Moderator without access to a category can't change category notification settings for a user who does

I just made the odd discovery that, as a moderator with limited category permissions, I can’t update the category notification settings for a user with access to the categories. To make matters worse, if I make any changes to a user’s preferences the category notification settings get changed. This means that if someone was watching/tracking/muting a category before, they aren’t after the moderator saves the preferences.

## Replication steps

  • set up a user that has moderator privileges but limited access to one or more categories
  • set up another user that has access to category/ies that the moderator does not have access to, and set some up to be watched/tracked/muted
  • log in as admin, look at the user preferences and confirm the settings (see first screenshot below)
  • log in as user with moderator privileges but without access to all categories and edit the user preferences of a user who has access to a category you do not (see second screenshot below)
  • save changes.
  • go back as admin to look at the user… you will see the category notification settings are gone.

## How it should behave

The permissions on the user being edited should be reflected on the user page, not the permissions of the logged in user. So the moderator should be able to see and edit these category notification settings.

## Editing user’s preferences as admin

## Editing user’s preferences as moderator with limited access to categories

9 Likes
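An added illustration of the failure mode the report describes (not Discourse’s own code): when the save treats the moderator’s form as the complete set of category preferences, every category the moderator cannot see is silently reset, and hiding the fields client-side does not change that. The category names, notification levels and the two save functions are constructed for this example; the scoped version shows the server-side check that keeps untouched categories intact.

```ruby
# Constructed example, not Discourse code. Models saving a user's category
# notification preferences from a form that only lists the categories the
# *editor* (a moderator) is allowed to see.

LEVELS = %i[muted regular tracking watching].freeze

# Behaviour described in the report: the submitted form is taken as the whole
# picture, so any category absent from it loses its setting.
def save_prefs_naive(existing, submitted)
  submitted.dup
end

# Hardened version: the editor may only touch categories they can see, and the
# server enforces that regardless of what the form rendered; every other
# category keeps its current level.
def save_prefs_scoped(existing, submitted, editor_visible)
  unauthorized = submitted.keys - editor_visible
  unless unauthorized.empty?
    raise ArgumentError, "editor may not change: #{unauthorized.join(', ')}"
  end
  bad_levels = submitted.values.reject { |lvl| LEVELS.include?(lvl) }
  raise ArgumentError, "unknown level(s): #{bad_levels.inspect}" unless bad_levels.empty?
  existing.merge(submitted)
end

# Constructed sample data: the edited user tracks a staff-only category that
# the moderator cannot see, and the moderator's form submits only what it rendered.
EXISTING       = { "general" => :watching, "staff-only" => :tracking }.freeze
MODERATOR_SEES = ["general"].freeze
FORM           = { "general" => :muted }.freeze

# Returns both outcomes plus the categories the naive save dropped.
def demo
  naive  = save_prefs_naive(EXISTING, FORM)
  scoped = save_prefs_scoped(EXISTING, FORM, MODERATOR_SEES)
  { naive: naive, scoped: scoped, lost: EXISTING.keys - naive.keys }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "naive save:  #{r[:naive]}  (settings lost for: #{r[:lost]})"
  puts "scoped save: #{r[:scoped]}"
end
```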

Confirmed on my dev setup.

I think the only possible fix to this involves revealing the fact that there are categories that exist but you don’t have access to.

which shouldn’t be an issue if you’re a moderator trusted with the power to edit a user’s preferences. :wink:

1 Like

Moderators do not have access to these and should not be able to see them, so your thesis is incorrect…

The issue with saving is legit, but the fix may be complex. I suggest avoiding these edits for now.

Why are moderators allowed to edit user preferences in the first place? That seems like an admin privilege.

I don’t know about others, but on my sites this is not an issue - moderators can know that the categories exist, but shouldn’t be able to see the contents of the ones they don’t have access to.

2 Likes

Agreed … the risk of a moderator simply knowing a category exists is low: moderate probability they find out about it, and trivial impact if they do. (What could they do other than tell other people a secret category exists?)

Also, QFT. I could see allowing them to edit things where someone could put spam links or offensive text, but preferences, no.

1 Like

To be very clear - what @codinghorror is saying is that until this is resolved, all moderators with limited category permissions should be instructed not to edit preferences of other users at all, to avoid messing up their category notifications.

1 Like

Could you maybe hide it with CSS?

Not really, once saved, it’ll save everything. It would need to be disabled in code.

Only thing we can do here is completely hide the “watching” etc fields from moderators, I think it is the most correct fix anyway.

2 Likes

OK I’d appreciate it if you could make this fix. Thanks!

Nice “I talk in rainbows” speech bubble on your discourse staff avatars, btw. :slight_smile:

6 Likes

Fixed per:

https://github.com/discourse/discourse/commit/e050308f3655b83285a1f41652e894583aa6a354

4 Likes