Discourse-assign - `/u/{user}/activity/assigned` odd public topic list results

The topics listed on the page /u/{user}/activity/assigned for non-authenticated / users without “staff” are incorrect / shouldn’t be displayed.

Steps to reproduce

  • Ensure discourse-assign plugin is installed / active.
  • Set “assigns public” (Allow general public to see topic assignments) to “false
  • Ensure two public test topics exist (although this is not specifically required it helps in understanding what might be displayed).
  1. one topic with a the user “johnsmith” assigned
  2. one topic with no users assigned
  • Visit /u/johnsmith/activity/assigned as an unauthenticated user

Expected results

  • No topics listed / an error indicating access is denied
  • the same as visiting a protected page - i.e. indicate you may need to be logged in.

Actual results

  • All public topics listed
  • at least these don’t seem to be related to the “assigned” user.
1 Like

I checked on a forum where I have been assigned topics and it does appear that unauthenticated users get all topics, not the assigned ones. It does look like if users can’t see assigned stuff that part of the query is thrown away.

If you don’t want users to know about things that are assigned, it seems improbable that a user would stumble on this query. It’s as though unchecking “allow public to see assignments” means something like “don’t allow public to see whether there are assignments”.

Can you share with us your feelings and thoughts and emotions on this @sam?

Wait a second…

  • No information is leaking
  • User has to hack up URL to exhibit the non-issue.

I guess @codinghorror my feelings are :confused:, my emotion is :dango: and my thoughts is that I don’t understand how this is an issue.

3 Likes

Thoughts where…

  • From a users point of view I experienced this personally when I was logged out and greeted with the unexpected list of topics.
  • Discourse is an API - this endpoint is giving invalid information (if this accurately indicated what is returned via the API?)

I am not against improving this, pr welcome