Private category comments exposed via email

Hi,

Discourse version: v2.1.0.beta3 +21

When the URL of a topic created as a result of receiving a mail to a group custom email is linked from a private topic (with [comment](url-of-the-message) ) , all comments from the private topic are mailed to the sender from that point.

Here are the steps to reproduce the problem:

  • Create a private category
  • Create the group foo including user bar
  • Set Custom incoming email address to something@someone.com in the Group settings of the group foo
  • From an email (newemail@some.com) that is not already registered in discourse, send a mail to something@someone.com
  • Login as user bar
  • Create a topic in a private category and include a link to the topic created from the mail sent by newemail@some.com (i.e. [comment](url-of-the-message))
  • Check newemail@some.com inbox and see that they received a copy of the private topic message (they did not just receive a notification, they received the actual content of the message of the private topic).

The discourse instance is not very busy and the users who may be impacted by this behavior have been warned. Although it is possible that an upgrade solves this problem, I refrained from upgrading in case I’m asked for details to reproduce this behavior.

3 Likes

So, you’re saying a staged user received a notification of one of their mail they sent to a group was linked in a category they don’t have access?

1 Like

I’m saying a staged user received, via email, the content of the private comment in which the topic created from their email was linked.

1 Like

@gerhard Can you have a look?

3 Likes

Linking to PM breaches privacy? is related (to the same issue @dachary reported) so the topics can be merged, or mine removed.

It doesn’t seem to be as serious as I thought. I can’t reproduce it with tests-passed and default settings. I’m going to take a closer look tomorrow.

@hellekin On which version of Discourse are you seeing that problem?

Can you tell me a little bit more about your setup? Did you change any settings that might affect how Discourse sends emails like enabling mailing list mode for everyone or any other setting related to notifications and emails? Could the email come from a plugin?

1 Like

It’s 2.1.0.beta3. (ping @dachary)

Only email_in and reply_by_email are set. Notification and Contact email are the same.

No I don’t think so. Only 4 plugins: docker, chat integration, locations and events.

Ah, I see. I really recommend upgrading to the latest stable (2.1.4) – you are missing out on important security fixes and this problem might be fixed too.

10 Likes

After an upgrade to [v2.2.0.beta5 +117] I am still able to reproduce the problem, following the steps described in the topic.

1 Like

While testing the private ticketing system setting, we have found what looks like a bug (unless we have missed a configuration):

  1. Set a private Discourse instance with a private group that can receive emails from non-registered users (staged).
  2. Send an email as a non-registered user to the group. This will create a message in the group’s inbox.
  3. Create a topic in Discourse (where the staged user cannot access), write something very sensitive (e.g. “And here we go again with this guy and his stupid questions”) :slight_smile: and add a link to the message in the private group.

Expected: The staged user doesn’t receive anything, because this is a topic to which they have no access to.

Actually: The staged user receives an email (I guess because of the URL pointing to the message) with the full content of that comment and even the username of the person ho posted it.

In a real scenario this can go really wrong.

4 Likes

I wasn’t able to reproduce this problem the last time I tried. I’ll give it another try.

Can you tell me a little bit more about your Discourse instance?

  • What version are you using?
  • Which plugins have you installed?
  • Which type of email does the staged user receive? You should see that in /admin/email/sent
3 Likes

I cannot reproduce this when I post in a category that is exclusive to certain members (e.g. the “Staff” category).

But, at least in @icaria36’s case that’s not what happened. The topic was created in the “Site Feedback” category which is visible to everyone. I guess the fact that Discourse sent a notification was unexpected because the forum is configured as login required.

I’m not sure if we should prevent notifications emails to staged users when the forum requires a login (and maybe even is invite_only or requires user approval). I’m on the fence here. The notifications certainly make sense when the forum is public.

@dachary and @hellekin: Can you please verify the permissions of the “private category”? I don’t see a way for a staged user to get a notification unless the user has access to the category.

4 Likes

Looking at the Settings of the private category I see the following is checked:

Accept emails from anonymous users with no accounts

could this be interpreted as an implicit permission to also read the content of the category?

3 Likes

I wanted to say no, but after checking the code, it looks like that’s what’s happening.

https://github.com/discourse/discourse/blob/1f12a377fabace8aafc780dc9b6818f1e017b64f/lib/guardian/category_guardian.rb#L51-L51

That might be an unintentional side effect of this very old commit. :man_shrugging:
https://github.com/discourse/discourse/commit/415efd0f5b92f73a44cc994d80581ea6f7d5b0bd

To me it feels like a bug. At least it’s a very unexpected behavior.

4 Likes

Indeed it looks like it. The test does not check that the user has been participating in the discussion explicitly (either by personal mention or invitation) nor that – which I guess is our case for the leak – the topic under consideration is in a category restricted to a group (i.e. where everyone does not have see permission). So I guess the test should return false if the user is staged but not in current participants list and not in any of the authorized groups. It might be enough to:

return false if is_staged? && category.read_restricted?
1 Like

For what is worth, I have been testing in another category (Site Feedback has fixed permissions). Even when the Discourse site is accessible only to logged in users, the staged user got the unexpected notification with the category open to “everyone” and also to TL0. (are staged users supposed to be equivalent to users registered with TL0?)

The staged user didn’t receive any notification with TL1 or above.

In the case of a private forum… Even if I understand @gerhard’s reasoning, I think we can agree that users of a private forum are going to assume that anything they discuss is private and they are going to be surprised if anything they say ends up in the mailbox of a person who hasn’t registered to the site.

Then again, now that we know how to fix the problem (setting category permissions to TL1 should be enough for us), I don’t have strong opinions about how to solve this problem in general.

1 Like

Should be fixed on latest. Please flag to reopen if you can still reproduce the issue.

6 Likes