Inheritance of access rights for subcategories broken

Hello,

I just noticed a major bug in the inheritance of access rights for subcategories:

How to reproduce: Create a category where only a certain group of people has access to. Now create a subcategory, without further access specifications. That subcategory violates the access rights of its main category and will be publicly available.

Expected behaviour: Subcategories should never be able to gain more rights than their main category.

Discourse version: v1.6.0.beta12 +61

Regards,
MPW

This is by design, sub-categories do not inherit their parent permissions.

https://meta.discourse.org/t/permission-changes-moderators-have-less/12522/36?u=cpradio

4 Likes

Then this should be changed. At least by default during creation of the category.

Discourse does not have an implementation of inherited permissions between categories and sub-categories.

Totally fine to amend the UI to inherit from parent when creating new subcategories but the underlying permission system is category based with no inheritance. Changing this is a major piece of work that is not scheduled.

3 Likes

Sounds like a nice plan and will keep admins from accidentally blowing confidential information, like it happened to us.

Thanks for looking into this.

Regards,
MPW