Secured category details leaked by email

Private Discourse instance, sending email via mailgun. 2.4b1.

Among various group-secured categories:

  • CategoryA secured by GroupA
  • CategoryB secured by GroupB

There are also two users:

  • User1

    • is a member of GroupA.
  • User2

    • is a member of GroupA and GroupB

Neither user has visited the site in over 24 hours. Both have notifications set for all new posts in the categories they have access to.

A new topic was published, initially into CategoryA. It was quickly recategorized to CategoryB.

Several hours later, upon checking the logs at MailGun, I can see that both User1 and User2 received email notifications of the new topic, but the title of the email tagged said topic as being in CategoryB, of whose existence User2 had no prior knowledge.

email time window mins is set to 5 minutes; the post was recategorized long before that time had passed. The note below that field says: “Wait (n) minutes before sending any notification emails, to give users a chance to edit and finalize their posts.”

It seems like there’s something up with the logic for email notifications: the post was moved seconds after being published, and the emails prove that it was recategorized before they were sent. Email was sent for a category which the user didn’t have knowledge of or access to, and ultimately information was exposed to the wrong party.

Worst case, I would expect the email to attribute the topic to CategoryA, which User1 had access to, although this would still be undesirable if the topic was moved back out of that category before an email could be sent. Ideally this would be evaluated when the email was due to be sent, which would protect against human error and would have resulted in no leakage whatsoever.

3 Likes

Thanks for reporting. It’s fixed in “FIX: Don't send notification email when user isn't allowed to see topic” (discourse/discourse@d513c28 on GitHub) and backported to beta / stable.

11 Likes
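To make the failure mode in the report and the shape of the fix concrete, here is an added Ruby model of a delayed notification mailer. It is not Discourse’s code and does not reproduce commit d513c28; the `NotificationQueue`, `Category`, `Topic` and `User` types, the group-membership check and the scenario data (a topic titled "Quarterly numbers") are all constructed for this example. With `recheck: false` the queue behaves as described in the report: the recipient list is fixed at post time, the subject is rendered at send time, so User1 receives an email naming CategoryB. With `recheck: true` the user’s access to the topic is re-evaluated at send time and the email to User1 is dropped.

```ruby
# Added example (not Discourse code): a delayed notification queue that
# re-checks topic visibility when the email is actually sent.

# Minimal stand-ins for the real models; all constructed for this example.
Category = Struct.new(:name, :allowed_group)
Topic    = Struct.new(:id, :title, :category)
User     = Struct.new(:name, :groups)

class NotificationQueue
  Pending = Struct.new(:user, :topic, :due_at)

  def initialize
    @pending = []
    @sent = []
  end

  # Queued when the post is created. Only the recipient and topic are
  # recorded here; the subject line is rendered later, at send time.
  def enqueue(user, topic, delay_minutes:, now:)
    @pending << Pending.new(user, topic, now + delay_minutes * 60)
  end

  # Authorization check against the topic's *current* category, i.e. the
  # state at send time rather than the state when it was enqueued.
  def can_see?(user, topic)
    user.groups.include?(topic.category.allowed_group)
  end

  # Deliver everything whose delay has elapsed. With recheck: true a
  # recipient who can no longer see the topic is silently skipped.
  def deliver_due(now:, recheck: true)
    due, @pending = @pending.partition { |p| p.due_at <= now }
    due.each do |p|
      next if recheck && !can_see?(p.user, p.topic)
      @sent << { to: p.user.name,
                 subject: "[#{p.topic.category.name}] #{p.topic.title}" }
    end
    @sent
  end
end

# Scenario from the report: topic posted into CategoryA and recategorized
# to CategoryB seconds later, well inside the 5-minute email window.
# Returns the list of emails that were sent. Times are integer seconds.
def simulate(recheck:)
  cat_a = Category.new("CategoryA", "GroupA")
  cat_b = Category.new("CategoryB", "GroupB")
  user1 = User.new("User1", ["GroupA"])
  user2 = User.new("User2", ["GroupA", "GroupB"])
  topic = Topic.new(1, "Quarterly numbers", cat_a) # constructed sample topic

  queue = NotificationQueue.new
  t0 = 0
  # Both users watch CategoryA, so both are queued at post time.
  [user1, user2].each { |u| queue.enqueue(u, topic, delay_minutes: 5, now: t0) }

  # Recategorized in place, as the database row would be.
  topic.category = cat_b

  # The mailer runs once the window has elapsed.
  queue.deliver_due(now: t0 + 5 * 60, recheck: recheck)
end

if __FILE__ == $PROGRAM_NAME
  puts "without recheck: #{simulate(recheck: false).inspect}"
  puts "with recheck:    #{simulate(recheck: true).inspect}"
end
```

The point of the model is that the recipient list and the rendered content are computed at different times; any decision made at enqueue time (who is watching, which category) can be stale by send time, so the access check has to be repeated where the email is actually built and sent.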