I have one Category Public with security “everyone” can Create / Reply / See. Therefore a couple of posts can be public for visitors; inviting sign-up before approval.
Topics posted to Category Judicial are with security “trust_level_0” so that only approved users can view content. However, new posts or post replies to this topic are appearing as public when their Category explicitly makes these hidden to a non-member.
When spotted, I have to set the thread to a Category Public and then re-categorise as Judicial.
I’m pretty certain I’ve got the security settings correct.
Is this a bug?
Is there a security configuration trick to guarantee posts don’t leak public when expressly set to only trust_level_0 for registered approved users?
trust_level_0 is a “built in” trust level - this is actually the lowest trust level - i.e. a new user is set at trust_level_0 when they initially sign up.
It depends on your approval process - I’m guessing adding a user to a “group” fits best here if you are going to have public topics too.
If you are trying to configure an “invite only” installation where there are no public topics - somebody else will have to point you at the right settings to check.
But the one that springs to mind is “Settings > Login > invite only”
Dean, thanks for this! This means for every new member approved I will have an additional task to add them into the group; that’s cool as a workaround but not ideal if I’m managing a heap of users.
I looked at Invite only but this would prevent the forum displaying a Welcome come and join us topic. Displaying a pretty basic “Sign-up” page isn’t going to attract many cautious prospective members not knowing to what they’re signing up.
I’m asking for Categories to obey the trust_level_0 rules and not display that category as public.
Must be a bug folks. Can this get on a to-be-fixed list?
Well, technically, you could define it either way.
We do define it that way at the moment, e.g. “all” visitors are TL0, but I could see us enforcing TL0 as only users who have an account. @sam how painful would this be to get working? (or as @pjh tested, does this already work?)
Generally when people have “secret” content on existing Discourse instances, it is secret enough that merely creating an account isn’t enough to view it. So this does not come up very much.
The issue is that posts of Category “Judicial” (trust_level_0) are leaking as public posts when not logged in or as a non-member. I’ll put up a test thread to try and demonstrate. Be right back …
Therefore it appears to be an issue around authorship where the original post is failing to get adopted into the selected Category. Can @PJH reproduce with a new authored post as Judicial?
Test post #2 is uncategorised, thus not subject to any controls. (The other test post there requires logging in to see.)
This smells of this bug where if the category isn’t changed, the post gets dumped into Uncategorised for admins even if such posts are not supposed to be allowed.
Unchecking allow_uncategorized_topics (which has been done on @nickjharrington’s site and mine) normally should disallow non-admins from viewing, but doesn’t appear to in this instance…
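
Added example, not part of the thread and not Discourse's own code: a small audit of what a logged-out visitor can list, which flags topics that sit outside the categories meant to be public, such as a topic that fell into Uncategorized as described above. The JSON shapes are assumed to follow the logged-out responses of Discourse's `/categories.json` and `/latest.json`; the ids, titles and the `audit_anonymous_view` helper are constructed for illustration.

```python
import json

# Constructed sample data, shaped like the logged-out responses of
# /categories.json and /latest.json (assumption). Ids and titles are made up.
ANON_CATEGORIES = json.loads("""
{"category_list": {"categories": [
  {"id": 1, "name": "Uncategorized", "read_restricted": false},
  {"id": 5, "name": "Public", "read_restricted": false}
]}}""")

ANON_LATEST = json.loads("""
{"topic_list": {"topics": [
  {"id": 101, "title": "Welcome, come and join us", "category_id": 5},
  {"id": 102, "title": "Test post #2", "category_id": 1},
  {"id": 103, "title": "Judicial test thread", "category_id": 9}
]}}""")


def audit_anonymous_view(categories, latest, intended_public):
    """Return (topic_id, title, reason) for every topic a logged-out visitor
    can list that does not sit in a category meant to be public."""
    by_id = {c["id"]: c for c in categories["category_list"]["categories"]}
    findings = []
    for topic in latest["topic_list"]["topics"]:
        cat = by_id.get(topic.get("category_id"))
        if cat is None:
            # The category is hidden from anonymous users, yet the topic is listed.
            reason = "category not visible anonymously, but topic is"
        elif cat.get("read_restricted"):
            reason = f"restricted category '{cat['name']}' listed anonymously"
        elif cat["name"] not in intended_public:
            # Typical case from the thread: the topic landed in Uncategorized.
            reason = f"in '{cat['name']}', not an intended public category"
        else:
            continue
        findings.append((topic["id"], topic["title"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_anonymous_view(ANON_CATEGORIES, ANON_LATEST, {"Public"}):
        print(finding)
```

Running the same check against responses saved from a logged-out browser session shows whether a topic is exposed because of its category's permissions or because it never left Uncategorized.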