Security permissions and messages displayed on group url


(Eric Vantillard) #1

I think it’s a bug.

Scenario

Context

  • We have a group named restauration with users evantill and user2

  • We have a category named restauration with permissions only for users of the restauration group

  • We have another group CE13 with users evantill and user3

  • We have a category named CE13 with permissions only for users of the CE13 group

Usage

When going to the group URL https://discourse.sophiebarat.fr/groups/restauration we will have all messages from any user in this group, including messages from other categories.

In our case, user user2 has no permissions on category CE13 but will see all messages from user evantill, including messages in the CE13 category.

Screenshot


(Kane York) #2

To clarify: Are you logged in as user2 when you took that screenshot?


(Eric Vantillard) #3

Yes, the screenshot is from user2.

Note: In my screenshots user2 is the same as user correspondants_restauration


(cpradio) #4

We don’t seem to have this problem and I couldn’t recreate it on my dev environment. Are you sure your settings are correct on the category?


(Eric Vantillard) #5

Let me double-check and give you some screenshots:

group_restauration_members

group_ce1_3_members

ce1_3_category

restauration_category


(Eric Vantillard) #6

The version of our Discourse is 1.2.0.beta1.


(James Milligan) #7

I couldn’t replicate this, but I might have misinterpreted your scenario.

Restricted category that only a particular group has access to.

Another user who isn’t in that group (and therefore shouldn’t be able to see posts in that category) goes to /groups/groupname and sees posts from the restricted category?

I couldn’t replicate the above, they only see posts they’re supposed to.


(cpradio) #8

Can you verify the post you are pointing out is really in the CE1_3 category?


(Eric Vantillard) #9

#### Categories

  • category1 is restricted to group1
  • category2 is restricted to group2

#### Users

  • user1 is in group group1 and group2
  • user2 is in group group2

#### Post

  • user1 from group1 posts message1 in category1

#### Reading

When user2 goes to the URL of group group2, it will see message message1,
but will receive an access denied when clicking the URL to the message message1.

Hope this clarifies my case.


(cpradio) #10

That will help with testing, that’s for sure :smile: I’ll give it another run down later this week (not sure if I’ll be able to get to it sooner)


(Eric Vantillard) #11

Yes, the post is in the CE1_3 category.


(cpradio) #12

I have a feeling it is related to user1 being in both groups. But I’ll have to run a test to be certain (as if that is the case, this is definitely a bug).


(cpradio) #13

Documenting my steps:

  1. As admin create Groups: Group1 and Group2
  2. As admin create Categories: Group1 and Group2
  3. Assign permissions for Category Group1 as Admin -> All, Group1 -> All
  4. Assign permissions for Category Group2 as Admin -> All, Group2 -> All
  5. Create Account groupuser1
  6. As admin assign groupuser1 to Group1 and Group2
  7. Post a Topic as groupuser1 in Category Group1
  8. Post a Topic as groupuser1 in Category Group2
  9. Create Account groupuser2
  10. As admin assign groupuser2 to Group2
  11. Post a Topic as groupuser2 in Category Group2

Expectations:

  1. As groupuser1, when I navigate to Group1’s page, I should see groupuser1’s topics (from Categories Group1 and Group2), total of 2 topics/posts
  2. As groupuser1, when I navigate to Group2’s page, I should see groupuser1’s (from Categories Group1 and Group2) and groupuser2’s (from category Group2) topics, total of 3 topics/posts
  3. As groupuser2, when I navigate to Group1’s page, I should not see groupuser1’s (from Category Group2) topic, total of 1 topic/post
  4. As groupuser2, when I navigate to Group2’s page, I should see groupuser1’s (from Category Group2) and groupuser2’s (from Category Group2) topics, total of 2 topics/posts

Actual:

  1. True
  2. True
  3. True
  4. True

I definitely can’t reproduce the issue being stated. groupuser2 who does not have access to Category Group1, can’t see any posts/topics in category Group1 on either Group page.

All tests passed with their expected outcomes.

Screenshots (with my latest PR to add the Category to each post):

As groupuser1:

Viewing Group1 page

Viewing Group2 page

As groupuser2:

Viewing Group1 page

Viewing Group2 page


(Eric Vantillard) #14

OK, I have followed your procedure on my instance and I have the same results as yours.

Comparing your scenario with my case I have spotted the difference: my usergroup2 is also a moderator.

I have definitely not understood what the moderator role is.

Considering usergroup2 is a moderator, is this an expected behavior?


(James Milligan) #15

Making the more restricted user a moderator does indeed give the results you mentioned.

I’m not sure what the moderator role is supposed to give access to, but to me it seems at odds given you get an access denied/not found message when going to the restricted category. My feeling is that if you haven’t got permission to see the category, you shouldn’t see posts within it - no matter if you’re a moderator or not.

FWIW my permissions are solely “groupname - All” for my restricted category.


(cpradio) #16

Documenting my steps:

  1. As admin create Groups: Group1 and Group2
  2. As admin create Categories: Group1 and Group2
  3. Assign permissions for Category Group1 as Admin -> All, Group1 -> All
  4. Assign permissions for Category Group2 as Admin -> All, Group2 -> All
  5. Create Account groupuser1
  6. As admin assign groupuser1 to Group1 and Group2
  7. Post a Topic as groupuser1 in Category Group1
  8. Post a Topic as groupuser1 in Category Group2
  9. Create Account groupuser2
  10. As admin assign groupuser2 to Group2
  11. Set groupuser2 as a Moderator - new step
  12. Post a Topic as groupuser2 in Category Group2

Expectations:

  1. As groupuser1, when I navigate to Group1’s page, I should see groupuser1’s topics (from Categories Group1 and Group2), total of 2 topics/posts
  2. As groupuser1, when I navigate to Group2’s page, I should see groupuser1’s (from Categories Group1 and Group2) and groupuser2’s (from category Group2) topics, total of 3 topics/posts
  3. As groupuser2, when I navigate to Group1’s page, I should not see groupuser1’s (from Category Group2) topic, total of 1 topic/post
  4. As groupuser2, when I navigate to Group2’s page, I should see groupuser1’s (from Category Group2) and groupuser2’s (from Category Group2) topics, total of 2 topics/posts

Actual:

  1. True
  2. True
  3. False
  4. False

@zogstrip and @codinghorror, there does indeed seem to be a bug here. When I grant groupuser2 moderator abilities, they can see the posts in the Category Group1. When I click on that post off the Group Pages, I get the following error: “Sorry, you don’t have access to that topic!”

So that leads me to believe, I shouldn’t see it on the Group Post Page Listing.

Well spotted @evantill


(Kane York) #17

So it sounds to me like there’s a check that currently says `staff?` and should be changed to `admin?`.
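To make the failure mode concrete, here is an added example (not Discourse code, and not from anyone in this thread) that models the group-page listing from the documented steps above. It assumes a toy `User`/`Category`/`Post` model and a `group_page_posts` function whose `bypass:` option selects which users skip the category filter: `:staff` reproduces the reported bug (a moderator sees posts from a category they cannot open), `:admin` is the corrected check. All names and data are constructed.

```ruby
# Added example, not Discourse's own code: a minimal model of the
# /groups/<name> post listing, showing why letting `staff?` skip the
# category permission filter over-exposes posts, and how an `admin?`-only
# bypass keeps the listing consistent with topic access.

User = Struct.new(:name, :groups, :admin, :moderator, keyword_init: true) do
  def admin?; admin; end
  def staff?; admin || moderator; end
end

Category = Struct.new(:name, :allowed_groups, keyword_init: true)
Post = Struct.new(:author, :category, :title, keyword_init: true)

# Can `user` read `category`? Admins always can; everyone else needs to be
# in one of the category's allowed groups. This is the same check that
# produces "Sorry, you don't have access to that topic!" on the topic page.
def can_see_category?(user, category)
  return true if user.admin?
  (user.groups & category.allowed_groups).any?
end

# Posts shown on a group's page for `viewer`: posts by members of `group`,
# filtered by category permission. `bypass: :staff` lets moderators skip
# the filter (the bug); `bypass: :admin` only lets admins skip it (the fix).
def group_page_posts(viewer, group, posts, bypass: :admin)
  skip_filter = bypass == :staff ? viewer.staff? : viewer.admin?
  posts.select do |post|
    next false unless post.author.groups.include?(group)
    skip_filter || can_see_category?(viewer, post.category)
  end
end

# Constructed scenario mirroring the documented steps: two groups, two
# matching restricted categories, groupuser1 in both, groupuser2 only in
# Group2 and made a moderator (the trigger found in the thread).
def scenario
  cat1 = Category.new(name: "Group1", allowed_groups: ["Group1"])
  cat2 = Category.new(name: "Group2", allowed_groups: ["Group2"])
  u1 = User.new(name: "groupuser1", groups: %w[Group1 Group2], admin: false, moderator: false)
  u2 = User.new(name: "groupuser2", groups: %w[Group2], admin: false, moderator: true)
  posts = [
    Post.new(author: u1, category: cat1, title: "u1 in cat1"),
    Post.new(author: u1, category: cat2, title: "u1 in cat2"),
    Post.new(author: u2, category: cat2, title: "u2 in cat2"),
  ]
  { u1: u1, u2: u2, cat1: cat1, cat2: cat2, posts: posts }
end

# Titles a given viewer sees on a given group's page under either check.
def listing(viewer_key, group, bypass:)
  s = scenario
  group_page_posts(s[viewer_key], group, s[:posts], bypass: bypass).map(&:title)
end

if __FILE__ == $PROGRAM_NAME
  %i[staff admin].each do |bypass|
    puts "bypass=#{bypass}: groupuser2 on Group1 page -> #{listing(:u2, 'Group1', bypass: bypass).inspect}"
    puts "bypass=#{bypass}: groupuser2 on Group2 page -> #{listing(:u2, 'Group2', bypass: bypass).inspect}"
  end
  s = scenario
  puts "groupuser2 can open a Group1-category topic? #{can_see_category?(s[:u2], s[:cat1])}"
end
```

With `bypass: :staff` groupuser2 sees both of groupuser1's posts on the Group1 page (2 instead of the expected 1) and all three on the Group2 page, yet `can_see_category?` still denies the Group1-category topic itself, which is exactly the listing/topic mismatch reported above; with `bypass: :admin` the listing and the topic check agree.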


(cpradio) #18

I verified that as the case, PR sent.
https://github.com/discourse/discourse/pull/2971


(Dean Taylor) #19

Shouldn’t there be a test for this?


(cpradio) #20

Ideally yes. If I find time, I may try and write one (since one didn’t previously exist).