We have successfully been using Discourse as our ticketing system for several months now. All has been going smoothly but I just realized that there is a security issue that I overlooked as it was hidden through obscurity until just now.
Everything has been going fine with the exception that I had to add trust_level_0 to our ticket topic in order for regular users to be able to create topics via e-mail (works fine without it for staged users).
As the forum itself was mostly dead I didn’t notice until just yesterday that when users with trust level 0 log in they can see posts from our support category even though it’s set up as a private topic and supposed to only be visible to admins and our ‘support_staff’ group.
Is there a way to fix this? If not I’ll have to scrap this whole project as we have a lot of personal/sensitive info in the support tickets.
We have “personal messages” but there’s no such concept as a “private topic”.
BTW, how you describe things working is exactly how we use meta itself. Emails to our support address come into personal messages in a group inbox - there’s no leakage to the public.
Issue resolved. We did a PR on my brain and now everything is working.
I misunderstood a setting in the plugin’s settings. Once I was schooled, everything works like it should.