Silenced user can circumvent it entering anonymous mode

ValdikSS · August 4, 2024, 1:08pm

When the user is silenced, entering anonymous mode allows to post without restrictions.
Discourse 3.3.0.beta6

ValdikSS · August 4, 2024, 1:10pm

Suspending the account which already entered anonymous mode also won’t suspend (or log out) anonymous account.

NateDhaliwal · August 4, 2024, 1:10pm

What TL is the silenced user?

ValdikSS · August 4, 2024, 1:11pm

Just tested on TL=1 test user.

NateDhaliwal · August 4, 2024, 1:11pm

What is the value for the anonymous posting allowed groups setting?

ValdikSS · August 4, 2024, 1:13pm

TL=0, everybody.

NateDhaliwal · August 4, 2024, 1:14pm

Wow, I’m surprised people won’t abuse it.

Anyway, perhaps try limiting it to a specific group which has everyone? Then remove users if you don’t want them to go anonymous mode?
Or, limit it to TL1, and demote this user to TL0?

ValdikSS · August 4, 2024, 1:15pm

Sure, I can solve the issue. I’m reporting the bug in the engine.

NateDhaliwal · August 4, 2024, 1:16pm

I see. I was just providing a workaround.

Jagster · August 4, 2024, 1:26pm

Easier? long term solution would be disabling anonymous mode from silenced users

pangbo · August 5, 2024, 1:02am

I think this issue could be fixed by adding
return if user.silenced? || user.suspended?
to

github.com

discourse/discourse/blob/2b577950af5b24ed0d32eecc4ab6475619998fba/app/services/anonymous_shadow_creator.rb#L25


      
            @user = user
          end
          
          def get_master
            return unless user
            return unless SiteSetting.allow_anonymous_posting
          
            user.master_user
          end
          
          def get
            return unless user
            return unless SiteSetting.allow_anonymous_posting
            return if !user.in_any_groups?(SiteSetting.anonymous_posting_allowed_groups_map)
            return if SiteSetting.must_approve_users? && !user.approved?
          
            shadow = user.shadow_user
          
            if shadow && (shadow.post_count + shadow.topic_count) > 0 && shadow.last_posted_at &&
                 shadow.last_posted_at < SiteSetting.anonymous_account_duration_minutes.minutes.ago
              shadow = nil

and

github.com

discourse/discourse/blob/2b577950af5b24ed0d32eecc4ab6475619998fba/app/serializers/current_user_serializer.rb#L148-L151


      
          def can_post_anonymously
            SiteSetting.allow_anonymous_posting &&
              (is_anonymous || object.in_any_groups?(SiteSetting.anonymous_posting_allowed_groups_map))
          end

By the way, I am curious as to why the permission check for can_post_anonymously is not implemented within the Guardian module.

jrgong · February 7, 2025, 2:43pm

We are experiencing same issue on 3.4.0beta3. Can anyone confirm that it was fixed in 3.4.0beta4?

Jonathan5 · March 26, 2025, 11:24pm

I can confirm that it’s not fixed in 3.5.0.beta2-dev.

Jonathan5 · March 29, 2025, 11:14am

Ideally a user in Anonymous Mode would be subject to all the same restrictions as he would be without being in Anonymous Mode.

sam · March 31, 2025, 5:52am

I think it is fair, @hugh should we put a pr-welcome on this?

hugh · March 31, 2025, 6:07am

Sounds good - tag added!

Also looping @osama in here as he very recently did some work on anonymous mode, so he might have some more immediate insight into this.

Topic		Replies	Views
Anonymous posting not available even when enabled Support anonymous-mode	7	2621	June 23, 2020
Enable and configure anonymous mode Site Management how-to , anonymous-mode	0	7385	June 23, 2020
Anonymous posting -- but retaining original user permissions Feature anonymous-mode	11	1770	December 2, 2021
Anonymous mode not working Bug anonymous-mode	7	709	August 9, 2020
How does anonymous posting work? Support	12	2234	January 15, 2020

Silenced user can circumvent it entering anonymous mode

Related topics