rohmann | 2017-06-12 22:08:40 UTC | #1 I really need a way for users to add sensitive data to a post without using private messages. I have this in a plugin: ```ruby require_dependency "plugin/filter" Plugin::Filter.register(:after_post_cook) do |post, cooked| index=0 cooked.gsub(/\[secret\].*?\[\/secret\]/) { |a| index+=1; "
#{I18n.t('secret_replies.cooked_message')}
" } end ``` Effectively, it takes this content: ``` Anyone can see this. [secret]but not this[/secret] [secret]and DEFINITELY not this[/secret] ``` and cooks down to: ```html

Anyone can see this.

This content has been marked as secret. It is visible to staff and the original poster.
This content has been marked as secret. It is visible to staff and the original poster.
``` Assuming this is safe to do, the rest of the plugin can be built around this concept. For example, there can be a protected endpoint for retrieving the raw content, and client modifications to add it back to the cooked content. I do understand that if a user is given the ability to edit a post they will get raw content. I'm ok with this since those users are already staff, or are otherwise trustworthy with these secrets. Main question: Is there any unguarded context where Discourse outputs raw post content instead of cooked content? Any other security concerns? Thanks! ------------------------- pfaffman | 2017-06-12 22:10:17 UTC | #2 [quote="rohmann, post:1, topic:64385"] Main question: Is there any unguarded context where Discourse outputs raw post content instead of cooked content? [/quote] LIke this? https://meta.discourse.org/raw/64385 In other words, yes. If someone can read the post, they can read the raw content. ------------------------- tobiaseigen | 2017-06-12 22:11:20 UTC | #3 Sounds like you want whispers. This exists but only for moderators. ------------------------- rohmann | 2017-06-12 22:47:39 UTC | #4 @tobiaseigen I looked at whispers but I really need the functionality for everyone. Whispers are also completely hidden instead of inline with the reply which would be ideal (although if I had something working I could live without it). [quote="pfaffman, post:2, topic:64385, full:true"] LIke this? https://meta.discourse.org/raw/64385 In other words, yes. If someone can read the post, they can read the raw content. [/quote] Thanks! Yes, stuff like that is what I meant. So back to the drawing board... ------------------------- mpalmer | 2017-06-12 23:17:06 UTC | #5 Perhaps if you describe the bigger picture of what you're trying to achieve, you'll avoid falling foul of [the XY problem](http://xyproblem.info/). ------------------------- pfaffman | 2017-06-13 16:50:27 UTC | #6 Thanks, @mpalmer! That's awesome. I've been aware of the XY Problem for at least 30 years, but never knew what to call it. ------------------------- rohmann | 2017-06-13 18:47:40 UTC | #7 @mpalmer Sure! I'm using a Discourse category for handling product support, and other categories for discussion. Sometimes users need to share their site URL or even login information with us in a way that keeps the topic itself readable to others, but our staff can still see that info. ------------------------- pfaffman | 2017-06-13 19:58:04 UTC | #8 Maybe you want to do something that puts the information in a PM and inserts a link to the PM (perhaps semi-hidden as you've attempted previously) ------------------------- rohmann | 2017-06-13 20:54:26 UTC | #9 It would be really great if the information was just inline somehow. It's a bit more involved, but the next concept I'm currently exploring involves using `add_to_serializer` to supply a custom field when viewed by the post owner or admin/moderator. Instead of the shortcode style method I originally wanted, I'll probably need to make a custom UI in the composer. ------------------------- codinghorror | 2017-06-13 22:27:49 UTC | #10 The fact that you sent a PM to someone in reference to a post is noted below the post, but this might be a staff-only thing. ------------------------- rohmann | 2017-06-13 22:28:56 UTC | #11 Let me know what you guys think of this method. It will need a custom UI put together, but the idea is that a custom post field is used to store the private information. It's added to the serializer if the user is staff or the OP, and can be piped down into the post stream. Does this look secure? Is there a way people could otherwise find the custom field contents? https://gist.github.com/rohmann/4572181f5a84b1dfcf789c224076be63 ------------------------- mpalmer | 2017-06-13 23:44:10 UTC | #12 For me, personally, I'd just say "PM me the <details>", and save writing a custom plugin... ------------------------- rohmann | 2017-06-14 00:16:43 UTC | #13 @mpalmer That works, but really slows down the process. It isn't very scalable. For example, with inline private data the user can attach a private URL before the topic even gets a response. The next person able to work on the ticket may not have been the one requesting the login credentials. If the ticket needs escalation to another user they'd have to coordinate to get that information (more potential exposure) or annoyingly request the user to PM someone else. And if the user needs to change any of the information along the way, they need to resend it to any of the involved parties. For me it is definitely worth a custom plugin if I can get private data per post accessible by the OP and staff. The plugin in the gist above gets custom field content into the post stream, and only when the user should be able to see it. https://www.dropbox.com/s/mwedrxetyblj77t/Screenshot%202017-06-13%2020.04.09.png?dl=0 It also accepts a PUT to `/secure-note/update` allowing permissible users to set the note content. It seems to be working minus the UI. Being new to Rails and Discourse plugin development, I'm just concerned about that custom field somehow being exposed to users who shouldn't see it somehow. Is it ok to store sensitive info in custom fields? ------------------------- codinghorror | 2017-06-14 00:23:22 UTC | #14 You need to make these people staff and use whispers. That is exactly what whispers are for -- if staff are the ones with the secret. Granted with customer secrets you can't but in this case use incoming email to trigger a group PM. That is how team@discourse.org works for example. Then the topic, instantiated by an email, is private and visible only to the team group and that one customer.. who can either log in to reply (with the same email address), or rely via email. ------------------------- rohmann | 2017-06-14 00:38:12 UTC | #15 Thanks @codinghorror That sounds like you're creating an entirely private conversation though right? What I'm hoping to achieve is public/open forum support with a quick way for users to share info with our team. Whispers would be perfect if it could be extended it to work for regular users. Building a plugin seems like the only way to get what I need. Just hoping I can do it securely and not expose the information anywhere. ------------------------- Falco | 2017-06-14 00:59:15 UTC | #16 I really get what you want to archive, and skimming through your code the back end of things looks good. I'm really curious about how you gonna wire stuff up on the front end. The balance between easy for users to use and not intrusive when not needed is hard. ------------------------- codinghorror | 2017-06-14 00:59:28 UTC | #17 It's just a very peculiar request since you are insisting the normal method of PM is somehow not acceptable and the information must be inline. ------------------------- mpalmer | 2017-06-14 04:48:05 UTC | #18 The UX on this is going to be epic... how to make sure users put their private info in the private boxes and not in the public post, and vice versa. I just don't see people, in general, navigating this particularly well. I'm also not convinced that having public discussions that "the public" can only partially see is really valuable. If the question requires private information to answer, then how does having the discussion in public help? Nobody who doesn't have access to the private information can help, and any answers from staff are dependent on the details of the private information, so the answers aren't generally useful for future visitors. ------------------------- rohmann | 2017-06-14 21:16:42 UTC | #19 @mpalmer Most people aren't quick to share sensitive info without knowing it's safe. I'm comfortable placing a "Secure Note" button right of "Reply" since you'll almost never reply to your own post. Finished the UI: ### Post with a secure note https://www.dropbox.com/s/izx1c27sbtlbqmb/Screenshot%202017-06-14%2017.11.22.png?dl=0 ### Editing Modal https://www.dropbox.com/s/qtybpvccdhd6wgn/Screenshot%202017-06-14%2017.14.07.png?dl=0 ### Staff button when not the OP https://www.dropbox.com/s/jtic3eivvvdhoga/Screenshot%202017-06-14%2017.14.58.png?dl=0 For now, I've got the plugin here: https://github.com/rohmann/discourse-secure-note ------------------------- m.mueller | 2021-12-09 13:23:56 UTC | #20 Hi all, first of all -> yes I know, this thread is as old as my doughter, but I can't find another one on this topic and hope someone of you can help me. I searched via search engine and here on this forum but can't find a solution where I can setup a secured field where a user can send infos to a mod, which are not seen by all other users. A step with "plz send me PM with info" is not possible, we disabled PM on our forum for reasons. This one here is not supported anymore but maybe someone of you know a plugin or method to accomplish this workflow. A big thank you already to all those who do not immediately tear my answer, because I unpack an old topic. ------------------------- Falco | 2021-12-09 14:02:37 UTC | #21 https://meta.discourse.org/t/discourse-private-replies/146712?u=falco is kinda close ------------------------- m.mueller | 2021-12-09 14:55:56 UTC | #22 Thank you and yep its close but not the use case. This one is more a "I start a question and all answers are hidden and just visible for the thread starter" thing. In our case we have support members which have to log into SFTP/SSH/DB of customers. The customer starts with a question and on 60% of the issues a support member have to ask about the login information. Sometimes another customer is having a similar question and this one also should be allowed to send private information on this thread. ------------------------- RGJ | 2021-12-09 15:35:14 UTC | #23 [quote="m.mueller, post:22, topic:64385"] Sometimes another customer is having a similar question and this one also should be allowed to send private information on this thread. [/quote] But you don't want the customers to see each others info. So you have to find a way to distinguish between the posts that should be visible to everyone and the posts that should be visible to staff only. You could split off a topic, use Private Replies and ask the user for their details, but everyone would see the question, which is weird. But Discourse lets people interact with staff users via PM even if they are disabled, provided that the staff member was the one that initiated the conversation. So you can disable PM's, have staff message your users, and they would be able to reply. So if your support members are `staff` then they can just PM your users asking them for the info. ------------------------- m.mueller | 2021-12-09 15:48:52 UTC | #24 However, PM only works conditionally well with hundreds of requests a day. Therefore, it should not be the complete post, which is no longer visible, but in addition to the post a field in which you can pass text (or a link). This field is then only visible to the moderators. Thus, the post creator can always give a public explanation of the problem and also submit login data, which are not visible. For another Service we use a ticket system, where other users can answer questions beside the support stuff. This is to promote the community idea. There we have a way to implement text-fields below the main content-text-field which submit secure information just for our stuff. So I thought about having such a thing on discourse will be great. -------------------------