Sudden realization about issue with Ticket System (private topics plugin)

We have successfully been using Discourse as our ticketing system for several months now. All has been going smoothly but I just realized that there is a security issue that I overlooked as it was hidden through obscurity until just now.

Everything has been going fine with the exception that I had to add trust_level_0 to our ticket topic in order for regular users to be able to create topics via e-mail (works fine without it for staged users).

As the forum itself was mostly dead, I didn’t notice until just yesterday that when users with trust level 0 log in they can see posts from our support category, even though it’s set up as a private topic and supposed to only be visible to admins and our ‘support_staff’ group.

Is there a way to fix this? If not I’ll have to scrap this whole project as we have a lot of personal/sensitive info in the support tickets.

Thanks!
David

This is exactly why we developed the Private Topics plugin.

I’m using that, and it doesn’t seem to be working.

Can you please share your forum URL in a PM to me, together with a screenshot of the Category → Security tab of that category?

What do you mean by “private topic”?

We have “personal messages” but there’s no such concept as a “private topic”.

BTW, how you describe things working is exactly how we use meta itself. Emails to our support address come into personal messages in a group inbox - there’s no leakage to the public.

I think you have things set up wrong.

Please scan up, there is a plugin literally called Private Topics, and that’s what I’m using.

Ah, OK, you should add that information to the OP.

PM sent.

Issue resolved. We did a PR on my brain and now everything is working.
I misunderstood a setting in the plugin’s settings. Once I was schooled, everything works like it should.

Thanks!

Explaining the mix-up would make this topic useful to future readers.

With the current amount of detail all we know is “something was wrong and is now fixed”.

The Private Topics plugin was installed.

Two things were going on:

  • all topics were somehow created by the support_staff group and not by the individual users
  • the setting “Private topics permitted groups” (Always show topics started by a member of these groups) included that support_staff group.

Hence, all topics were visible for all TL0 users.

When support_staff was removed from “Private topics permitted groups” everything worked as intended.
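To make the mix-up in the last post concrete, here is a small model of the visibility rule it describes. This is an added example, not code from the Private Topics plugin or from Discourse: the group names, the idea that admins and support_staff see every ticket, and the sample users and tickets are all assumptions, chosen only to show that the leak needed both conditions (tickets started by the support_staff account, and support_staff listed in “Private topics permitted groups”) and that dropping the group from the setting closes it.

```ruby
require 'set'

# Constructed sample shapes (assumption, not Discourse's data model):
# a user has a name and a list of group names; a topic has a title and a starter.
User  = Struct.new(:name, :groups, keyword_init: true)
Topic = Struct.new(:title, :starter, keyword_init: true)

class TicketVisibility
  # category_groups:  groups granted access in Category -> Security
  # see_all_groups:   groups that see every ticket (assumption: admins and support_staff)
  # permitted_groups: "Private topics permitted groups" -- topics started by a member
  #                   of one of these groups are always shown to everyone in the category
  def initialize(category_groups:, see_all_groups:, permitted_groups:)
    @category_groups  = category_groups.to_set
    @see_all_groups   = see_all_groups.to_set
    @permitted_groups = permitted_groups.to_set
  end

  def visible?(topic, viewer)
    viewer_groups = viewer.groups.to_set
    # Category -> Security: no shared group, no access to the category at all
    return false if (viewer_groups & @category_groups).empty?
    # Staff see everything
    return true unless (viewer_groups & @see_all_groups).empty?
    # Private Topics: a user always sees the topics they started themselves
    return true if topic.starter.name == viewer.name
    # The setting from the thread: starter in a permitted group => shown to all
    !(topic.starter.groups.to_set & @permitted_groups).empty?
  end

  def titles_for(viewer, topics)
    topics.select { |t| visible?(t, viewer) }.map(&:title)
  end
end

# Constructed users and tickets (assumption)
ALICE = User.new(name: 'alice', groups: ['trust_level_0'])
BOB   = User.new(name: 'bob',   groups: ['trust_level_0'])
DESK  = User.new(name: 'support_desk', groups: ['support_staff', 'trust_level_0'])
GUEST = User.new(name: 'guest', groups: [])   # not in any group the category grants

CATEGORY_GROUPS = ['admins', 'support_staff', 'trust_level_0']
SEE_ALL_GROUPS  = ['admins', 'support_staff']

# First condition from the thread: every mailed-in ticket ended up started by
# the support_staff account rather than by the individual user.
DESK_STARTED = [
  Topic.new(title: 'alice: password reset', starter: DESK),
  Topic.new(title: 'bob: billing question', starter: DESK),
]
# How it is meant to be: each ticket started by the user who mailed it in.
USER_STARTED = [
  Topic.new(title: 'alice: password reset', starter: ALICE),
  Topic.new(title: 'bob: billing question', starter: BOB),
]

# Second condition is the permitted_groups argument.
def titles_seen_by(viewer, tickets, permitted_groups)
  TicketVisibility.new(category_groups: CATEGORY_GROUPS,
                       see_all_groups: SEE_ALL_GROUPS,
                       permitted_groups: permitted_groups).titles_for(viewer, tickets)
end

if __FILE__ == $PROGRAM_NAME
  # The leak: both conditions together, a TL0 user sees everyone's tickets
  p titles_seen_by(ALICE, DESK_STARTED, ['support_staff'])
  # The fix from the thread: support_staff removed from the setting
  p titles_seen_by(ALICE, DESK_STARTED, [])
  # With tickets started by their own users, alice sees only hers either way
  p titles_seen_by(ALICE, USER_STARTED, ['support_staff'])
  p titles_seen_by(ALICE, USER_STARTED, [])
end
```

Run it with `ruby` and compare the four printed lists: only the first one contains bob's ticket. The quick check a practitioner would want after changing either setting is the same one the model encodes: log in as a trust-level-0 test account that did not open a ticket and confirm the support category lists nothing.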