Flagged/deleted posts can be viewed even for topics where I have no access

As a moderator, I see the “Flagged posts” and “Deleted posts” counts on a member’s profile, and can use those to see the posts in question.

But doing this also shows deleted posts originally made in private categories to which I have no access, such as the Admins section. (Clicking on the post gives me the “You do not have permission to view that topic” message.) These posts are easy to spot, as no category is shown. AFAIK, I (or any other moderator) would also be able to see deleted PMs.

4 Likes

Adding screenshot

The post above was shown to @TechnoBear, but was made in a category she doesn’t have access to and was never flagged. I simply created it and deleted it.

However, using the Flagged # link or the Deleted # link on a user’s profile shows topics/posts that we shouldn’t see as we don’t have permissions to them.

2 Likes

I had to fight ActiveRecord a bit to fix this one (stupid default_scope) but I have a fix:

https://github.com/discourse/discourse/commit/db4c04d6065622bb2507b07b7cfce3bc3b63af9e

6 Likes
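
The access check this thread is about, as an added example in plain Ruby; it is not Discourse's code and not the linked commit. The structs, sample posts and function names are all hypothetical. It puts a listing gated only on moderator status next to one that reuses the topic-visibility rule, with a regression check that reports any listed post the viewer could not open.

```ruby
# Constructed model: every name below is hypothetical, none is Discourse's API.
Post = Struct.new(:id, :author, :category, :participants, :deleted, keyword_init: true)
Viewer = Struct.new(:name, :moderator, :categories, keyword_init: true)

# Constructed sample data. category nil marks a private message.
POSTS = [
  Post.new(id: 1, author: "alice", category: "general", participants: [], deleted: true),
  Post.new(id: 2, author: "alice", category: "admins", participants: [], deleted: true),
  Post.new(id: 3, author: "alice", category: nil, participants: %w[alice bob], deleted: true),
  Post.new(id: 4, author: "alice", category: "general", participants: [], deleted: false)
].freeze

MOD = Viewer.new(name: "mod", moderator: true, categories: %w[general])

# Behaviour described in the report: moderator status alone gates the list.
def deleted_posts_unfiltered(viewer, author)
  return [] unless viewer.moderator
  POSTS.select { |p| p.author == author && p.deleted }
end

# The same rule that decides whether the viewer may open the topic itself.
def can_see_topic?(viewer, post)
  return post.participants.include?(viewer.name) if post.category.nil?
  viewer.categories.include?(post.category)
end

# Hardened listing: deletion state never widens what the viewer may read.
def deleted_posts_filtered(viewer, author)
  deleted_posts_unfiltered(viewer, author).select { |p| can_see_topic?(viewer, p) }
end

# Regression check: ids a listing returns that the viewer could not open.
def leaked_ids(listing, viewer)
  listing.reject { |p| can_see_topic?(viewer, p) }.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered leaks: #{leaked_ids(deleted_posts_unfiltered(MOD, 'alice'), MOD).inspect}"
  puts "filtered leaks:   #{leaked_ids(deleted_posts_filtered(MOD, 'alice'), MOD).inspect}"
end
```
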