New user image limits ignored for oneboxed URLs

The two image limit settings on Discourse:

  • newuser max images
  • min trust to post images

are not respected by URLs being automatically converted to embeds. If I post the URL to an image like so:

I can bypass the above two settings, so long as I have permission to post URLs. Expected behavior is that links aren’t automatically embedded if my TL is below min trust to post images, and after n=newuser max images, links stop being automatically embedded as images (display blue warning so users don’t think something is broken)


This is not a bug; you’re referring to two different things.

Should we have a limit on onebox embeds for new users?

Yes, with our use case being we don’t want users to be able to embed/onebox explicit images in their posts. It’s less bad if they link it, as then users have to go off-site to see the inappropriate content, and it’s not displayed on an official domain owned by us.

Why not blacklist the problem remote domain(s) in relevant oneboxing site settings?

It’s unlikely that it will be a specific domain. Probable case is that user uploads something inappropriate to Imgur or some other hosting site that we want to allow for TL1+ users, and then links that in their post.


Hmm, what do you think @sam is it worth restricting all oneboxes for TL0 users? Is that even possible?

1 Like

Not sure about restricting all oneboxes, but having them behind a site setting could be useful.

I don’t think we’ve ever experienced this on meta, but I don’t want to have to rebake TL0 posts with a link just to trigger the oneboxing…


1 Like