Email-in topics not under approvals control

(Stephen Chung) #1

How to Reproduce

  1. Set topic requires approval for trust_0
  2. Set all new users start at trust_0
  3. Send something from email in
  4. Result: The topic appears immediately without requiring approval

I think staged users and email in just by-passes too many of the regular posting pipeline that it needs some serious review. It feels like an “add-on”.

Registering unregistered users on first email a la mailman?
(Jeff Atwood) #2

Steps one and two are quite severe. Why would anyone do that?

That is, allow new users to start topics via email? This is radically far from a Discourse default.

(Stephen Chung) #3


I thought #2 is default. New users start at Level 0.

approve_new_topics_unless_trust_level the minimum trust level to post without approval. Setting it to level 1 mean level 0 topics/posts require approval. This simply is a normal setting, not?

New users can always start new topics by email in. This is the default. The user will be created staged.

Can’t understand what you mean by severe…

(Jeff Atwood) #4

You are saying you have configured your site such that brand new users can create topics via email, at will. This is not remotely a default. Why would anyone want this?

(Stephen Chung) #5

Isn’t that what email in is about?

(Jeff Atwood) #6

Sort of, but I can’t imagine why you would let new users do that. Generally this is restricted to some categories and only trusted users.

Or if your site is invite only or paid membership, I guess.

(Stephen Chung) #7

Then what are staged users?

They are new users created via email in on some category, right?

(Jeff Atwood) #8

That is intended for private groups, not public posts. Think support desk emails that get routed to a private group in Discourse. Guess what happens when you email

(Stephen Chung) #9

I can route them to a category, which is what it is doing here.

You can definitely route them to a public category, nothing stopping you in the system. For mine, I route them to private categories.

It is working great, except that some SPAMer’s keep sending in SPAM.

Now, those SPAMer’s will all be staged users created with the default user level of 0. In my forum, all my users start off at level 1 (invitation only, another setting). Therefore it stands without saying that level 0 users are all staged users via email in.

Now setting the approve_new_topics_unless_trust_level level to 1, which means that level 0 user posts need approval, we can get past the situation of those SPAM’s appearing on the category until they’re removed by moderators.

All of these features are standard in the system; I’m not using anything that is non-standard. If I can use this particular combo of system settings to satisfy my needs, then so much better for Discourse!

However, it seems that the system’s features set is not 100% orthogonal. Users created via other means (SSO, invitation, registration etc.) follow the approval checks for their posts. However, staged users created via email in by-pass the checks.

This is a bug if you ask me, or you would have called the setting approve new topics unless trust level (WARNING: doesn't work for staged users).

(Stephen Chung) #10

As to exactly WHY this combo of system settings work for me?

Currently I have restricted categories set up, one for each country/world region.

I point email in email addresses to them.

I publish those support email addresses. For example, a customer in Canada having a support question can email to and have their email appear as a topic in the Canada Questions category, where support technicians responsible for Canada has authority to reply.

This arrangement entirely solves the problem of using Discourse as a support ticket system.


(Jeff Atwood) #11

Email spam should be handled upstream by your mail server.

(Stephen Chung) #12

Yup, I understand.

Doesn’t mean the approve_new_topics_unless_trust_level can fail to work when the user (and the topic) are created together via an email in though.

I’m saying this is a bug. You’re saying this is a feature because no sane person would want to use such a combo in settings.

(Stephen Chung) #13

Turns out that you have it in there afterall. This is what’s throwing it off:

You are exempting staff and staged users from the approval process:

However, you’ve forgotten that there are different types of staged users creating topics. You want to exempt the ones that are sending in private messages (i.e. posting to group), but NOT when they are sending in topics (i.e. posting to category).

I think the line should be changed to:

def self.exempt_user?(user, options)
  user.staff? || (user.staged && options[:archetype] == Archetype.private_message)

(Jeff Atwood) #14

Sure, good idea, what do you think @zogstrip?

(Régis Hanol) #15

It’s a good idea :+1:


(Stephen Chung) #16

Upgraded to the latest beta and then magically email in messages start showing up in the approvals list! :clap:

I guess this is finally implemented then?

(Jeff Atwood) #17

Not sure, we’d need @zogstrip to confirm.

(Gerhard Schlager) #18

Yes, @jj11909 fixed it.

(Gerhard Schlager) #19

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.