Redirect to protected category after login

I’ve been searching around and have found some related topics, but mostly with regards to SSO, which we don’t have set up.

We have standard Discourse authentication and also authentication via the OAuth2 plugin.
We have a few categories that require the user to be in a specific user group.

If we create a link for an unauthenticated user to the protected category (who is set up in the proper group), they get the normal 404/Oops page. They have to then click out, log in, and then browse their way back to that protected category.

Is there a way to either link to the /login page with a provided redirect url to that hidden category, or change a setting to prompt for login on that protected category?

Thanks in advance …

1 Like

The difficulty is that doing anything else reveals the presence of the secret category.

The traditional advice here is to edit the copy on the 404 page to indicate the user may need to log in to see the content.

3 Likes

Understood – thanks!

This has come up enough that maybe we should consider an optional site setting that relaxes security on the 404 page @eviltrout … so when as an anonymous user you click on

http://discourse.example/com/t/topic-in-secret-category

you get

Sorry, you’ll need to log in to see that topic

versus

Oops! That page doesn’t exist or is private.

(This could be extended to indicate which group people would need access to, for logged in users?)

What do you think Robin?

5 Likes

I think this is a great idea. For many kinds of forums identifying that something is there is not a security hole and would really improve accessibility.

The challenge here is really naming the site setting properly and explaining what it does. I’ve done my best below but would not be against edits.

Here’s a mini spec:

  • Add a new site setting detailed_404, default false. “Provides more details to users about why they can’t access a particular topic. NOTE: This is less secure because users will know if a URL has a valid topic or not.”

  • When enabled, In the topic controller, if the guardian check fails, return a JSON object with details about why it failed.

  • In the front end application use these details to display an appropriate error message:

    • If anonymous: “Sorry, you’ll need to log in to see that topic”

    • If logged in:

      • If the topic is restricted to one group (excluding staff groups): “This topic is restricted to GROUP_NAME.” and include the Request Access button.

      • If the topic is restricted to many groups display a generic message: “You don’t have access to this topic. Please reach out to whomever provided you with the link to request access.”

6 Likes

@udan11 can you add that to your list after your work on the encryption plugin?

3 Likes

I think detailed_404 would maybe be better and more succinct?

3 Likes

Sure I’ve updated the post.

4 Likes