Non admin has access to closed category

(Codecademy ) #1

So I have a closed category for our forum moderators.

A non moderator was able to comment on a thread in our category that’s locked. I looked at the category permissions and confirmed he does not meet any of those, check this users badges, groups and user level - nothing!

I am super confused. I impersonated him and was able to see the closed thread with direct link, see below:

He can’t see the category - that’s not showing up, but I am wondering how he got here?

Thank you.

(Codecademy ) #2

You can’t see it, but he was able to view and comment!

(Codecademy ) #3

Seems anyone with the direct link can see it! WITHOUT being logged in!?

(Codecademy ) #4

Ok – so found the problem.

Maybe this is a bug? That post was under a child category in a private parent category. But when I created the child category within the private parent category, it did not keep the permissions.

(Codecademy ) #5

I am still wondering also, how he found it. The category was not listed in the drop down for him…(when it was “everyone” can see/reply…)

(Felix Freiberger) #6

This is intended behavior – permissions do not inherit. (I don’t like that – I’d prefer it if the permissions of subcategories were always at least as restrictive as the parent category.)

He could have received a link to the topic, or maybe he has guessed the topic ID?

(Codecademy ) #7

+1 on that! I totally agree.

Yeah, not sure on the second one either…Thanks!

(Joshua Rosenfeld) #8

I would agree, but only if the permissions default to that level. I would want the ability to override the permissions to make them less restrictive if I wanted to.

(Jeff Atwood) #9

There is no inheritance of category permissions in Discourse.