We’re having a privacy problem with moderators getting access to messages they shouldn’t be able to access.
As far as I can tell, Discourse has two design goals that come into play here:
- Moderators aren’t exempt from permission checks and can only read messages they are invited to.
- When moderators use their powers, any action they take is logged and can be inspected by any staff member.
Sometimes these are in conflict, e.g. when a moderator edits another user’s post in a message with them. In these cases, Discourse prioritizes the latter: the edited user’s post is revealed to all staff in the staff action logs.
While I already disagree with the decision to prioritize the latter, this has corner cases that I think are definitely undesirable, bordering on a bug. The biggest one we found: moderators can currently read every single message that contains a link to an external image, because @system downloads the image, edits the post, and this is added to the staff action logs.
I’m not sure what the right course of action is here. Make staff action log access for moderators configurable? Not allow staff to view the post for staff action log entries from @system? Make the view post feature generally respect post permissions?
Either way, I hope something can change here, because we’re currently being forced to block access to the staff action log API at the Nginx level.