User summary - guessable URL

I’ve just installed a new Discourse and imported a history of interactions from another forum type. I’m executing some tests so that I can better learn about Discourse and so I can ensure it is locked up - the discussions are private.

Okay, I set Login Required and it works. Great.

As admin, I created a new post with an @username referencing my own personal account. An email arrived in my inbox with a copy of the post and a link for the @username. That link opens my Discourse on a URL like https://discourse.mydomain.com/u/username/summary which gives lots of helpful information.

I updated the address in my browser, replacing my username with another member’s username and then was able to see a summary for the second user.

Anyway, this URL can be guessed and my ‘private’ discourse becomes public. I must be missing some other setting that hides my site.

Hi there,
Yes – that is expected behaviour. Users can view other users' profiles. Do you have login required turned on?

Yes, as mentioned in my initial post, login required is enabled. When I go to my Discourse page, the only thing I see there is a welcome message and a login button. I think a public Discourse displays much more, like topics, categories, etc.

Sorry, I missed that.

If you are following a link from a notification email it will automatically log you into the community when you click it, so changing the URL to another user’s profile in the same session will take you to that page because you are already logged in.

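The way to settle "is my private Discourse really private?" is to repeat the test from a client that has no session at all, rather than from a browser tab that may share cookies. The script below is an added example (not code from this thread or from Discourse itself): it requests a user's profile summary with no cookie jar, refuses to follow redirects so the `Location` header is visible, and classifies the answer. The host name and username are placeholders, and the expected anonymous behaviour (a redirect to `/login`, or a 401/403 for a JSON request) is an assumption about Discourse's login-required handling; a 200 carrying a real summary payload is the leak the original poster was worried about.

```python
"""Cookie-less probe: does a Discourse instance with `login required` really
hide user profiles from anonymous visitors?

Added example, not code from the original thread or from Discourse itself.
Assumptions (labelled): the host name and username given on the command line,
and that Discourse answers an anonymous request to /u/<name>/summary.json with
a redirect to /login, a 401/403, or a 200 whose body contains the user summary.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Optional

# Assumption: paths an anonymous visitor is bounced to when login is required.
LOGIN_PATHS = ("/login", "/session/sso_login")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx answers so we can inspect Location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx, handled below


def classify(status: int, location: Optional[str], body: bytes) -> str:
    """Turn one HTTP answer into a verdict: 'enforced', 'leak' or 'unclear'.

    Pure function so it can be exercised offline on constructed responses.
    """
    if status in (401, 403):
        return "enforced"
    if 300 <= status < 400:
        if location and any(p in location for p in LOGIN_PATHS):
            return "enforced"
        return "unclear"  # redirected somewhere other than a login page
    if status == 200:
        try:
            data = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            return "unclear"  # HTML (e.g. a login wall rendered with 200), not data
        # A real summary payload carries the user's summary; a login wall does not.
        if isinstance(data, dict) and ("user_summary" in data or "users" in data):
            return "leak"
        return "unclear"
    return "unclear"


def probe(base_url: str, username: str, timeout: float = 10.0) -> str:
    """Fetch the profile summary with no cookies and classify the answer."""
    url = f"{base_url.rstrip('/')}/u/{username}/summary.json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    # build_opener installs no cookie processor, so no browser session can leak in.
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"), resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.headers.get("Location"), e.read())


if __name__ == "__main__":
    # Usage: python probe.py https://discourse.mydomain.com someuser  (placeholders)
    base, user = sys.argv[1], sys.argv[2]
    verdict = probe(base, user)
    print(f"{base.rstrip('/')}/u/{user}/summary.json -> {verdict}")
    sys.exit(0 if verdict == "enforced" else 1)
```

Run it from a shell, not from a browser: the whole point is that nothing on the machine can hand the request a cookie. An `enforced` verdict means the guessable URL is harmless to outsiders; a `leak` means login required is not doing what you think, and an `unclear` means inspect the raw response by hand before drawing a conclusion.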

Thanks. I’ve confirmed the behaviour you describe. I’m still getting used to how smart Discourse is with those links that get you into the community as conveniently as if you authenticated manually.


All working fine. Just back here to make a note about my experience and the reason for confusion.

I’m using Firefox and I rely extensively on its container mode where my default behaviour is that each tab is isolated from all others. Because cookies are private in this mode, a newly opened tab - such as happens automatically when I click a link from my Thunderbird email - gives me a fresh environment for browsing. I rely heavily on my password manager to avoid going crazy with logins.

What I did not initially notice when clicking the link that Discourse sent to my email was that the Firefox tab that opened was an exception to the rule I described above, i.e. it was not a private tab and it shared the cookies with my most recent Discourse view (probably the youngest tab I was using when I triggered the email notification). So there wasn't any Discourse magic going on; it is just a behaviour in Firefox Containers that I hadn't experienced before.
