Public IP access only to selected category

In our company, Discourse is the major communication tool for intranet communication.
To prevent data leaks, we are hosting Discourse on a private network which is accessible only from intranet networks. There are some cases when we would like to provide public access for users, so they can post technical support questions, upload pictures directly from mobile, check PMs and things like this, but we also want to keep private themes in other categories which should be accessible only from company desktop hosts.
My questions are:

  • Is this realizable by creating a plugin?

  • How hard would it be to write a plugin for firewalling off certain categories? (any suggestion for budget

  • Can this be done at the proxy layer, hacking nginx?

  • Is there any way to have 2x instances of Discourse and one DB, so the public instance can access only the public category, while the private instance can access all categories?

  • Any other approach?

Discourse already has strong access control per-category based on groups.

What would a plugin add? It sounds like you’re reinventing the wheel here.


The plugin will check whether the user is requesting Discourse from the intranet (private) network or from the internet (public) network and allow access to secure categories.

If you created a plugin, you’d have to get the set of categories right. If you just configure Discourse to enforce those permissions, you’d still have to get the categories right. I’d argue that it’d be harder to get it right with a plugin. Discourse already shows a :lock: next to protected categories.

I have another idea for how to do this.
My Discourse is getting users from my .NET app over SSO.
My .NET app is already watching whether a request is public or private.
There are two things that I do not know how to do.
Is there a way for my .NET app to actively change permissions for a user in the SSO payload?
If this could be done, then my site can tell Discourse: this is an unsecure user, let him see only public categories.

Also, is there a way to push Discourse to request the SSO payload more often, or every time the source IP changes on a request, or just to somehow make Discourse log off users more often so they need to talk with the SSO server?

Apologies for spamming, but if I did not ask, I would never have realized the way.
My SSO site can put members in a group and can also remove them from it.

Specifying group membership

You may specify group membership in your SSO payload using the add_groups and remove_groups attributes.

add_groups is a comma delimited list of group names we will ensure the user is a member of.
remove_groups is a comma delimited list of group names we will ensure the user is not a member of.

The only question I do not know the answer to is
how to tell Discourse to send users to log in again.
Are there any settings to change so users are pushed to sign in again?


There are a few options you have, but the simplest would be to log everyone off once after you implement this.
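
The add_groups / remove_groups approach discussed above, sketched for the SSO provider side as an added example (not code from the thread or from Discourse, and in Python rather than the poster's .NET). The secret, the intranet ranges and the group name `intranet_only` are assumptions.

```python
import base64, hashlib, hmac, ipaddress
from urllib.parse import parse_qs, urlencode

# Assumptions, not taken from the thread: shared secret, intranet ranges, group name.
SSO_SECRET = b"constructed-example-secret"
INTRANET_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERNAL_GROUP = "intranet_only"  # hypothetical group that gates the private categories


def sign(payload_b64: str) -> str:
    """Hex HMAC-SHA256 over the base64 payload, as the SSO exchange requires."""
    return hmac.new(SSO_SECRET, payload_b64.encode(), hashlib.sha256).hexdigest()


def is_intranet(client_ip: str) -> bool:
    """client_ip must come from a trusted proxy, never from a client-set header."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable address is treated as public
    return any(addr in net for net in INTRANET_NETS)


def build_sso_response(sso: str, sig: str, client_ip: str, user: dict) -> str:
    """Verify Discourse's request, then return the signed query string for the redirect."""
    if not hmac.compare_digest(sign(sso), sig):
        raise ValueError("bad SSO signature")
    request = parse_qs(base64.b64decode(sso).decode())
    reply = {
        "nonce": request["nonce"][0],  # echoed back so Discourse can match the login
        "external_id": user["id"],
        "email": user["email"],
        "username": user["username"],
    }
    # Fail closed: anything not provably on the intranet loses the group.
    key = "add_groups" if is_intranet(client_ip) else "remove_groups"
    reply[key] = INTERNAL_GROUP
    payload_b64 = base64.b64encode(urlencode(reply).encode()).decode()
    return urlencode({"sso": payload_b64, "sig": sign(payload_b64)})
```

Group membership belongs to the account rather than to a single session, and it only changes when Discourse processes a payload, so the re-login question raised in the thread still has to be solved for this to hold after a user changes network.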