(Firstly I’m sorry for my previous misunderstandings on here.) So I’m helping out with an older forum I used to moderate. PMs have been globally disabled for users (
enable personal messages is turned off) because it’s a site for younger users. But there seems to be two loopholes:
Data export archive from system. A user exports an archive of their posts and invites others to the PM. I’m not sure if this is still possible to do
’Request membership’ button on groups. This was the more recent of loopholes used after groups were set up.
We discovered this from
/u/system/messages as some of the messages had been either initiated by system or closed by system after reaching max replies.
Is there any other way to completely prevent people from misusing these loopholes?
Some suggestions- Maybe the archive export PM could automatically be closed by system? And maybe the request membership option could be disabled when PMs are disabled?
Yeah … if
enable_personal_messages is off we should disable all
invite functionality for all non-staff.
Very interesting people found these abuse vectors.
@techAPJ can you add to your list?
So much this! I’m stunned.
Oh yes, fascinating. Thanks for bringing this to our attention, we will get those loopholes closed straight away.
I am unable to repro this on latest version. As a non-staff user I was not able to invite other users.
Okay so in this case if a group has “Allow users to send membership requests to group owners” enabled in group setting then pressing on + Request button initiates a PM with group owner. No other user can be invited by non-staff user (who requested access).
Just to confirm @sam the group + Request button should be hidden if
enable_personal_messages is disabled (regardless of group “Allow users to send membership requests to group owners” setting enabled)?
Were you TL2, you must be TL2 to earn invite privilege.
Yes, tested on local as TL3 non-staff user.
What version of Discourse are you on @tmoko?
+ Request should still work, but you should not be allowed to invite users to the message.
Okay, that is already the case. Verified as TL3 non-staff user on latest version.
We’re currently on 2.3.0beta5.
Okay I’ve had a closer look and this seems to be the case from the messages (I thought multiple users were in a few but it was discobot). I guess I was super alarmed at first sorry, here’s what I realise after:
the ones inviting other people to the data export seem to have been initiated around 2016-2017, I can’t find any recent ones using this, though people were still able to converse with this (latest post November 2018)
as for initiating messages via the request memberships button, the most recent initiated I’ve come across was started 8 days ago, conversation still continued 4 days ago.
it’s still a concern since two people were still able to have a private conversation using this. If our only option though is to not use groups then that’s okay, I’ll let them know it should be disabled. I didn’t realise this would be a risk if users were allowed to be group owners though (didn’t know request membership created a PM). perhaps I should have been more careful, though extremely frustrating that this was exploited so much.
people are still using these PMs, that’s something for us to address. though it’s difficult to visit PMs from checking
/u/user/messages to close old PMs/check that no one is misusing old PMs.
Thanks for looking into this.
So this is largely because the users in question were group owners?
Yes, in this case. We didn’t know unfortunately. I feel awful seeing people so ashamed about their PMs.
Is it possible for some automatic way (e.g. command line) to close all currently open PMs? If it is, I’ll ask the other staff to contact support since our forum is hosted by discourse.org
We can help you with a data explorer query.
@rishabh can you help?
You will still have to close manually but at least it should be easy to find
Here’s a Data Explorer query that will list all open PMs - sorted by recent activity
Once you run it, you’ll see a list of PMs sorted by
topic.updated_at along with the reply count and the original poster info. You can click on each link and close the PMs manually.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.