Overview
When a user is actively viewing a topic that is subsequently deleted, continuous scrolling (up or down) triggers an infinite loop of posts.json API calls. These calls consistently return a 403 Forbidden error, yet the application fails to acknowledge the deletion or stop attempting to load non-existent content, leading to persistent background network activity and a broken user experience.
Steps to Reproduce
1. Preparation (Admin/Moderator User):
   - Log in as a user with topic deletion privileges (e.g., Administrator or Moderator).
   - Create a new topic with a few posts to ensure there’s content to scroll through.
   - Keep this topic’s page URL handy.
2. User Experience (Regular User):
   - Log in as a regular user (without deletion privileges).
   - Open a new browser tab or window.
   - Navigate to the topic created in Step 1.
   - Open your browser’s developer tools and go to the “Network” tab. Clear any existing requests for a clean view.
3. Simultaneous Deletion & Interaction:
   - While the regular user is on the topic page (from Step 2), use the Administrator/Moderator account (from Step 1) to delete the topic.
   - Immediately after the topic is deleted, the regular user attempts to scroll up or down on the now-deleted topic’s page.
4. Observe:
   - In the regular user’s browser’s Network tab, observe continuous GET requests being sent to `https://discourse-url/t/xxxxx/posts.json?` (where `xxxxx` is the deleted topic ID).
   - Notice that all these requests consistently return a `403 Forbidden` HTTP status code.
   - The application does not display any message indicating the topic has been deleted, nor does it stop sending these failed scroll requests.
Potential Consequences
- In my community, we use Cloudflare to prevent cyberattacks, and this bug caused some users to make too many requests and be rate-limited.
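
A client-side guard against the loop described in this report, as an added example that is not Discourse's code and not part of the original post: once `posts.json` answers with a status that cannot succeed on retry, the loader latches and later scroll events send nothing. `TopicPostLoader`, its method names, the transport signature and the topic ID are hypothetical.

```javascript
// Added example, not Discourse source. TopicPostLoader, its methods and the
// transport signature are hypothetical; only the 403 on posts.json is from the report.
const TERMINAL = new Set([403, 404, 410]); // topic gone or hidden: retrying cannot succeed

class TopicPostLoader {
  constructor(topicId) {
    this.topicId = topicId;
    this.unavailable = false; // latched on the first terminal status
    this.inFlight = false;    // prevents overlapping requests from rapid scrolling
    this.requestsSent = 0;
  }

  // The scroll handler calls this first; false means no request may be sent.
  begin() {
    if (this.unavailable || this.inFlight) return false;
    this.inFlight = true;
    this.requestsSent += 1;
    return true;
  }

  // Pure state transition on the response status; returns the UI action to take.
  finish(status) {
    this.inFlight = false;
    if (TERMINAL.has(status)) {
      this.unavailable = true;
      return "show-unavailable-notice";
    }
    return status >= 200 && status < 300 ? "append-posts" : "retry-on-next-scroll";
  }

  // transport: async (url) => ({ status }), e.g. a thin wrapper around fetch().
  async loadMore(transport, query) {
    if (!this.begin()) return "skipped";
    try {
      const res = await transport(`/t/${this.topicId}/posts.json?${query}`);
      return this.finish(res.status);
    } catch (err) {
      return this.finish(0); // network failure: not terminal, allow a later retry
    }
  }
}

// Constructed scenario: one response status per scroll event, in order.
function simulateScrolls(statuses, topicId = 12345) {
  const loader = new TopicPostLoader(topicId);
  const actions = statuses.map((s) => (loader.begin() ? loader.finish(s) : "skipped"));
  return { requestsSent: loader.requestsSent, actions };
}
```

With the constructed sequence `[200, 403, 403, 403, 403]`, only two requests leave the browser; the remaining scroll events are skipped instead of counting toward a rate limit.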