Subcategories do not inherit permissions from parent category


(Christopher Batchelder) #21

A very good point. And good to hear “out loud”. This is the right way for me to be thinking about confidentiality and privacy.


#22

I have used private categories with “less private” subcategories, so that a group can work in their space and publish things to a larger public. I guess this line of work will become obsolete by this change. So I should let users know that when they want to publish something, they need to move it to another, more public category. But then, how do they find their common work on this? I suppose they need to maintain a “publications” topic where they link the ‘more public’ topics. Any thoughts?


(Sam Saffron) #23

I am reviewing FIX: validate parent category/subcategories permissions by majakomel · Pull Request #6877 · discourse/discourse · GitHub by @maja.

The particular condition we are protecting against is:

- category (authors: read)
-    subcategory (pilots: read)

What this means is that pilots are not allowed to see anything in the category yet have been granted permissions in the subcategory so something is fishy :fish:

The condition:

- category (authors: read)
-    subcategory (pilots: read, authors: write)

Is still :ok: after this new validation.

The tricky thing though :llama: is that we no longer will allow:

- category (trust_level_3: read)
-   subcategory (trust_level_4: write)

This particular edge case gives me pause, there is an easy enough work around … you would have to explicitly change

- category (trust_level_3: read, trust_level_4: read)

Given the OP is in a pretty bad state I say we see how the new restriction shakes up. FYI @HAWK @jomaxro