include("https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)") + end end end
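Review bot: in the `config/locales/diaspora/en.yml` hunk of the first patch, the added line `A request made using a incorrect or missing CSRF token can be caused by:` has a grammar slip and should read `an incorrect or missing CSRF token`. This string goes out to every user who gets signed out by the CSRF protection and is also the source text for translations, so it is worth correcting before merge rather than in a follow-up.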
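Review bot: the `email.body.parts.each do |part| ... end` loop in the `spec/mailers/notifier_spec.rb` hunk passes vacuously when `email.body.parts` is empty, which is the case for a non-multipart message, so a regression that drops the OWASP link from a single-part mail would go unnoticed where the old `email.body.encoded` assertion would have failed. Add a guard before the loop, for example `expect(email.body.parts).not_to be_empty`, so the spec only passes when at least one part was actually checked for the `https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)` URL.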