Affects Version/s: 2.1
Fix Version/s: 2.1
We are using SVN r17296 of branches/v2.1.
1. CiviCRM does not identify tokens embedded in URLs unless "Track Clickthroughs" is enabled, so "Track Clickthroughs" is required for use of checksums.
2. Enabling "Track Clickthroughs" on a checksum URL is a security issue, in that it's easy to find other contact's checksum URLs by altering the qid value in the received URL.
While tokens embedded in URLs are not replaced in CiviMails unless "Track Clickthroughs" is enabled, they are correctly handled when the same template is used to send an email directly to a contact via "Send an email" from the contact page.
CiviMail is consistent in this behaviour both when sending test emails and when sending the mail live.
We've observed similar behaviour in 2.0.