When the URL of a topic created as a result of receiving a mail to a group custom email is linked from a private topic (with [comment](url-of-the-message)), all comments from the private topic are mailed to the sender from that point.
Here are the steps to reproduce the problem:
1. Create a private category
2. Create the group foo including user bar
3. Set Custom incoming email address to something@someone.com in the Group settings of the group foo
4. Create a topic in a private category and include a link to the topic created from the mail sent by newemail@some.com (i.e. [comment](url-of-the-message))
5. Check newemail@some.com inbox and see that they received a copy of the private topic message (they did not just receive a notification, they received the actual content of the message of the private topic).
The discourse instance is not very busy and the users who may be impacted by this behavior have been warned. Although it is possible that an upgrade solves this problem, I refrained from upgrading in case I’m asked for details to reproduce this behavior.
It doesn’t seem to be as serious as I thought. I can’t reproduce it with tests-passed and default settings. I’m going to take a closer look tomorrow.
@hellekin On which version of Discourse are you seeing that problem?
Can you tell me a little bit more about your setup? Did you change any settings that might affect how Discourse sends emails like enabling mailing list mode for everyone or any other setting related to notifications and emails? Could the email come from a plugin?
Ah, I see. I really recommend upgrading to the latest stable (2.1.4) – you are missing out on important security fixes and this problem might be fixed too.
While testing the private ticketing system setting, we have found what looks like a bug (unless we have missed a configuration):
1. Set a private Discourse instance with a private group that can receive emails from non-registered users (staged).
2. Send an email as a non-registered user to the group. This will create a message in the group’s inbox.
3. Create a topic in Discourse (where the staged user cannot access), write something very sensitive (e.g. “And here we go again with this guy and his stupid questions”) and add a link to the message in the private group.
Expected: The staged user doesn’t receive anything, because this is a topic to which they have no access.
Actually: The staged user receives an email (I guess because of the URL pointing to the message) with the full content of that comment and even the username of the person who posted it.
I cannot reproduce this when I post in a category that is exclusive to certain members (e.g. the “Staff” category).
But, at least in @icaria36’s case that’s not what happened. The topic was created in the “Site Feedback” category which is visible to everyone. I guess the fact that Discourse sent a notification was unexpected because the forum is configured as login required.
I’m not sure if we should prevent notification emails to staged users when the forum requires a login (and maybe even is invite_only or requires user approval). I’m on the fence here. The notifications certainly make sense when the forum is public.
@dachary and @hellekin: Can you please verify the permissions of the “private category”? I don’t see a way for a staged user to get a notification unless the user has access to the category.
Indeed it looks like it. The test does not check that the user has been participating in the discussion explicitly (either by personal mention or invitation) nor that – which I guess is our case for the leak – the topic under consideration is in a category restricted to a group (i.e. where everyone does not have see permission). So I guess the test should return false if the user is staged but not in current participants list and not in any of the authorized groups. It might be enough to:
return false if is_staged? && category.read_restricted?
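An added example, not Discourse's own code, modelling the guard proposed in this post: a staged user linked from a topic is notified only if they already participate in it or belong to a group allowed on its category, so a read-restricted category never produces a notification for them. The `User`, `Group`, `Category` and `Topic` structs are stand-ins (assumptions), not Discourse's models.

```ruby
require 'set'

# Stand-in models (assumptions; not Discourse's ActiveRecord classes).
Group    = Struct.new(:name, :members)                          # members: Set of usernames
Category = Struct.new(:name, :read_restricted, :allowed_groups) # groups that may see it
User     = Struct.new(:name, :staged)
Topic    = Struct.new(:category, :participants)                 # participants: Set of usernames

# Proposed guard: for a staged user, a link to their message is not enough on
# its own; they must take part in the topic or be in a group that can read the
# category. Non-staged users keep whatever the normal notification rules decide
# (modelled here as "notify").
def notify_on_link?(user, topic)
  return true unless user.staged
  return true unless topic.category.read_restricted
  return true if topic.participants.include?(user.name)
  topic.category.allowed_groups.any? { |g| g.members.include?(user.name) }
end

# Constructed scenario mirroring the report: group foo with member bar, a
# read-restricted category, and a staged sender who is not in any group.
FOO      = Group.new('foo', Set['bar'])
PRIVATE  = Category.new('private', true, [FOO])
FEEDBACK = Category.new('site-feedback', false, [])
STAGED   = User.new('newemail@some.com', true)
BAR      = User.new('bar', false)

# Returns one outcome per case so each branch of the guard is visible.
def scenario
  {
    staged_private:      notify_on_link?(STAGED, Topic.new(PRIVATE, Set[])),
    staged_public:       notify_on_link?(STAGED, Topic.new(FEEDBACK, Set[])),
    staged_participant:  notify_on_link?(STAGED, Topic.new(PRIVATE, Set['newemail@some.com'])),
    member_private:      notify_on_link?(BAR, Topic.new(PRIVATE, Set[])),
  }
end

if __FILE__ == $0
  scenario.each { |name, notified| puts "#{name}: #{notified}" }
end
```

Only `staged_private` comes out false: the leak case from the report is blocked while the public category and genuine participants still notify as before.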
For what it's worth, I have been testing in another category (Site Feedback has fixed permissions). Even when the Discourse site is accessible only to logged in users, the staged user got the unexpected notification with the category open to “everyone” and also to TL0. (are staged users supposed to be equivalent to users registered with TL0?)
The staged user didn’t receive any notification with TL1 or above.
In the case of a private forum… Even if I understand @gerhard’s reasoning, I think we can agree that users of a private forum are going to assume that anything they discuss is private and they are going to be surprised if anything they say ends up in the mailbox of a person who hasn’t registered to the site.
Then again, now that we know how to fix the problem (setting category permissions to TL1 should be enough for us), I don’t have strong opinions about how to solve this problem in general.