New user image limits ignored for oneboxed URLs


(Drew) #1

The two image limit settings on Discourse:

  • newuser max images
  • min trust to post images

are not respected by URLs being automatically converted to embeds. If I post the URL to an image like so:

I can bypass the above two settings, so long as I have permission to post URLs. Expected behavior is that links aren’t automatically embedded if my TL is below min trust to post images, and after n=newuser max images, links stop being automatically embedded as images (display blue warning so users don’t think something is broken)


(Jeff Atwood) #2

This is not a bug; you’re referring to two different things.

Should we have a limit on onebox embeds for new users?


(Drew) #3

Yes, with our use case being we don’t want users to be able to embed/onebox explicit images in their posts. It’s less bad if they link it, as then users have to go off-site to see the inappropriate content, and it’s not displayed on an official domain owned by us.


(Jeff Atwood) #4

Why not blacklist the problem remote domain(s) in relevant oneboxing site settings?


(Drew) #5

It’s unlikely that it will be a specific domain. Probable case is that user uploads something inappropriate to Imgur or some other hosting site that we want to allow for TL1+ users, and then links that in their post.


(Jeff Atwood) #6

Hmm, what do you think @sam is it worth restricting all oneboxes for TL0 users? Is that even possible?


(Régis Hanol) #7

Not sure about restricting all oneboxes, but having them behind a site setting could be useful.

I don’t think we’ve ever experienced this on meta, but I don’t want to have to rebake TL0 posts with a link just to trigger the oneboxing…

Yes.