Non admin has access to closed category

So I have a closed category for our forum moderators.

A non moderator was able to comment on a thread in our category that’s locked. I looked at the category permissions and confirmed he does not meet any of those, check this users badges, groups and user level - nothing!

I am super confused. I impersonated him and was able to see the closed thread with direct link, see below:

He can’t see the category - that’s not showing up, but I am wondering how he got here?

Thank you.

You can’t see it, but he was able to view and comment!

Seems anyone with the direct link can see it! WITHOUT being logged in!?

Ok – so found the problem.

Maybe this is a bug? That post was under a child category in a private parent category. But when I created the child category within the private parent category, it did not keep the permissions.

I am still wondering also, how he found it. The category was not listed in the drop down for him…(when it was “everyone” can see/reply…)

This is intended behavior – permissions do not inherit. (I don’t like that – I’d prefer it if the permissions of subcategories were always at least as restrictive as the parent category.)

He could have received a link to the topic, or maybe he has guessed the topic ID?

3 Likes

+1 on that! I totally agree.

Yeah, not sure on the second one either…Thanks!

I would agree, but only if the permissions default to that level. I would want the ability to override the permissions to make them less restrictive if I wanted to.

1 Like

There is no inheritance of category permissions in Discourse.

1 Like