Email-in topics not under approvals control

How to Reproduce

  1. Set topic requires approval for trust_0
  2. Set all new users start at trust_0
  3. Send something from email in
  4. Result: The topic appears immediately without requiring approval

I think staged users and email in just by-passes too many of the regular posting pipeline that it needs some serious review. It feels like an “add-on”.


Steps one and two are quite severe. Why would anyone do that?

That is, allow new users to start topics via email? This is radically far from a Discourse default.

1 Like


I thought #2 is default. New users start at Level 0.

approve_new_topics_unless_trust_level the minimum trust level to post without approval. Setting it to level 1 mean level 0 topics/posts require approval. This simply is a normal setting, not?

New users can always start new topics by email in. This is the default. The user will be created staged.

Can’t understand what you mean by severe…

You are saying you have configured your site such that brand new users can create topics via email, at will. This is not remotely a default. Why would anyone want this?

Isn’t that what email in is about?

Sort of, but I can’t imagine why you would let new users do that. Generally this is restricted to some categories and only trusted users.

Or if your site is invite only or paid membership, I guess.

Then what are staged users?

They are new users created via email in on some category, right?

That is intended for private groups, not public posts. Think support desk emails that get routed to a private group in Discourse. Guess what happens when you email

I can route them to a category, which is what it is doing here.

You can definitely route them to a public category, nothing stopping you in the system. For mine, I route them to private categories.

It is working great, except that some SPAMer’s keep sending in SPAM.

Now, those SPAMer’s will all be staged users created with the default user level of 0. In my forum, all my users start off at level 1 (invitation only, another setting). Therefore it stands without saying that level 0 users are all staged users via email in.

Now setting the approve_new_topics_unless_trust_level level to 1, which means that level 0 user posts need approval, we can get past the situation of those SPAM’s appearing on the category until they’re removed by moderators.

All of these features are standard in the system; I’m not using anything that is non-standard. If I can use this particular combo of system settings to satisfy my needs, then so much better for Discourse!

However, it seems that the system’s features set is not 100% orthogonal. Users created via other means (SSO, invitation, registration etc.) follow the approval checks for their posts. However, staged users created via email in by-pass the checks.

This is a bug if you ask me, or you would have called the setting approve new topics unless trust level (WARNING: doesn't work for staged users).

1 Like

As to exactly WHY this combo of system settings work for me?

Currently I have restricted categories set up, one for each country/world region.

I point email in email addresses to them.

I publish those support email addresses. For example, a customer in Canada having a support question can email to and have their email appear as a topic in the Canada Questions category, where support technicians responsible for Canada has authority to reply.

This arrangement entirely solves the problem of using Discourse as a support ticket system.


1 Like

Email spam should be handled upstream by your mail server.

Yup, I understand.

Doesn’t mean the approve_new_topics_unless_trust_level can fail to work when the user (and the topic) are created together via an email in though.

I’m saying this is a bug. You’re saying this is a feature because no sane person would want to use such a combo in settings.

1 Like

Turns out that you have it in there afterall. This is what’s throwing it off:

You are exempting staff and staged users from the approval process:

However, you’ve forgotten that there are different types of staged users creating topics. You want to exempt the ones that are sending in private messages (i.e. posting to group), but NOT when they are sending in topics (i.e. posting to category).

I think the line should be changed to:

def self.exempt_user?(user, options)
  user.staff? || (user.staged && options[:archetype] == Archetype.private_message)

Sure, good idea, what do you think @zogstrip?

It’s a good idea :+1:



Upgraded to the latest beta and then magically email in messages start showing up in the approvals list! :clap:

I guess this is finally implemented then?


Not sure, we’d need @zogstrip to confirm.

Yes, @jj11909 fixed it.


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.