Access to protected category via latest view

Hi there,

I have a huge problem. We are running an internal forum for our employees. A couple of weeks ago, we migrated to Discourse and imported all the users, groups, categories, threads and comments. Some categories are only accessible for concrete user groups. However, users without being in such a group are able to access those protected categories via the “Latest” view. They can read the topic and access the whole thread and download attachments.

Is this the way to go? What am I doing wrong? Even when only granting access to such a category for admins only, the threads can be seen and accessed.

I appreciate any help.

Thx, Björn

Check that:

- you’re signed in to the correct account when checking for these leaks
- the categories are not giving everyone the See permission → there is a lock icon on the category badge → the topics should not display for anonymous users

Basically just review the category permissions, you might need to edit and re-save them possibly due to the import?

5 Likes

The forum is not available for anonymous users, i.e. you have to be logged in. The category shows the lock symbol and - only for testing purposes - only admins are allowed to create, reply and view.

When changing the right, I re-saved the category, right?!

I don’t get why it is not working as expected. Very strange.

To be more specific, Kane wanted you to verify that:

  1. You tested this by logging in as a non-admin user.

I tested this out in my sandbox, and could not reproduce this. Removing “everyone: create/reply/see” and adding only “admins: create/reply/see” completely hide topics in the category from /latest.

Edit: A thought, do you have sub-categories? Permissions are not inherited, so even if you restricted a parent category, content in sub-categories will still be visible unless also restricted.

6 Likes

Additionally, creating subcategories where some people that can see it do not have See on the parent results in a large number of bugs.

4 Likes

Thx guys for your immediate help. Yes, I do have subcategories and I think there is the problem. The subcategories can be accessed by “everyone”. I didn’t know that the privileges are not inherited. We are testing the changes now and I will let you know. Thx again :slight_smile:

5 Likes
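
The sub-category check this thread arrives at, as an added example that is not part of any post and is not Discourse code: it models the rule that permissions are not inherited and flags sub-categories that grant access to groups the parent does not. The category list and its field names are constructed for illustration and are assumptions; overlapping group membership is ignored.

```python
EVERYONE = "everyone"

# Constructed sample (field names are assumptions): one entry per category,
# listing the groups granted any permission level (every level includes See).
CATEGORIES = [
    {"id": 1, "name": "Management", "parent": None, "groups": {"admins"}},
    {"id": 2, "name": "Budgets", "parent": 1, "groups": {"everyone"}},
    {"id": 3, "name": "Board", "parent": 1, "groups": {"admins"}},
    {"id": 4, "name": "HR", "parent": None, "groups": {"hr"}},
    {"id": 5, "name": "Payroll", "parent": 4, "groups": {"hr", "payroll"}},
    {"id": 6, "name": "General", "parent": None, "groups": {"everyone"}},
    {"id": 7, "name": "Offtopic", "parent": 6, "groups": {"everyone"}},
]


def visible_categories(categories, user_groups):
    """Names of categories whose topics a user in user_groups can see.

    Each category is judged on its own groups only: nothing is inherited
    from the parent, which is the behaviour described in the thread.
    """
    effective = set(user_groups) | {EVERYONE}
    return [c["name"] for c in categories if c["groups"] & effective]


def audit_subcategories(categories):
    """Flag sub-categories that grant access to groups the parent does not."""
    by_id = {c["id"]: c for c in categories}
    findings = []
    for cat in categories:
        parent = by_id.get(cat["parent"])
        if parent is None or EVERYONE in parent["groups"]:
            continue  # top-level category, or parent already open to all
        extra = sorted(cat["groups"] - parent["groups"])
        if extra:
            findings.append((parent["name"], cat["name"], extra))
    return findings


if __name__ == "__main__":
    # A logged-in user who is in no privileged group.
    print("visible to plain user:", visible_categories(CATEGORIES, {"staff"}))
    for parent, child, groups in audit_subcategories(CATEGORIES):
        print(f"{parent} > {child}: also visible to {', '.join(groups)}")
```
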