How to reproduce:
- Produce a messaging topic T that is inaccessible to user A, but deliver a mail from that topic to this user without Discourse knowing, e.g. by replying to the topic via mail and CCing a mailing list containing user A. (See here for a description of a real-world occurrence of this.)
- As user A, reply to this message, addressing it to the group inbox address of group G. Use a mail client that adds an
In-Reply-Toheader to do this.
Discourse creates a new message between group G and user A. (It may try to post a reply in topic T instead because it sees the
In-Reply-To header, but falls back to the new message because user A lacks permissions for a reply.)
Discourse sees the
In-Reply-To header and tries to post a reply from user A in topic T. Because A lacks permissions to do so, Discourse sends him an email explaining that the topic was probably closed or deleted, and does not deliver that message.