Silenced user can circumvent it entering anonymous mode

ValdikSS · August 4, 2024, 1:08pm

When the user is silenced, entering anonymous mode allows to post without restrictions.
Discourse 3.3.0.beta6

ValdikSS · August 4, 2024, 1:10pm

Suspending the account which already entered anonymous mode also won’t suspend (or log out) anonymous account.

NateDhaliwal · August 4, 2024, 1:10pm

What TL is the silenced user?

ValdikSS · August 4, 2024, 1:11pm

Just tested on TL=1 test user.

NateDhaliwal · August 4, 2024, 1:11pm

What is the value for the anonymous posting allowed groups setting?

ValdikSS · August 4, 2024, 1:13pm

TL=0, everybody.

NateDhaliwal · August 4, 2024, 1:14pm

Wow, I’m surprised people won’t abuse it.

Anyway, perhaps try limiting it to a specific group which has everyone? Then remove users if you don’t want them to go anonymous mode?
Or, limit it to TL1, and demote this user to TL0?

ValdikSS · August 4, 2024, 1:15pm

Sure, I can solve the issue. I’m reporting the bug in the engine.

NateDhaliwal · August 4, 2024, 1:16pm

I see. I was just providing a workaround.

Jagster · August 4, 2024, 1:26pm

Easier? long term solution would be disabling anonymous mode from silenced users

pangbo · August 5, 2024, 1:02am

I think this issue could be fixed by adding
return if user.silenced? || user.suspended?
to

github.com

discourse/discourse/blob/2b577950af5b24ed0d32eecc4ab6475619998fba/app/services/anonymous_shadow_creator.rb#L25


      
            @user = user
          end
          
          def get_master
            return unless user
            return unless SiteSetting.allow_anonymous_posting
          
            user.master_user
          end
          
          def get
            return unless user
            return unless SiteSetting.allow_anonymous_posting
            return if !user.in_any_groups?(SiteSetting.anonymous_posting_allowed_groups_map)
            return if SiteSetting.must_approve_users? && !user.approved?
          
            shadow = user.shadow_user
          
            if shadow && (shadow.post_count + shadow.topic_count) > 0 && shadow.last_posted_at &&
                 shadow.last_posted_at < SiteSetting.anonymous_account_duration_minutes.minutes.ago
              shadow = nil

and

github.com

discourse/discourse/blob/2b577950af5b24ed0d32eecc4ab6475619998fba/app/serializers/current_user_serializer.rb#L148-L151


      
          def can_post_anonymously
            SiteSetting.allow_anonymous_posting &&
              (is_anonymous || object.in_any_groups?(SiteSetting.anonymous_posting_allowed_groups_map))
          end

By the way, I am curious as to why the permission check for can_post_anonymously is not implemented within the Guardian module.

Topic		Replies	Views
How to enable anonymous posting on hosted site? Support	2	765	June 4, 2020
Anonymous mode not working Bug anonymous-mode	7	708	August 9, 2020
Anonymous reply Support	2	453	June 28, 2022
Post without signup? Feature	14	5084	April 27, 2020
How does anonymous posting work? Support	12	2201	January 15, 2020

Silenced user can circumvent it entering anonymous mode

Related topics