User can move a Topic outside of a Restricted Category

So this is a bit of an edge case, but we’ve confirmed it is possible and it may be related to

Steps to Reproduce

  1. As a regular user (non-TL3) create a topic in Category A – where you have permission (leave this window/tab open and untouched)
  2. As staff or TL 3, move topic to a category that the regular user does not have access to (perform this step in a new browser)
  3. As the regular user click the Edit Pencil on the topic title and change the category to Category B (another category you have access to)

Expected:
User gets an error because the topic is currently in a category they do not have access to

Actual:
User can move the topic to a new category even though it is in a category they currently do not have access to.

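To make the authorization gap in the steps above concrete, here is an added example that is not Discourse's own code and not from this thread. It models the recategorize decision with hypothetical names (`can_see?`, `can_recategorize_vulnerable?`, `can_recategorize_hardened?`) and constructed categories and users: the vulnerable check only validates the destination category, trusting the stale edit form the user still has open, while the hardened check also requires the user to be able to see the topic's current category.

```ruby
# Added example, not Discourse's own code. All names and data are constructed.
Category = Struct.new(:name, :allowed_groups) # allowed_groups nil => public
User     = Struct.new(:name, :groups, :staff)
Topic    = Struct.new(:title, :category)

# Hypothetical visibility rule: staff see everything; a public category is
# visible to all; a restricted category only to members of an allowed group.
def can_see?(user, category)
  return true if user.staff
  return true if category.allowed_groups.nil?
  (category.allowed_groups & user.groups).any?
end

# Vulnerable check: only the destination is validated. The topic's current
# category is taken on trust from a form the user rendered hours ago.
def can_recategorize_vulnerable?(user, _topic, new_category)
  can_see?(user, new_category)
end

# Hardened check: the user must be able to see where the topic is *now* as
# well as where it is going, so a stale form cannot pull a topic out of a
# restricted category.
def can_recategorize_hardened?(user, topic, new_category)
  can_see?(user, topic.category) && can_see?(user, new_category)
end

# Replays the three repro steps from the report on constructed data and
# returns what each check would decide at step 3.
def run_scenario
  category_a = Category.new("Category A", nil)
  category_b = Category.new("Category B", nil)
  restricted = Category.new("Staff Only", ["staff"])

  member    = User.new("member", ["trust_level_1"], false)
  moderator = User.new("moderator", ["staff"], true)

  # Step 1: the regular user creates the topic in Category A.
  topic = Topic.new("Possible security issue", category_a)

  # Step 2: staff move it into the restricted category (allowed either way).
  topic.category = restricted if can_recategorize_hardened?(moderator, topic, restricted)

  # Step 3: the regular user submits the stale edit form, targeting Category B.
  {
    topic_now_in: topic.category.name,
    vulnerable:   can_recategorize_vulnerable?(member, topic, category_b),
    hardened:     can_recategorize_hardened?(member, topic, category_b)
  }
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario
end
```

The practical takeaway is that any edit endpoint must re-derive the object's current state server side and authorize against it, rather than against whatever the client last saw; a form that was valid when rendered is not evidence that the action is still permitted when submitted.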

[quote=“cpradio, post:1, topic:25682”]
As the regular user click the Edit Pencil on the topic title and change the category to Category B (another category you have access to)
[/quote]

There appears to be no time limit on this; it is certainly possible to do it several hours after the topic was moved to a private category. The only restriction seems to be that the browser window is kept open and not refreshed.

Which means there really is no restriction at all except on the destination.

Thanks for the detailed repro, but isn’t this a bit of an extreme edge case? It requires the user to keep the topic open indefinitely in a browser tab, and for it to get re-categorized to a category they do not have access to.

Fixed in PR:

https://github.com/discourse/discourse/pull/3239/


I did say it was an edge case… However, edge cases are bugs too. :smile:

I wasn’t expecting a fast fix, just wanted to bring it to the attention of the devs. (I appreciate the quick work @riking, I can only hope to understand the core as well as you and the other devs do at some point… I just wish I had more reasons to be in Ruby than what I have right now – as surely that would help!)


Yep, but not outwith the realms of possibility.

e.g. New member discovers potential security risk in Discourse, posts in Support and keeps the browser open to watch for replies, in case more information is requested.

Moderator moves the post to a private area, to avoid publicising the security hole. Private discussion ensues on the topic.

The new member is not notified of the move, because it goes to a restricted category, and (of course) does not see the posts. After a couple of hours, they start to worry that an important issue is being overlooked, and decide they should have posted it in Bugs to perhaps get more urgent attention. They change the category and the entire private discussion is now public.

Seems to me a believable scenario - so thanks to @riking for the quick fix. :slight_smile:


Or they just close their laptop, which goes to sleep, and open it again after waking up to check on the topic… Really, having the browser open on the same page for a long time afterwards doesn’t sound like a highly unlikely scenario to me nowadays…

Anyway, @riking’s quick fixing deserves a thanks!
