Topics are public in categories with restricted access


(Brad Dixon) #1

Hi! I run a branded Discourse community where users have to go through our SSO to create an account and none of the content within the community should be public. We’re looking at making some of the content public so I went into the settings to see the options, but noticed what seems to be a pretty big bug.

In settings, I turned on anonymous access by unchecking this box:

We have all of our content organized in categories and all categories have a security setting of trust_level_0 or stricter. None of it is visible to “everyone” so just by allowing anonymous access, anonymous users still shouldn’t be able to view anything. That seems correct when I go and have things sorted by categories, but not when sorted by latest or top.

Here’s what the homepage looks like now for anonymous users when sorted by category:

And here’s the view now for anonymous users when sorted by latest:

Why is this happening? Shouldn’t the topics still be blocked for anonymous users since they’re sorted into categories that aren’t visible? If not…what’s the point of security settings if everyone can read everything anyways?

I’ve turned off anonymous viewing now until I can get this sorted cause I want to make sure nothing is visible that’s not supposed to be but would love to figure this out.


(Michael Brown) #2

It looks as though all of the topics that are visible have no category applied and are thus “Uncategorized”.

Since you cannot apply permissions on “Uncategorized” you can’t restrict those, however you can force topics to have a category by unchecking this:



(Brad Dixon) #3

Yeah that’s not right though. That first topic, “Looking for Tips/Feedback on How to Improave a New Instrumental I Made” is in a category. Here’s the image from the topic:

So it belongs in the subcategory “Student Work” from the “music” category, same thing with these other topics:

So something else seems to be wrong here then cause they have categories and are still showing up on this latest as if they don’t have categories.


(Michael Brown) #4

You’re right, that isn’t right.

Do you mind if we disable “Login Required” to look at things?


(Brad Dixon) #6

Yeah go ahead! Let me know if I need to do anything.


(Michael Brown) #7

This behaviour is actually known - subcategories do not inherit the permissions of their parent category; they are completely independent:


More information about this is here:

The correct thing to do is edit the subcategory and replicate the permissions that you want - I’ve done that for you on the Music/student-work category and have confirmed that an anonymous user no longer sees it when viewing Latest and cannot access the topic.

New permissions:

To make your life a bit easier, note that you only need add trust_level_0 since all trust levels include the permissions of lower trust levels (really it’s correct to say that if a user is a member of trust_level_4 he is also a member of trust_level_3 and below). Also, admins bypass permissions so they will always be able to Create/Reply/See.

Hope that clears everything up for you!
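
Added example, not part of the original thread and not Discourse's own code: an audit over a category list that flags subcategories visible to an audience that cannot see the parent, using the rules from the post above (each category is evaluated on its own groups, and higher trust levels are members of lower trust-level groups). The field names `parent_id` and `see`, the persona labels, and the sample categories are constructed assumptions; admin bypass is not modelled.

```python
TRUST_LEVELS = [f"trust_level_{n}" for n in range(5)]
PERSONAS = ["anonymous", *TRUST_LEVELS]

def memberships(persona):
    """Groups a persona belongs to: anonymous users are only in 'everyone';
    a trust_level_N user is also a member of every lower trust-level group."""
    if persona == "anonymous":
        return {"everyone"}
    n = TRUST_LEVELS.index(persona)
    return {"everyone", *TRUST_LEVELS[: n + 1]}

def can_see(category, persona):
    # Evaluated against this category's own groups only: a subcategory
    # does not inherit anything from its parent.
    return bool(memberships(persona) & set(category["see"]))

def audit(categories):
    """Return {subcategory name: [personas that see it but not its parent]}."""
    by_id = {c["id"]: c for c in categories}
    findings = {}
    for cat in categories:
        parent = by_id.get(cat.get("parent_id"))
        if parent is None:
            continue  # top-level category, nothing to compare against
        leaked = [p for p in PERSONAS
                  if can_see(cat, p) and not can_see(parent, p)]
        if leaked:
            findings[cat["name"]] = leaked
    return findings

# Constructed sample data. An untouched subcategory is modelled as
# See = "everyone", matching what the thread observed on Latest.
CATEGORIES = [
    {"id": 1, "name": "music", "parent_id": None, "see": ["trust_level_0"]},
    {"id": 2, "name": "music/student-work", "parent_id": 1, "see": ["everyone"]},
    {"id": 3, "name": "music/theory", "parent_id": 1, "see": ["trust_level_0"]},
    {"id": 4, "name": "staff-lounge", "parent_id": None, "see": ["trust_level_3"]},
    {"id": 5, "name": "staff-lounge/notes", "parent_id": 4, "see": ["trust_level_1"]},
]

if __name__ == "__main__":
    for name, personas in audit(CATEGORIES).items():
        print(f"{name}: visible to {', '.join(personas)}, parent is not")
```

Running the audit before enabling anonymous access shows which subcategories still need the parent's permissions replicated onto them.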


(Brad Dixon) #8

Awesome thank you! It looks like it’s all sorted now. I appreciate your help!