Subcategory does not inherit security settings

I created a category and on the Security tab changed permissions from everyone to our internal group.

Later I created a subcategory inside. I did not change its security settings, i.e. it remains “accessible” by everyone; but of course they can’t visit it because its parent category is not listed on the front page of the forum, as I thought.

Also I created topics inside this subcategory. I assumed that they would be inaccessible to others. And at first sight it was so. But later my test account received a digest email message with those private topics inside. I was shocked. Currently the forum is under construction so nothing bad actually happened…

I investigated this and found out the following:

  1. Subcategory does not inherit security settings of its parent. At least a checkbox Inherit should exist, checked by default.
  2. So topics from such “not closed, not open” subcategories are accessible:
     • in the latest topics list
     • by direct link
     • in email digest

Example screenshot of latest topics:

That’s right. Security settings are not inherited by subcategories. You’ll need to adjust those permissions to match the parent if that’s what you want.


Yep, this is by design, and there are many topics on the matter.

There is some discussion around adding some additional validation ensuring the child category meets the same security permissions as the parent, though, at “Shouldn't a category be the mother of all subcategories?”


I believe it is counterintuitive. If you are disabling access to a book, you are disabling all pages, not just the cover.

Maybe it should be something like this?

  • On subcategory creation: copy security settings of the parent.
  • On changing parent permissions: ask the admin if he wants to recursively iterate over all children and update them.
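
An audit for the gap discussed in this thread, added here as an example that is not part of any post and is not Discourse code: it flags subcategories readable by a group that cannot read the parent, then applies the "copy the parent's settings" idea proposed above. The category data is constructed and the field names (`parent_id`, `read_groups`) are assumptions, not Discourse's schema.

```python
# Added example: find subcategories whose read access is broader than the parent's.
# Data below is constructed; field names are assumptions, not Discourse's schema.
EVERYONE = "everyone"

CATEGORIES = [
    {"id": 1, "name": "Internal", "parent_id": None, "read_groups": {"internal"}},
    {"id": 2, "name": "Internal/Projects", "parent_id": 1, "read_groups": {"everyone"}},
    {"id": 3, "name": "Internal/HR", "parent_id": 1, "read_groups": {"internal"}},
    {"id": 4, "name": "Public", "parent_id": None, "read_groups": {"everyone"}},
    {"id": 5, "name": "Public/Help", "parent_id": 4, "read_groups": {"everyone"}},
    {"id": 6, "name": "Internal/Contractors", "parent_id": 1,
     "read_groups": {"internal", "contractors"}},
]


def find_overexposed(categories):
    """Return (id, name, extra_groups) for each subcategory that is readable
    by a group which cannot read its parent category."""
    by_id = {c["id"]: c for c in categories}
    findings = []
    for cat in categories:
        parent = by_id.get(cat["parent_id"])
        if parent is None or EVERYONE in parent["read_groups"]:
            continue  # top-level category, or the parent is already public
        if EVERYONE in cat["read_groups"]:
            extra = {EVERYONE}  # "everyone" covers all groups; report it alone
        else:
            extra = cat["read_groups"] - parent["read_groups"]
        if extra:
            findings.append((cat["id"], cat["name"], sorted(extra)))
    return findings


def copy_parent_permissions(categories):
    """Return a new list where each flagged subcategory takes its parent's
    read groups; the input list is left unchanged."""
    by_id = {c["id"]: c for c in categories}
    flagged = {cid for cid, _, _ in find_overexposed(categories)}
    fixed = []
    for c in categories:
        new = dict(c)
        if c["id"] in flagged:
            new["read_groups"] = set(by_id[c["parent_id"]]["read_groups"])
        fixed.append(new)
    return fixed


if __name__ == "__main__":
    for cid, name, extra in find_overexposed(CATEGORIES):
        print(f"category {cid} ({name}): readable by {extra}, parent is not")
```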