Uppercase letters in username break reachable mention check in composer

thoka · April 22, 2026, 7:47pm

While investigating Private Topics Plugin - #109 by thoka I stumbled upon the fact, that a mention for a user in a restricted category is not reported, when the username contains uppercase letters.

If I mention @SomeUser, the editor requests
/composer/mentions.json?names[]=SomeUser&topic_id=10728
in the result the username is returned in lowercase, without user_reasons set.

A query for the username in lowercase letters returns "user_reasons": {"someuser":"category"}.

If I use lowercase letters for the usernames in the composer, warnings for people with not sufficient rights will be shown.

If one use the autocompletion provided by the editor, the typed lowercase usernames will be replaced by uppercase names and therefore not reported.

RGJ · April 22, 2026, 9:26pm

Nice find @thoka !

The problem is here

github.com/discourse/discourse

app/controllers/composer_controller.rb

main


      
              if !params[:allowed_names].is_a?(Array)
                raise Discourse::InvalidParameters.new(:allowed_names)
              end
              (params[:allowed_names] + [current_user.username]).map(&:downcase)
            else
              []
            end
          
          user_reasons = {}
          group_reasons = {}
          @names.each do |name|
            if user = users[name]
              reason = user_reason(user)
              user_reasons[name] = reason if reason.present?
            elsif group = groups[name]
              reason = group_reason(group)
              group_reasons[name] = reason if reason.present?
            end
          end
          
          if @topic && @names.include?(SiteSetting.here_mention.downcase) && guardian.can_mention_here?

users returns {"username_lower" => User object }

However if name is not downcased, users[name] does not exist.

Fix:

if user = users[name.downcase]
...
elsif group = groups[name.downcase]
...

Or better: downcase all names at the start of the method because there are a lot of issues in there, groups nicely does .where("lower(name) IN (?)", @names.map(&:downcase)) but functions like visible_group_ids_for_allowed_check, topic_allowed_group_ids, mentionable_group_ids and members_visible_group_ids all do where(name: @names) which introduces case sensitivity issues as well.

zogstrip · April 23, 2026, 8:34am

The correct fix is

https://github.com/discourse/discourse/pull/37177

but it’s too big a change than I’m confortable merging at this point

Instead, I’m going to fix each “endpoints” one by one to make it simpler to review and less risky.

Here’s first step

https://github.com/discourse/discourse/pull/39482

Ethsim2 · May 13, 2026, 3:03pm

Since rebuilding discourse for the 188 commits from 645cb014c0 to 102c93e2ea, i’ve noticed what appears to be a regression in the markdown composer.

The warning appears to be misleading in this case, but it appears each time i try to prompt my custom agent @Forum_Research_Assis

I am able to consistantly re-produce this as per the video re-production,

I believe this same commit is missing logic to bypass when the user is mentioning an AI Agent.

Happy to start another pull request when you’re ready, though i already have an open one on my only GitHub account.

zogstrip · May 13, 2026, 4:25pm

Looks like my “fix” revealed this issue for AI Agents

github.com/discourse/discourse

FIX: Suppress composer mention warning for AI bot users (#39986)

main ← fix-composer-mention-warning-ai-bots

opened 04:24PM - 13 May 26 UTC

ZogStriP

+85 -1

Mentioning an AI bot (e.g. `@Forum_Research_Assis`) in a topic the bot's User re…cord can't see — like a category restricted to a group the bot isn't part of — surfaced the "this user cannot see this mention" warning popup in the composer. The warning is misleading: AI bots reply via `PostCreator.create!(... skip_guardian: true)` (`playground.rb`), so they respond regardless of whether their User can `Guardian#can_see?` the topic. The previous case-insensitive fix (9a4cca29) exposed this latent behavior. Pre-fix, mixed-case names hit a case-sensitive hash miss in `ComposerController#mentions` and silently returned an empty `user_reasons`. Post-fix, the lookup hits correctly and the reachability check — which was always there — now fires for AI bot users that genuinely can't see the topic. Adds a `:composer_mention_user_reason` plugin modifier, applied after the standard reason is computed in `user_reason`, so plugins can clear or transform it. The AI plugin registers against the modifier and returns `nil` for any user in `DiscourseAi::AiBot::EntryPoint.all_bot_ids` (covering both AI agent users and chat-bot-enabled LLM model users). discobot and the system user are intentionally unaffected: discobot's `PostCreator.create!` does not skip the guardian, so the reachability warning remains accurate for it. https://meta.discourse.org/t/401292

Topic		Replies	Views
Rich editor misses usernames with umlauts Bug composer	4	218	August 1, 2025
Preview is changing casing of @ mentions Bug	2	894	June 15, 2015
Discobot case-sensitive mentions Bug	3	615	May 7, 2019
Unicode username with Σ as the final char leads to an error loading profile page Bug	36	2346	February 23, 2021
Highlighting current user and bots in posts UX feedback , design-experiment	3	161	March 19, 2026

Uppercase letters in username break reachable mention check in composer

Related topics