Topics and replies not attributed to correct user


(Ryan Wanger) #1

Had a few people create users on our Discourse instance and started messing around. Everything worked well. Then we implemented SSO from our site to Discourse, and invited a few test users. A few strange things:

We’re now seeing replies being attributed to the wrong users.

Anyone can edit topics/replies of anyone else.

I only see the original users in the (Admin) User tab. There are at least several new users who have signed up, but I can’t see them. (Though I do see topics/replies of theirs).

Any ideas what might be happening?


(Rafael dos Santos Silva) #2

Are you using the correct email on the SSO payload?

Discourse assumes that email is unique per user.

List your users on the admin panel and check the e-mails.


(Ryan Wanger) #3

Thanks for the reply.

Hm, well…none of the users (except me) have an email set at all. Our controller does this:

secret = "SomeReallySecretSecret"
sso = SingleSignOn.parse(request.query_string, secret)
sso.email = current_user.email
sso.name = current_user.name
sso.username = sso.email
sso.avatar_url = current_user.image
sso.external_id = "someexternalid" # unique to your application
sso.sso_secret = secret

redirect_to sso.to_url("http://discourse.example.com/session/sso_login")

I guess I should take a look to make sure that current_user is being set correctly, but there is a before_filter :authenticate_user! so it forces you to authenticate if you haven’t already.

Edit: current_user is being set correctly.


(Rafael dos Santos Silva) #4

I can be wrong, but to me e-mail isn’t optional.


(Ryan Wanger) #5

Upon further review, users do have emails set, it’s just that they’re not displaying in the Users Admin panel (but if I click into a user and click “show email”, I do see it).

Email is being sent over with the sso payload. The one that was created for my user did work correctly. None of the other users that have signed up with SSO appear in the Users Admin panel. And one of them I was seeing earlier today, and now she doesn’t appear. (She hasn’t messed with her account in any way today).


(Ryan Wanger) #6

While transferring ownership of a reply over to a different user, it changed another reply in the topic to that user as well. This reply that was incorrectly assigned has been acting crazy all along (I received an email saying it was posted by Daniel, but it was actually created by John, and then I later saw it assigned to Annie…and then it was incorrectly re-assigned to me).

Gremlins I tell ya!


(Ryan Wanger) #7

Is it possible that each time someone SSOs in, they’re just taking over the most recent user? That would explain a lot of what is going on.

SSO should create a new user if the email isn’t found, right?


(Rafael dos Santos Silva) #8

Yes.

It creates if done right. Mine does :smile:

My SSO is done in Lua inside an Nginx directive, so I can’t help you. But you should debug your SSO implementation.


(Kane York) #9

This is very wrong… do sso.external_id = current_user.id


(Ryan Wanger) #10

Ahhhh, thanks. I grabbed that code from the internet somewhere…the comment led me to believe that it should be the same for everyone.

Made the change and it works like a charm. Thanks @riking!
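As an added example (not code from this thread, and not Discourse's own SingleSignOn class): a small Ruby model of the SSO exchange, with a stand-in account lookup keyed on external_id, showing why the constant external_id above makes every login land on the same account while a per-user id yields separate accounts. The secret, the e-mail addresses and the `upsert_account` lookup are constructed stand-ins.

```ruby
require "openssl"
require "cgi"

SECRET = "SomeReallySecretSecret" # constructed stand-in, matching the thread's placeholder

# HMAC-SHA256 hex digest over the base64 payload, as Discourse signs and checks it.
def sign(payload, secret = SECRET)
  OpenSSL::HMAC.hexdigest("sha256", secret, payload)
end

# Constant-time string comparison so signature checks don't leak timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Check sig against sso and decode the query-string payload into a hash.
def verify_and_parse(sso, sig, secret = SECRET)
  raise "bad signature" unless secure_equal?(sign(sso, secret), sig)
  CGI.parse(sso.unpack1("m0")).transform_values(&:first)
end

# Build the signed response for one of our users. Discourse keys the account
# on external_id, so it must be unique per user on our side.
def build_response(nonce, user, secret = SECRET)
  fields = { "nonce" => nonce, "external_id" => user[:external_id],
             "email" => user[:email], "username" => user[:username] }
  query = fields.map { |k, v| "#{k}=#{CGI.escape(v.to_s)}" }.join("&")
  sso = [query].pack("m0")
  { "sso" => sso, "sig" => sign(sso, secret) }
end

# Hypothetical stand-in for Discourse's user lookup: find the account with this
# external_id and update it, or create a new one if none exists.
def upsert_account(accounts, response, secret = SECRET)
  f = verify_and_parse(response["sso"], response["sig"], secret)
  acct = accounts[f["external_id"]] ||= {}
  acct.merge!(email: f["email"], username: f["username"])
  accounts
end

# Log each user in once and return the resulting accounts, keyed by external_id.
def accounts_after_logins(users)
  users.each_with_object({}) { |u, accts| upsert_account(accts, build_response("nonce1", u)) }
end
```

With two users sharing `"someexternalid"`, the second login overwrites the first account's e-mail and username, which is the takeover behaviour described in the thread; giving each user its own id produces two accounts.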