Bug - Admin can assign a PM to a moderator who does not have access to the PM

I have noticed what I think is a bug with the Discourse Assign plugin. It is possible for an admin to assign a PM to a moderator who does not have access to the PM. They are notified, but when they click through to see the PM they cannot see it and get an error.

The answer, it seems to me, should be to add the assignee to the message at the same time, or to display an error to the assigner to let them know the assignee is not in the message and cannot be assigned the message.

This obviously does not affect admins who can see all PMs.

5 Likes

I can repro this. An assign notification is generated despite the user not having access to the PM assigned. Same issue occurs in categories with security that mods can’t access.

5 Likes

Oh yeah, interesting edge case. What can we do here, @sam?

4 Likes

I think a minimum change here is to pop up an error saying moderator has no access to the PM when the admin / mod tries to assign.

This particular edge case will become much less of an edge case when we unlock “assign” to designated groups that are not mods.

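4 Likes

I ran into this again today: we found that many of the messages I had assigned to moderators were ones they did not actually have permission to view, so they were never followed up on. Oops.

2 Likes

Haha, is there some simple way we can guard against the above, @sam?

3 Likes

Now that this has happened, maybe @Roman can follow up on it.

5 Likes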

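I submitted a PR that enforces additional rules when trying to assign a topic:

  • The user we are assigning to must have assign permission.
  • The user we are assigning to must have access to the topic.

Trying to assign to either of these users will raise an error:

I think we should also remove users without access from the results in the assign modal. To do that, I need to extend the core user search API a little.

Here is the PR link:

I will get someone to review it before merging.

6 Likes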
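The two rules listed in the post above, plus the modal filtering it proposes, as an added example in plain Ruby that is not part of the thread or the PR. Every class, method and constant name here is hypothetical and is not the Discourse or discourse-assign API; the users and topic are constructed sample data.

```ruby
# Added illustration: authorization checks run BEFORE an assignment (and its
# notification) is created. Names are hypothetical, not Discourse's API.
require "set"

User = Struct.new(:name, :admin, :groups, keyword_init: true)

# A topic is either a PM (explicit participant list) or sits in a category
# restricted to some groups (empty set means a public category).
Topic = Struct.new(:id, :pm_participants, :category_groups, keyword_init: true) do
  def visible_to?(user)
    return true if user.admin # admins can see all PMs
    return pm_participants.include?(user.name) if pm_participants
    category_groups.empty? || !(category_groups & user.groups).empty?
  end
end

class AssignError < StandardError; end

class Assigner
  def initialize(assign_allowed_groups)
    @assign_allowed_groups = assign_allowed_groups.to_set
  end

  def can_be_assigned?(user)
    user.admin || !(@assign_allowed_groups & user.groups).empty?
  end

  # Rule 1: the assignee must have assign permission.
  # Rule 2: the assignee must be able to see the topic.
  def assign!(topic, assignee)
    raise AssignError, "#{assignee.name} cannot be assigned" unless can_be_assigned?(assignee)
    raise AssignError, "#{assignee.name} has no access to topic #{topic.id}" unless topic.visible_to?(assignee)
    { topic_id: topic.id, assigned_to: assignee.name }
  end

  # Filter for the assign modal: only offer users who pass both rules.
  def assignable_candidates(topic, users)
    users.select { |u| can_be_assigned?(u) && topic.visible_to?(u) }
  end
end

# Constructed sample data.
ADMIN = User.new(name: "admin", admin: true,  groups: Set["staff"])
MOD_A = User.new(name: "mod_a", admin: false, groups: Set["moderators"])
MOD_B = User.new(name: "mod_b", admin: false, groups: Set["moderators"])
GUEST = User.new(name: "guest", admin: false, groups: Set[])
PM    = Topic.new(id: 1, pm_participants: Set["admin", "mod_a"], category_groups: nil)
ASSIGNER = Assigner.new(["moderators"])
```

The same `visible_to?` check covers the restricted-category case mentioned earlier in the thread, since a topic with `category_groups` set is hidden from moderators outside those groups.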