Here are the steps that happened in sequence that led me to discover this issue:
- A user in a group forwarded an email to a private category (whose access is controlled by that group) from someone who is not on our Discourse.
- Because I have the “forwarded emails behaviour” setting set to “create replies”, a new topic was created automatically with an OP by a new staged user (also created automatically) and a response post by the group member, both from the single email that the member sent.
- The above steps are as expected, but this step is not: the staged user was sent a “user_replied” type email automatically with the contents of the reply post on the topic! This results in a leak of information.
The staged user is not a member of the group and hence should not be sent emails from anything in the private category (even though they are the owner of the topic/OP).