“user_linked” events are generated within private categories


#1
  1. A user created a post in a category that anyone can see and post in.
  2. I created a post in a private category that only our forum admins can see. In that post I linked to the post by the above user.

Two things happened that I don’t believe should be happening. The user in #1 was emailed the content of my post, and the user was able to reply to the email and have their reply appear in my post.

If a user doesn’t have read access to a category then they shouldn’t be made aware of posts in that category, even when they are mentioned or linked to.


(Jeff Atwood) #2

I am 99% sure this is not possible, unless you got the permissions wrong on your categories.


#3

I’ve impersonated the user to confirm they can only see what they should. They can’t see the post I made, nor can they even see their own reply to it. When I look at the email logs I see one going out with email type user_linked, and then the reply in the received log.


(Jeff Atwood) #4

Can you repro this @jomaxro?


(Stephen) #5

Was the category where the user was mentioned a second-level category (subcategory)? If so, are they secured from seeing both the parent category and that second level category?

Earlier in 2.x we observed something similar when the user doesn’t have rights to the first category but the permissions to the second level category aren’t as restrictive, because permissions aren’t inherited.

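As an added illustration of the guard the two posts above are asking for (it is not Discourse's own code, and `Guardian`, `notifiable_recipients`, the sample users and categories are all constructed for this example): a notifier should run the recipient through the same read-permission check the web UI uses before emailing them that a post linked to or mentioned them, and, because subcategory permissions are not inherited, that check should walk the parent chain explicitly.

```ruby
# Added example, not Discourse's own code: a hypothetical authorization guard
# that a notifier consults before emailing a user that a post linked to or
# mentioned them. Category, User, Post, Guardian and notifiable_recipients are
# all constructed for this illustration.

Category = Struct.new(:name, :parent, :readable_by, keyword_init: true)
User     = Struct.new(:name, :groups, keyword_init: true)
Post     = Struct.new(:id, :author, :category, :body, keyword_init: true)

class Guardian
  def initialize(user)
    @user = user
  end

  # A category is visible when it is open to everyone or the user belongs to
  # one of its allowed groups. Subcategory permissions are not inherited from
  # the parent, so the parent chain is checked explicitly: an open
  # subcategory under a restricted parent stays hidden.
  def can_see_category?(category)
    allowed = category.readable_by.include?(:everyone) ||
              (category.readable_by & @user.groups).any?
    return false unless allowed
    category.parent.nil? || can_see_category?(category.parent)
  end

  def can_see_post?(post)
    can_see_category?(post.category)
  end
end

# Given the post that contains the link and the users it links to or mentions,
# return only those who may be told the post exists. A user who cannot read
# the category gets no "user_linked" email at all, not even the title.
def notifiable_recipients(post, candidates)
  candidates.select { |user| Guardian.new(user).can_see_post?(post) }
end

# Constructed sample data mirroring the report: a regular user, an admin, an
# open category, an admin-only category, and a misconfigured open subcategory.
ALICE = User.new(name: "alice", groups: [:trust_level_1])
ADMIN = User.new(name: "admin", groups: [:admins, :trust_level_4])

GENERAL   = Category.new(name: "General",   parent: nil,   readable_by: [:everyone])
STAFF     = Category.new(name: "Staff",     parent: nil,   readable_by: [:admins])
STAFF_SUB = Category.new(name: "Staff/Sub", parent: STAFF, readable_by: [:everyone])

ALICE_POST = Post.new(id: 1, author: ALICE, category: GENERAL, body: "hello")

def link_to(post)
  "https://forum.example/t/#{post.id}" # placeholder host
end

# Three posts by the admin, each linking alice's public post, in the
# private, public and misconfigured-subcategory cases.
def demo
  private_link = Post.new(id: 2, author: ADMIN, category: STAFF,     body: link_to(ALICE_POST))
  public_link  = Post.new(id: 3, author: ADMIN, category: GENERAL,   body: link_to(ALICE_POST))
  sub_link     = Post.new(id: 4, author: ADMIN, category: STAFF_SUB, body: link_to(ALICE_POST))
  {
    private: notifiable_recipients(private_link, [ALICE, ADMIN]).map(&:name),
    public:  notifiable_recipients(public_link,  [ALICE, ADMIN]).map(&:name),
    sub:     notifiable_recipients(sub_link,     [ALICE, ADMIN]).map(&:name),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Only the admin is notified for the private post and for the open subcategory under the private parent; alice is notified only when the linking post is in a category she can read. The same guard belongs in front of the reply-by-email path, so that an inbound reply is rejected when the sender cannot read the topic it targets.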

#6

Nope, it’s a top level category.


(Jeff Atwood) #7

Another idea: did this user have “mailing list mode” on? Hmm, no, that wouldn’t matter. I am still 99% certain this doesn’t happen, but let’s have @jomaxro test.


(Mittineague) #8

This is most likely unrelated, but IIRC, quite a while ago public topics that linked to a restricted topic exposed the existence of that topic and its title as a link. Following the link to see the topic content was not possible for members without permission.

I guess it is possible emails somehow got missed in the fix, but you are running an up-to-date version of Discourse?

When you say “events”, is this related to the Events plugin?


(Joshua Rosenfeld) #10

Hi @wityr,

I’m attempting to reproduce this, no luck so far. Can you confirm the exact details of what happened please?

The non-admin user:

  • What is their trust level?
  • Are they in any groups?
  • Are they a moderator?
  • What are the complete permissions of the category they posted in?

The admin user:

  • What is their trust level?
  • Are they in any groups?
  • Are they a moderator?
  • What are the complete permissions of the category they posted in?
  • Was the link an inline onebox or a full onebox?


(Stephen) #11

Are you running the latest version of Discourse? @jomaxro is trying to reproduce this, but if you’re on an older version (you’ve not specified any of your config in this topic) it’s a bit of a fool’s errand. Help us out here and elaborate a little on the specifics of your environment.


(Joshua Rosenfeld) #12

Yes, thank you for asking that @stephen, definitely need to make sure your site is up to date.