Clicking the envelope does not work for non-staff users

Clicking the envelope to reveal an incoming email should work for staff and for users viewing their own posts. However, as a non-staff user trying to view their own post, this results in a JavaScript error. The user is able to view the underlying JSON when that is requested manually.

It does work for staff users.


4 Likes

I can confirm this also occurs on my test site for non-staff users with the same error - Uncaught Error: Failed to create an instance of 'controller:raw-email'. Most likely an improperly defined class or an invalid module export.

It has been marked for some attention. :slight_smile: :+1:

4 Likes

Looks legit! Thanks for raising, since the paper cut is so small I am putting a pr-welcome on it. I support the super trivial fix of simply not calling anything here, I am on the fence on exposing full email info to self for non mods.

3 Likes

:+1: for not calling anything; I’ve used that to debug email issues tons of times as an admin, never once looked at my own messages as a mod or regular user, anywhere. :person_shrugging:

1 Like

Pull request here: Disallow access to raw email for non-staff users by communiteq · Pull Request #17569 · discourse/discourse · GitHub

2 Likes

I see this pull request was (silently) closed, I suspect because I honestly fail to see how to test a single line function that only contains is_staff?.

Please let me know if this is going to be merged in the future, because if it is not I will have to create a plugin to resolve this GDPR issue…

I can sort of accept not having a test for the client side, but the API side should be trivial to test. You create a post object, a user object, check that the user cannot view raw email when the post is deleted in the guardian tests.

Will try to figure out why PR was closed.

This is a behavior change though, I am curious why we are going with stripping the feature over fixing the bug.

2 Likes
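The guardian test described in the reply above, written out as an added example. This is not Discourse's own code or test suite: the `User`, `Post` and `Guardian` classes here are minimal stand-ins constructed for the example, the method name `can_view_raw_email?` and the "before" policy (staff or post author) are assumptions drawn from the thread's description, and the sample email is constructed. The only thing taken directly from the thread is that the fixed check reduces to `is_staff?`.

```ruby
# Minimal stand-ins for the models the guardian consults (constructed for this example).
User = Struct.new(:id, :admin, :moderator, keyword_init: true) do
  def staff?
    admin || moderator
  end
end

Post = Struct.new(:id, :user_id, :raw_email, :deleted_at, keyword_init: true)

# A stand-in for the authorization object; a nil user models an anonymous visitor.
class Guardian
  def initialize(user = nil)
    @user = user
  end

  def is_staff?
    !@user.nil? && @user.staff?
  end

  # Assumed pre-fix behaviour (the intent described at the top of the thread):
  # staff, or the author of the post, may see the raw email.
  def can_view_raw_email_before?(post)
    !post.nil? && (is_staff? || (!@user.nil? && post.user_id == @user.id))
  end

  # Post-fix behaviour from the thread: raw email is staff-only.
  # nil post (e.g. deleted and not loaded) is always denied.
  def can_view_raw_email?(post)
    !post.nil? && is_staff?
  end
end

# Constructed sample; not a real message.
SAMPLE_RAW_EMAIL = "From: alice@example.test\nSubject: Re: topic\n\nhello\n"

# Fixtures: one staff user, the post's author, an unrelated user, and the post itself.
def example_cases
  staff  = User.new(id: 1, admin: true,  moderator: false)
  author = User.new(id: 2, admin: false, moderator: false)
  other  = User.new(id: 3, admin: false, moderator: false)
  post   = Post.new(id: 10, user_id: author.id, raw_email: SAMPLE_RAW_EMAIL, deleted_at: nil)
  { staff: staff, author: author, other: other, anonymous: nil, post: post }
end

# Evaluates one guardian predicate for every kind of viewer against the same post,
# which is the shape of the guardian test the reply asks for.
def access_matrix(predicate)
  c = example_cases
  %i[staff author other anonymous].to_h do |who|
    [who, Guardian.new(c[who]).public_send(predicate, c[:post])]
  end
end

# The API side: the raw email is only returned when the guardian allows it.
def raw_email_for(user, post)
  Guardian.new(user).can_view_raw_email?(post) ? post.raw_email : nil
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{access_matrix(:can_view_raw_email_before?)}"
  puts "after fix:  #{access_matrix(:can_view_raw_email?)}"
end
```

The matrix makes the behaviour change in the PR explicit: the only row that flips is the post author, which is the case the original report wanted to work and the PR chose to drop. A real spec would exercise the guardian with persisted records, but the assertions are the same four rows.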

We suspect the closing was a misclick by someone, apologies, reopened.

This is certainly odd because I don’t think it was intended to be closed and I wasn’t the one that closed it. At least not intentionally and not that I’m aware of. Anyway, I’ll follow up with the PR shortly.

Something is odd about the state of the PR. Github bug perhaps? :man_shrugging:

1 Like

The close was indeed very weird, since there was no acting user and I did not get a notification.
Good to hear that it wasn’t intentional!

I might have misunderstood you here then…?

2 Likes

Sorry for the long wait here. PR has been merged.

5 Likes