"Email in allowed groups" setting is too permissive

Hi all,

We have a self-hosted instance of Discourse in mailing list mode, created to be a replacement for Mailman.

We have 3 categories set up with custom incoming email addresses that create topics, which seemed to be working correctly.

Unfortunately we realised that users without “Create” permissions on the category could create topics by sending emails in.

I tweaked the “Email notifications in” setting to restrict the ability to create topics via email to certain privileged groups. Unfortunately users not in the privileged groups can still create topics via email.

I have stopped and started the app and this behavior continued. I have also attempted to update the app to the latest on the tests-passed branch (3.2.0 beta5-dev Commits · discourse/discourse · GitHub) but unfortunately this hasn’t helped. The older build was from around 2 weeks ago.

“Category mirrors a mailing list” is ticked for all 3 categories.

It would be great if we could restrict posting via email to specific groups for each category as this would more closely resemble the permissions for the mailing lists we have migrated from.

Replies by email are being denied for users in a way that matches “Reply” in the security settings for the category. It would be great if creating a topic by email was tied to the “Create” settings as well.

Any help or guidance would be greatly appreciated, please let me know if you need any information.

Many thanks

Have you read this topic yet?


Hi Lillian,

Thanks very much for your message, from reading this documentation it sounds like what we are trying to achieve is the expected behavior from Discourse.

Reading the linked documentation, this part is most relevant:

Why use a category?

  • Using a category is useful if you want to simulate a mailing list.
    We are using categories for this reason
  • Sending an email to a category will create a topic in said category.
    This part is working correctly
  • Anyone with access to that category may read and reply using the web interface or via email.
    This is also working correctly
  • Emails sent to a category must respect the category’s security settings.
    Users who are unable to reply on the Web UI receive a ReplyNotAllowedError when looking at the email logs, which is what we want. Users who are unable to create a topic through the web UI are able to create a topic when emailing the incoming email address, which is one of the issues we are having. They are even able to create topics in categories they can’t see.
  • Emails sent to a category must respect the email in allowed groups site setting.
    I started to use this setting in order to prevent unauthorised groups from creating topics in the above way, but this doesn’t work either.
  • You may disable staged users on a per category basis.
    Our Discourse instance is invite only, so staged users are disabled and any unknown user receives a StrangerNotAllowed error, which is the desired behaviour.

I’ve tried stopping and starting the app, and upgrading the app through the web GUI. Would you recommend a full rebuild?

What logs would be most relevant for these issues?

Thanks very much in advance again

Hi again,

Just a quick update. I’ve just tried rebuilding the app but the behavior has stayed the same unfortunately. I will try to find some more logs to figure out why this is happening.

Hi,

After some digging and testing I’ve found that if you tick “category mirrors a mailing list” this will skip validation, as you can see here in the source code.

Once I unticked this option, the permissions worked as expected.

This then allowed / disallowed based upon permissions as you would expect.

Please can this be added to the documentation to help future users?

Thanks very much for your help Lilly.

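As an added illustration of the behaviour found in this thread (not Discourse's own code, and the hash keys, group names and check order are assumptions, not Discourse's real settings or serializer fields), the following Ruby models how "category mirrors a mailing list" bypasses the create-permission and "email in allowed groups" checks, and audits a constructed category list for categories that accept inbound mail while mirroring a list:

```ruby
# Added example, not code from Discourse. Models the reported behaviour:
# a mirrored category skips validation; otherwise the sender must be in
# "email in allowed groups" and have Create permission on the category.
# Key names and check order are assumptions for illustration only.

require 'set'

# Constructed sample categories, mirroring the three in the original post.
CATEGORIES = [
  { name: "announce", email_in: "announce@example.org",
    mailinglist_mirror: true,  create_groups: ["moderators"] },
  { name: "dev",      email_in: "dev@example.org",
    mailinglist_mirror: false, create_groups: ["developers"] },
  { name: "general",  email_in: nil,
    mailinglist_mirror: true,  create_groups: ["trust_level_0"] },
].freeze

# Constructed value for the site-wide "email in allowed groups" setting.
EMAIL_IN_ALLOWED_GROUPS = ["moderators", "developers"].freeze

# Decides whether an inbound email from a user in user_groups may create a
# topic in category. Returns :allowed, :skipped (mirror ticked, so no
# validation at all), or a symbol naming the check that failed.
def email_topic_creation(category, user_groups, allowed_groups = EMAIL_IN_ALLOWED_GROUPS)
  return :skipped if category[:mailinglist_mirror]

  groups = user_groups.to_set
  return :not_in_email_in_allowed_groups if (groups & allowed_groups.to_set).empty?
  return :no_create_permission if (groups & category[:create_groups].to_set).empty?

  :allowed
end

# Audit: categories with an incoming address AND the mirror option ticked
# accept topics from any known sender regardless of Create permission.
def categories_skipping_validation(categories)
  categories.select { |c| c[:email_in] && c[:mailinglist_mirror] }
            .map { |c| c[:name] }
end

if __FILE__ == $0
  puts "Categories skipping email validation: " \
       "#{categories_skipping_validation(CATEGORIES).inspect}"
end
```

Running the audit against a real instance would mean exporting each category's incoming address and mirror flag from the admin UI, which this constructed sample stands in for.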