Moderators reading messages in Staff Action Logs

We’re having a privacy problem with moderators getting access to messages they shouldn’t be able to access.

As far as I can tell, Discourse has two design goals that come into play here:

  1. Moderators aren’t exempt from permission checks and can only read messages they are invited two.
  2. When moderators use their powers, any action they take is logged and can be inspected by any staff member.

Sometimes, these are in conflict, e.g. when a moderator edits another users post in a message with them. In these cases, Discourse prioritizes :two:: The edited users’ post is revealed to all staff in the staff action logs.

While I already disagree with the decision to prioritize :two:, this has corner cases that I think are definitely undesirable, bordering on a #bug. The biggest one we found: Moderators can currently read every single message that contains a link to an external image, because @system downloads the image, edits the post, and this is added to staff action logs.

I’m not sure what the right course of action is here. Make staff action log access for moderators configurable? Do not allow to view the post for staff action log entries from @system? Make the view post feature generally respect post permissions?

Either way, I hope something can change here, because we’re currently being forced to block access to the staff action log API on the Nginx level.


I don’t think those edits should be logged.

@david can you make sure we don’t log those very specific edits from the @system user? (and remove the existing ones)


This is done in

Note that moderators can still see logs for private messages that are edited by someone other than the author.

This is tricky to automate - we don’t have any way of knowing whether the existing logs are from “pull hotlinked images”, or have been edited as the system user via the API. @fefrei if you want to wipe the old logs for all system edits on your site, you could run something like this on the console:

UserHistory.where(action: UserHistory.actions[:post_edit], acting_user: Discourse.system_user).destroy_all

Great, thank you! :heart: