Activity Summary included content of posts to which user no longer had access

I use Discourse for discussion in an academic setting, and I have different courses separated out by groups and categories, so that they cannot see each others’ posts. That works well, with one troublesome exception: Digest emails seem to include titles and excerpts for topics to which the email recipient does not have access. Evidence of this is that when the user clicks the link in the email, they get a 404 page.

That does sound like a bug. I’d think that there are pretty good specs for that case, though. Do you have any plugins that might be changing things?

Could some posts in a public category be referring to private topics?

You can test what digests will get sent for a particular user at /admin/emails/preview summary.

1 Like

As far as plugins go, I have discourse-math, discourse-canned-reply, discourse-solved, and discourse-openid-connect. I don’t see a straightforward reason why any of them would affect this. I’m on Discourse 3.1.0 FWIW.

If I use the summary preview feature for the user who reported this, I now only get an empty box. But I have a screenshot of their email that clearly shows posts in a category to which they don’t have access included in the summary.

Any chance the category was not private at the time of the email? Or that the user had access to it at that time? You can check category permissions activity under Staff Action Logs; filter that view by “change category settings”.

I did a quick test locally, and I can’t reproduce this issue with either the preview or a manually sent digest.

6 Likes

Yikes, you are all correct. The access privileges for the category had in fact changed between when the user in question received the email and when I received their report. Nothing to see here AFAICT, and sorry about the noise!

3 Likes

No worries, thank you for following up.

1 Like