Quoting a closed topic prefills category in composer that should be off-limits

Explanation

As a regular on the Hopscotch Forum, I have access to most of the categories of topics, but there are some that I can’t create topics in, such as “Announcements” [as I am not a part of the team]. When quoting a post from a topic that had previously been closed, the quote appears in a new topic draft that is automatically set to the category that the closed topic is in. These two facts combine to give users a loophole, permitting them to create topics in categories they shouldn’t normally be able to create them in by simply deleting the quoted post and treating the empty draft as a normal topic draft.

Demonstration

For example, here is an empty topic draft in the Discourse Meta category announcements, which, like the Hopscotch Forum version, is normally off-limits to me.

Comments

While I personally have never seen this exploited, I believe that it already has been done somewhere out there, and that it could potentially be an issue if it happens frequently enough that the leadership team of a smaller forum is overwhelmed.

How to reproduce

  1. Find a closed topic in a category that is off-limits
  2. Quote a random post
  3. When the quote appears in a topic draft, delete it
  4. Treat it as a typical topic draft that is empty

Hello and welcome @bfsrcproduc2763 :slight_smile:

I’ve just given this a quick runthrough on my test site and while it prefills the category in the composer, on creating the topic it serves a permission pop-up:

Did you manage to publish a topic on your test run?

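The behaviour described in the reproduction steps of the first post and in the reply above (the composer prefills the category from the quoted topic, the server refuses the topic on submit) modelled as an added example. This is not Discourse's code: the category, group and user names and every function name are invented for illustration, and the "checked" composer variant is one possible UX fix, not something the thread says Discourse implements.

```ruby
# Added illustration, not Discourse source. Models the report:
#  - a client-side composer that copies the quoted topic's category into
#    the draft, regardless of whether the user may post there;
#  - a server-side create_topic that is the only place authorization happens.
# All names here (categories, groups, users, functions) are invented.

Category = Struct.new(:name, :create_groups)  # groups allowed to create topics
User     = Struct.new(:name, :groups)
Topic    = Struct.new(:title, :category, :closed)

class PermissionError < StandardError; end

# Server-side guard: the decision the composer's prefill cannot bypass.
def can_create_topic?(user, category)
  (user.groups & category.create_groups).any?
end

# Client-side composer, as reported: quoting a post from `topic` prefills
# the draft with that topic's category, closed or not, permitted or not.
def composer_draft_from_quote(topic, quoted_text)
  { category: topic.category, body: "[quote]#{quoted_text}[/quote]" }
end

# Steps 3 and 4 of the report: delete the quote, keep the empty draft.
def clear_quote(draft)
  draft.merge(body: "")
end

# Server endpoint: the prefilled category is just a request parameter here
# and is re-checked against the user's groups before anything is created.
def create_topic(user, draft, title)
  category = draft[:category]
  unless can_create_topic?(user, category)
    raise PermissionError, "You are not permitted to create topics in #{category.name}"
  end
  Topic.new(title, category, false)
end

# A possible UX fix (invented here): only keep the quoted topic's category
# when the user can actually create topics there, otherwise fall back.
def composer_draft_from_quote_checked(user, topic, quoted_text, fallback_category)
  draft = composer_draft_from_quote(topic, quoted_text)
  can_create_topic?(user, topic.category) ? draft : draft.merge(category: fallback_category)
end

# Constructed sample data (hypothetical forum layout).
ANNOUNCEMENTS = Category.new("announcements", ["staff"])
GENERAL       = Category.new("general", ["trust_level_0", "staff"])
REGULAR       = User.new("regular", ["trust_level_0", "trust_level_3"])
STAFF         = User.new("admin", ["staff"])
CLOSED_ANN    = Topic.new("Forum maintenance", ANNOUNCEMENTS, true)

# Walks the reported loophole end to end and returns what the server says.
def reproduce_report(user = REGULAR)
  draft = clear_quote(composer_draft_from_quote(CLOSED_ANN, "quoted text"))
  begin
    create_topic(user, draft, "Sneaky topic")
    :created
  rescue PermissionError => e
    e.message
  end
end

if __FILE__ == $0
  puts reproduce_report          # regular user: permission error, no topic
  puts reproduce_report(STAFF)   # staff: :created, as they are allowed anyway
  puts composer_draft_from_quote_checked(REGULAR, CLOSED_ANN, "q", GENERAL)[:category].name
end
```

The point the example makes is the one the reply makes: the prefilled category is client state, and a user who cannot create topics in that category is still stopped at create_topic. The checked composer variant shows where a UX fix would sit if the prefill is considered misleading.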

I didn’t try. The idea here is that it’s off-limits, so I don’t want to break the rules.


No worries. :slight_smile: I think this is working as expected, though I appreciate the category being prefilled could give the wrong impression.

I’ll slip it over into ux :+1:


I wanted to report the same issue today. It’s quite confusing that a category is pre-selected that the user is prohibited from posting in. The error message does not give you any hint as to why there is an error, so you need to have knowledge of the categories and their permissions to know why posting the topic failed.
It would be more user-friendly if the error message could prompt you to select a different category, or if the category were not pre-filled when the user is not allowed to post there.