New users are being granted wrong trust level

I’m running a Discourse for approved users only. When approving new signups, I’ve noticed that every so often one of their profiles shows that they have tl1, despite not yet having been approved or interacting with the site.

In settings, both default trust level and default invitee trust level are both set to zero.

Any ideas?

Can we repro this @tshenry?

I am seeing some weird behavior on my test site where it looks like a previously reviewed user is associated with an approval reviewable despite the reviewable actually applying to a brand new user. I’m going to look into this deeper next week, but my suspicion is that @paulrudy it hitting this bug and viewing an already approved user who has gained TL1.

Thanks, but I’m 99% certain the users haven’t already been approved.

Sorry for the delay in following up on this. I was able to do some more testing, but am struggling to reproduce your specific issue. I have a several questions:

1. Are invites involved at all on your site, or are users signing up manually using the “Sign Up” button? If invites are involved, are you specifying group membership with invites?
2. Do you have any groups that have this setting configured?
   
   

   Screen Shot 2020-11-03 at 4.21.26 PM1636×236 11.6 KB
3. Do any of your groups have this setting configured:
   
   

   Screen Shot 2020-11-03 at 4.24.53 PM960×204 7.08 KB
4. Are there any patterns you can find with the affected users?
5. Where are you seeing that they are TL1? Are you selecting the username from the reviewable and looking at their user-admin page?
6. Are you using and unofficial plugins and if so, what are they?

If you can answer the above and/or come up with consistent reproduction steps, that would be super helpful. Something that happens “every so often” is going to be tricky to track down without more to go on.

No problem, and thanks for looking into it. I understand that a sporadic issue is tricky to find. Signups have slowed down for the moment, so I haven’t encountered the problem again yet.

In answer to your questions:

1. Invites are allowed—non-staff invites have to be approved. Default invitee trust level is 0. It’s possible but unlikely that the affected people were invited before the default invitee trust level was changed to 0, but unfortunately I can’t check that, because I don’t have a record of which users were affected.

2. No

3. No

4. Sorry, no pattern. I’ll start keeping track of which users it happens with from here on out.

5. Yes, exactly.

6. discourse-assign, discourse-calendar, custom trust level, discourse-elections, discourse-knowledge-explorer, discourse-locations, discourse-policy, discourse-quick-messages, discourse-saved-searches, discourse-styleguide, discourse-tooltips, discourse-translator, discourse-user-notes, discourse-voting, docker_manager, styleguide

Sorry I don’t have more useful info. I’ll update if I discover any pattern.

@tshenry I found one more example of an unapproved user with tl1. I can’t say for certain whether they were invited or not, and I also can’t say for certain when I changed the default invitee trust level to zero. But there’s an additional weirdness—this user’s profile has a profile photo, even though they’ve never been approved. We don’t have SSO enabled, so how did they get a profile picture?

Ok, let me know if you find any new cases you can say were undoubtedly from an uninvited user and after you changed the default invitee trust level to zero.

They likely have a Gravatar. Discourse automatically pulls in a profile photo from the Gravatar service via the automatically download gravatars site setting.

Ah ok, gotcha re gravatars.

I’ll follow up if I get clearer info on the trust level thing, thank you.