[quote=“cpradio, post:1, topic:25682”]
As the regular user click the Edit Pencil on the topic title and change the category to Category B (another category you have access to)
[/quote]There appears to be no time limit on this; it is certainly possible to do it several hours after the topic was moved to a private category. The only restriction seems to be that the browser window is kept open and not refreshed.
Thanks for the detailed repro but isn’t this a bit of an extreme edge case? It requires the user to keep the topic open indefinitely in a browser tab, and for it to get re categorized to a category they do not have access to.
I did say it was an edge case… However, edge cases are bugs too.
I wasn’t expecting a fast fix, just wanted to bring it to the attention of the devs. (I appreciate the quick work @riking, I can only hope to understand the core as well as you and the other devs do at some point… I just wish I had more reasons to be in Ruby than what I have right now – as surely that would help!)
e.g. New member discovers potential security risk in Discourse, posts in Support and keeps the browser open to watch for replies, in case more information is requested.
Moderator moves the post to a private area, to avoid publicising the security hole. Private discussion ensues on the topic.
The new member is not notified of the move, because it goes to a restricted category, and (of course) does not see the posts. After a couple of hours, they start to worry that an important issue is being overlooked, and decide they should have posted it in Bugs to perhaps get more urgent attention. They change the category and the entire private discussion is now public.
Seems to me a believable scenario - so thanks to @riking for the quick fix.
or just closes their laptop, which goes to sleep and opens it again after waking up, checking on the topic … Really, having the browser open on the same page for a long-time after doesn’t sound like a highly unlikely scenario to me nowadays …