Staged users getting user_linked emails

I noticed that staged users are being sent user_linked email notifications. In my use case, I’m using the mailing list mode to archive emails to external parties. When someone links to a mail/post by an external (staged) user from another topic, this staged user will receive an email notification including the text of the post! This is obviously not what I want, and could even be harmful!

The following message suggests that this is a bug:

If this is not a bug, is there any way to disable this behavior?

2 Likes

Hmm. Can we repro this @tshenry?

1 Like

It appears to be possible to prevent these emails being sent by setting Send me an email when someone quotes me, replies to my post, mentions my @username, or invites me to a topic to never on the staged users’ preferences page.

Perhaps Discourse could set this to never for all new staged user accounts? Or at least make this configurable.

Note that this is a private forum that requires login and the categories aren’t private since there’s no need for that. From Private category comments exposed via email - #13 by gerhard

I’m not sure if we should prevent notifications emails to staged users when the forum requires a login (and maybe even is invite_only or requires user approval). I’m on the fence here. The notifications certainly make sense when the forum is public.

Still, for the private forum use case, it would be very useful being able to disable this behavior.

Alternatively, I can alter the permissions for all categories to require trust level 1 to address this issue. But then a padlock appears next to all category names. Perhaps that can be hidden somehow?

Yes, you can hide the lock using CSS:

.d-icon-lock {
    display: none;
}
4 Likes

Since my forum has a fixed set of users, I’m considering disabling the notification emails for all newly created user accounts (including staged user accounts). I see that when I set the default email level setting to never, I can choose to only have this affect new users, so email notification settings for existing users aren’t affected.

See also: Discourse disable emails when someone replies etc

Here’s a basic repro:

  1. Site is login required, categories are not private
  2. Send PM to an email that is not associated with an account yet to create a staged user
  3. Have that staged user reply to the PM by email
  4. Quote the staged user’s emailed PM reply in a separate topic on the forum
  5. Link to the staged user’s emailed PM reply in a separate topic on the forum
  6. No user_linked email notifications were sent to the staged user There was a delay, but the staged user did end up receiving notification emails for both.

Thoughts @codinghorror?

3 Likes

Definite bug. Can we schedule a fix tomorrow and backport unless it’s super hard @eviltrout? I don’t think staged users should get this at all.

3 Likes

The scenario you describe is different from the one I had, but the issue might have the same root cause:

  1. Site is login required, categories are not private
  2. Set a custom incoming email address for category A and accept emails from anonymous users with no accounts (additionally, I also set Category mirrors a mailing list)
  3. An email is sent to that email address by person X that doesn’t have an account
    • a staged user is created
    • a new topic is created in category A
  4. Registered user Y creates a new topic in category B linking to the topic in category A
  5. Person X receives a user_linked email notification

I understand that this is the desired behavior for a public Discourse (not requiring login). However, for a private Discourse, this is likely to be harmful. Perhaps make this behavior depend on the login required setting?

Thank you for looking into this!

1 Like

Fixed via:

https://github.com/discourse/discourse/commit/04b431b6a449648bb665ec50c6fab0abdd2fb521

and backported to stable: https://github.com/discourse/discourse/commit/6b20d5233868478baca32dc2f6048f2ceba7cb49

6 Likes

Thank you for this report @brechtm – it is now fixed. Sorry about that.

4 Likes

I verified on my end and the issue seems to be resolved indeed. Thanks! No need to be sorry :slight_smile:

5 Likes