Discourse ignoring Category trust_level_0 (registered user) making posts public


(Nick Harrington) #1

I’m running http://magistrates.today/ version 1.4.0.beta1 as a private member-only forum.

I have one Category Public with security “everyone” can Create / Reply / See. Therefore a couple of posts can be public for visitors; inviting sign-up before approval.

Topics posted to Category Judicial are with security “trust_level_0” so that only approved users can view content. However, new posts or post replies to this topic are appearing as public when their Category explicitly makes these hidden to a non-member.

When spotted, I have to set the thread to a Category Public and then re-categorise as Judicial.

I’m pretty certain I’ve got the security settings correct.

Is this a bug?
Is there a security configuration trick to guarantee posts don’t leak public when expressly set to only trust_level_0 for registered approved users?

Happy to give you Admin for a looksee.

Nick


(Dean Taylor) #2

trust_level_0 is a “built in” trust level - this is actually the lowest trust level - i.e. a new user is set at trust_level_0 when they initially sign up.

It depends on your approval process - I’m guessing adding a user to a “group” fit’s best here if you are going to have public topics too.

Follow this then add the “approved” users one at a time to the group that gives them access.

If you are trying to configure an “invite only” installation where there are no public topics - somebody else will have to point you at the right settings to check.

But the one that springs to mind is “Settings > Login > invite only


(Nick Harrington) #3

Dean, thanks for this! This means for every new member approved I will have an additional task to add them into the group; that’s cool as a workaround but not ideal if I’m managing a heap of users.

I looked at Invite only but this would prevent the forum displaying a Welcome come and join us topic. Displaying a pretty basic “Sign-up” page isn’t going to attracted many cautious prospective members not knowing to what they’re signing up

I’m asking for Categories to obey the trust_level_0 rules and not display that category as public.

Must be a bug folks. Can this get on a to-be-fixed list?


(PJH) #4

This works as expected for me - category not visible unless you’re logged in…?

When trying to read a post in that category while not logged in:


(Jeff Atwood) #5

Well, technically, you could define it either way.

We do define it that way at the moment, e.g. “all” visitors are TL0, but I could see us enforcing TL0 as only users who have an account. @sam how painful would this be to get working? (or as @pjh tested, does this already work?)

Generally when people have “secret” content on existing Discourse instances, it is secret enough that merely creating an account isn’t enough to view it. So this does not come up very much.


(PJH) #6

It already seems to work.

I suspect @nickjharrington may have left the Everyone rule in security instead of deleting it?


(Nick Harrington) #7

@pjh here’s a snap for this Category Judicial with only trust_level_0 present on Security.

Could you join the community and I’ll let you have a look?

Nick


(Jeff Atwood) #8

Hmm, perhaps @techapj should have a look in this case?


(PJH) #9

Then it appears to be working. This is what’s visible when not logged in:

I can’t see Judicial anywhere.


(PJH) #10

After logging in:

@nickjharrington - what are you seeing that you think you shouldn’t?


(Nick Harrington) #11

The issue is that posts of Category “Judicial” (trust_level_0) are leaking as public posts when not logged in or as a non-member. I’ll put up a test thread to try and demonstrate. Be right back …


(PJH) #12

No repro here I’m afraid - http://magistrates.today/t/what-on-earth-happened/51, for example when not logged in:

Is there a specific post that is ‘leaking’?


(Nick Harrington) #13

Yes. Just authored this post with Category of Judicial:

But the post appears without a Category to a public non-member:


(Nick Harrington) #14

Therefore it appears to be an issue around authorship where the original post is failing to get adopted into the selected Category. Can @PJH reproduce with a new authored post as Judicial?


(Jeff Atwood) #15

Did you rename or otherwise change Uncategorized? I suggest you update to latest code, it looks like you have a UI problem with selected categories.


(Nick Harrington) #16

We must have removed Uncategorized.
I’ll backup and execute the upgrade now.


(Nick Harrington) #17

Post creation as Category Judicial

Post is created without any Category


(Nick Harrington) #18

Editing the original “Test Post for Security Testing” to reselect “Judicial” causes the thread to honour the Category.


(PJH) #19

Test post #2 is uncategorised, thus not subject to any controls. (The other test post there requires logging in to see.)

This smells of this bug where if the category isn’t changed, the post gets dumped into Uncategorised for admins even if such posts are not supposed to be allowed.

Unchecking allow_uncategorized_topics (which has been done on @nickjharrington’s site and mine ) normally should disallow non-admins from viewing, but doesn’t appear to in this instance…

For example Login to your account - What the Daily WTF? is in uncategorised on mine and shows the “You need to log in screen”"

http://magistrates.today/t/test-post-2-for-security-testing/56 on the other hand is also uncategorised but doesn’t require a login.

I can only think that there’s another site setting that I can’t find that’s different between the two sites…


(cpradio) #20

I think you are hitting this bug, which was recently fixed this week (according to my testing)

Just realized @pjh beat me to it.