Pages shown to non-logged in users on private forum

I’ve found that some pages – Privacy and Terms of Service at least – are displayed to anyone hitting the URLs on a private forum, even if those users are not logged in. Any footer being displayed across the site is also displayed on such pages, and on the “no such page exists or may be private” page that can also be reached by non-logged in users. I’m interested in why these situations are not viewed as security lapses? Privacy policies and terms of service (and footer information) can easily contain confidential or proprietary references that should not be available to non-users of the site – that is, users who are not logged in on a site where login is required.

Question for you: without being able to see the privacy policy and terms of service, why would anyone sign up for an account?

1 Like

I’m talking about “closed” communities where there isn’t even a register button on the site. All signups are by invitation or direct admin communications and actions, and those aspects (privacy, TOS, etc.) would be referenced as part of the invitations or other direct communications (and would of course later also be available to reference by logged in users). There is absolutely no reason for persons not in the community and not being invited to the community to have access to any of this material.

For that Discourse would need a ‘third’ security level for users - invited but not members. Without it there’s no way surely to have a “pre-membership but private viewing” of T&C’s and the Privacy Policy. I’m not aware of this feature but perhaps staff can enlighten us.

I don’t believe that’s necessary. The manner in which a site operator chooses to “preview” such items to prospective users need not involve their initially seeing them on the site at all. In fact it is not uncommon for such matters to be part of invitation materials in the first place in some contexts.

The security is surely account based.

If you invite someone, then by definition they don’t yet have an account until they positively respond to your invite and fill in their details and for example, choose their username.

So you can’t use account security to make those pages private.

There should be an admin option that specifies no pages except login (or a bare 404 page as appropriate) are displayed to non-logged in users. This is a basic security policy matter.

You could replace those pages with something like nothing.

1 Like

How would you recommend doing that? Ideally I’d like to return 404 for those pages. Thanks.