Quoting a closed topic prefills category in composer that should be off-limits

bfsrcproduc2763 · March 30, 2023, 6:06pm

Explanation

As a regular on the Hopscotch Forum, I have access to most of the categories of topics, but there are some that I can’t create topics in, such as “Announcements” [as I am not a part of the team]. When quoting a post from a topic that had previously been closed, the quote appears in a new topic draft that is automatically set to the category that the closed topic is in. These two facts combine to give users a loophole, permitting them to create topics in categories they shouldn’t normally be able to create them in by simply deleting the quoted post and treating the empty draft as a normal topic draft.

Demonstration

For example, here is an empty topic draft in the Discourse Meta category announcements, which, like the Hopscotch Forum version, is normally off-limits to me.

Comments

While I personally have never seen this exploited, I believe that it already has been done somewhere out there, and that it could potentially be an issue if it happens frequently enough that the leadership team of a smaller forum is overwhelmed.

How to reproduce

Find a closed topic in a category that is off limits
Quote a random post
When the quote appears in a topic draft, delete it
Treat it as a typical topic draft that is empty

JammyDodger · March 30, 2023, 6:49pm

Hello and welcome @bfsrcproduc2763

I’ve just given this a quick runthrough on my test site and while it prefills the category in the composer, on creating the topic it serves a permission pop-up:

Did you manage to publish a topic on your test run?

bfsrcproduc2763 · March 31, 2023, 4:58pm

I didn’t try. The idea here is that it’s off-limits, so I don’t want to break the rules.

JammyDodger · March 31, 2023, 7:58pm

No worries. I think this is working as expected, though I appreciate the category being prefilled could give the wrong impression.

I’ll slip it over into ux