I have one Category Public with security “everyone” can Create / Reply / See. Therefore a couple of posts can be public for visitors; inviting sign-up before approval.
Topics posted to Category Judicial are with security “trust_level_0” so that only approved users can view content. However, new posts or post replies to this topic are appearing as public when their Category explicitly makes these hidden to a non-member.
When spotted, I have to set the thread to a Category Public and then re-categorise as Judicial.
I’m pretty certain I’ve got the security settings correct.
Is this a bug?
Is there a security configuration trick to guarantee posts don’t leak public when expressly set to only trust_level_0 for registered approved users?
Dean, thanks for this! This means for every new member approved I will have an additional task to add them into the group; that’s cool as a workaround but not ideal if I’m managing a heap of users.
I looked at Invite only but this would prevent the forum displaying a Welcome come and join us topic. Displaying a pretty basic “Sign-up” page isn’t going to attracted many cautious prospective members not knowing to what they’re signing up
I’m asking for Categories to obey the trust_level_0 rules and not display that category as public.
Must be a bug folks. Can this get on a to-be-fixed list?
Well, technically, you could define it either way.
We do define it that way at the moment, e.g. “all” visitors are TL0, but I could see us enforcing TL0 as only users who have an account. @sam how painful would this be to get working? (or as @pjh tested, does this already work?)
Generally when people have “secret” content on existing Discourse instances, it is secret enough that merely creating an account isn’t enough to view it. So this does not come up very much.