I’ve just tested this to confirm the behaviour on our instance (20 commits behind, can’t see anything related in the changes). We have all posts by trust level 0 users require approval and I wasn’t sure if that would affect the route, so I extended the steps to test without that interfering.
These steps all relate to a category where the admin group has see/reply/create and no other permissions are set, an email in address is set and accept emails from anonymous users with no accounts is enabled.
“>” denotes an effect rather than an action.
- Send email from address with no user
- > Staged user is created, new post goes into review queue
- Approve post
- > New topic is created in private category
- Change trust level of staged user to 1
- Send another email from same address
- > New topic is created in private category
If that didn’t happen, the accept emails from anonymous users with no accounts setting would have no purpose on categories that do not have either everyone or trust_level_0 with create permission.
I believe this is equivalent to #4 in the OP where the OP describes both #3 and #4 being expected to result in a new topic, however only #4 does.
With my previous post (before “The current situation”), I was mostly aiming to discuss this point more generally, which seems to argue that #3 should not work because the way it currently works protects against users being impersonated.
However, as I describe in that post, that protection doesn’t exist where a matched user has create permission.