Subcategory does not inherit security settings

Hi 🙂

I created a category and on the Security tab changed permissions from everyone to our internal group.

Later I created a subcategory inside. I did not change its security settings, i.e. it remains “accessible” by everyone; but of course they can't visit it because its parent category is not listed on the front page of the forum, as I thought.

Also I created topics inside this subcategory. I assumed that they would be inaccessible to others. And at first sight it was so. But later my test account received a digest email message with those private topics inside. I was shocked. Currently the forum is under construction, so nothing bad actually happened…

I investigated this and found out the following:

  1. Subcategory does not inherit security settings of its parent. At least a checkbox Inherit should exist, checked by default.
  2. So topics from such “not closed, not open” subcategories are accessible:
     • in the latest topics list
     • by direct link
     • in email digest

Example screenshot of latest topics: [image: latest-topics-security]

That’s right. Security settings are not inherited by subcategories. You’ll need to adjust those permissions to match the parent if that’s what you want.

4 Likes

Yep, this is by design, and there are many topics on the matter:
https://meta.discourse.org/search?q=category%20inherit&expanded=true

There is some discussion around adding some additional validation ensuring the child category meets the same security permissions as the parent, though, at “Shouldn't a category be the mother of all subcategories?”

3 Likes

I believe it is counterintuitive. If you are disabling access to a book, you are disabling all pages, not just the cover.

Maybe it should be something like this?

  • On subcategory creation: copy security settings of the parent.
  • On changing parent permissions: ask admin if he wants to recursively iterate over all children and update them.
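
Since subcategory permissions have to be matched to the parent by hand, an audit for subcategories that are visible to groups the parent does not admit is one way to catch the situation in this thread. The following is an added example, not part of the original posts and not Discourse's own code; the record layout (`parent_id`, `see_groups`) and the sample categories are assumptions constructed for illustration.

```python
# Added example: audit a category tree for subcategories that are visible to
# groups the parent category does not admit. The record layout is an
# assumption made for this sketch, not Discourse's API schema.
EVERYONE = "everyone"

# Constructed sample data mirroring the thread: a parent restricted to an
# internal group and a subcategory left at the default "everyone".
SAMPLE_CATEGORIES = [
    {"id": 1, "name": "Internal", "parent_id": None, "see_groups": {"staff_internal"}},
    {"id": 2, "name": "Internal / Plans", "parent_id": 1, "see_groups": {"everyone"}},
    {"id": 3, "name": "Internal / HR", "parent_id": 1, "see_groups": {"staff_internal"}},
    {"id": 4, "name": "Public", "parent_id": None, "see_groups": {"everyone"}},
    {"id": 5, "name": "Public / Help", "parent_id": 4, "see_groups": {"everyone", "moderators"}},
    {"id": 6, "name": "Internal / Vendors", "parent_id": 1, "see_groups": {"staff_internal", "vendors"}},
]


def extra_groups(child_groups, parent_groups):
    """Groups that can see the child but are not admitted by the parent."""
    if EVERYONE in parent_groups:
        return set()  # parent is public, so the child cannot be broader
    return set(child_groups) - set(parent_groups)


def find_exposed_subcategories(categories):
    """Return (child name, parent name, sorted extra groups) per mismatch."""
    by_id = {c["id"]: c for c in categories}
    findings = []
    for cat in categories:
        parent = by_id.get(cat["parent_id"])
        if parent is None:
            continue  # top-level category, or parent missing from the export
        extra = extra_groups(cat["see_groups"], parent["see_groups"])
        if extra:
            findings.append((cat["name"], parent["name"], sorted(extra)))
    return findings


if __name__ == "__main__":
    for child, parent, groups in find_exposed_subcategories(SAMPLE_CATEGORIES):
        print(f"{child}: visible to {groups}, but parent {parent!r} is not")
```

The comparison is by group name only, so a finding such as `vendors` means "review this", since the audit cannot tell whether that group's members are already covered by the parent's groups.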