Bug in TL0 message flagging

(TechnoBear) #1

TL0 members can’t flag posts in public topics, but they can flag posts in PMs. However, the “something else” option doesn’t work as expected for TL0 members. (Discovered on our forum, Discourse 1.9.0.beta1 and confirmed on latest, Discourse 1.9.0.beta12.)

Steps to reproduce:

Send a message to a TL0 member.

TL0 member flags that post, chooses “something else” and writes an explanation.


The flag will appear like any other custom flag.

Actual outcome:

The flag is created, but the message is not sent, and no dialogue is created.

The two flags raised by SpareBear (TL0) show no message, even though one was entered, and there is no “Reply” button. The flag raised by SuperTed (TL2) functions as expected.

(gauthier) #2

TL0 member is using the english language?
It’s seems there is a bug when member and forum are not both in english

(TechnoBear) #3

Forum is English-language only, and the message was definitely in English.

(Jeff Atwood) #4

@neil we should fix this

(Neil Lalonde) #6

The reason for this behaviour was because TL0 users (with default settings) aren’t allowed to create private messages, and those “custom” flags are private messages to moderators. I fixed this by allowing TL0 users to send PMs to moderators. If any new users abuse this, the moderators have the power to deal with it, so I think this is low-risk.

(Neil Lalonde) #7

This topic was automatically closed after 2 hours. New replies are no longer allowed.

(Jeff Atwood) #8

That’s a pretty big structural change. How did this ever work before, since this is a new regression, and that loophole was not present to my knowledge since 2013?

My concern is that randos could sign up for infinite new accounts and grief the mods with no practical limit. We see it with the Korean bamwar folks, for example…

(Sam Saffron) #9

I am not 100% this did not exist forever, in the past you only got access to the flag dialog when you got to tl1and the only pm you had going was the welcome pm which was direct to moderators in many cases

I don’t recall any spam reports with the welcome PMs in the past, but I am not certain we could have had them

(Jeff Atwood) #10

Oh that is right. Why are we allowing TL0 users to flag suddenly @eviltrout @neil that is the underlying issue.

(Sam Saffron) #11

I think discobot tries to teach flagging, so it was bypassed for that

(Neil Lalonde) #12

They can flag private messages, which I think is a valid use case.

(Jeff Atwood) #13

Yeah the idea is they can reply to any pm they get but they can’t send a pm at trust level 0. Still if we are now globally allowing tl0 flags everywhere that is not a good idea.

(Neil Lalonde) #14

TL0 can only flag private messages others sent to them. They can’t flag anything else.