Users can edit flagged topic title when they should not be able to

Tris20 · February 10, 2022, 4:07pm

1. Topic is reported

A topic is reported as “something else”, which here we have renamed as "this topic contains something it shouldn’t.

2. Moderator hides the post

3. Post is hidden

Post is hidden and cannot be edited – the timeout was set to 525600minutes

Which is fine, unless they edit the title:

confidentiality_bug

IAmGav · February 10, 2022, 4:18pm

this is not a bug. it was designed to be like that.

If you read the description of the hide post, you will see that a msg is sent to the user to edit the post.

The mod should either Agree > Keep Post or Delete Post

JammyDodger · February 10, 2022, 4:21pm

I can replicate this.

Editing the title of a hidden OP circumvents the 10 minute edit cool down period.

TL0 test user creates topic that’s inappropriate
The OP is flagged, and then hidden by moderator
TL0 test user can immediately edit title and unhide post (and then edit the post content as well)

Tris20 · February 10, 2022, 4:22pm

Hmm, my discription could have been better. Yes, it is designed such that they can edit the post, but the ability to edit is locked behind a cooldown timer.

In 3 we can see that this works, the post is locked and cannot be edited because the timer has not expired. However, the user can get around the timer if they edit the title. That’s the bug.

I should mention this is with a TL1 user

IAmGav · February 10, 2022, 4:27pm

you want to block the post for an year before they can edit it ? makes no sense.

just delete the post

Tris20 · February 10, 2022, 4:30pm

It’s a work around. We want the user to see the topic so they can retrieve the good contents from it and create a new one. After they are done with it we can delete the topic.

The problem is that if we let them edit the topic:

It will be reposted
The Confidential information will be visible in the Version History

IAmGav · February 10, 2022, 4:41pm

Seems like this line overrides the hidden & cooldown check

github.com

discourse/discourse/blob/c4843fc1c18fc9fb077d61e59615f54c4735bb42/lib/guardian/post_guardian.rb#L167

      
        
            
            
if is_my_own?(post)
            
            
  return false if @user.silenced?
            
            
  if post.hidden?
                return false if post.hidden_at.present? &&
                                post.hidden_at >= SiteSetting.cooldown_minutes_after_hiding_posts.minutes.ago
            
            
    # If it's your own post and it's hidden, you can still edit it
                return true
              end
            
            
  if post.is_first_post? && post.topic.category_allows_unlimited_owner_edits_on_first_post?
                return true
              end
            
            
  return !post.edit_time_limit_expired?(@user)
            end
            
            
if post.is_category_description?

codinghorror · February 11, 2022, 7:22pm

We have a repro, can this be assigned @sam?

Topic		Replies	Views
User able to edit title of locked post (still/again possible) Feature	10	906	September 23, 2020
Prevent content hidden by flags from being viewed Feature	12	2220	January 7, 2016
Revision history for flagged post isn't comparing the correct revisions Bug	9	665	January 27, 2020
Watching / Tracking / Notifications for post edits for Moderators Feature	21	4061	February 3, 2020
User able to edit title of locked post Support	6	892	June 18, 2019

Users can edit flagged topic title when they should not be able to

1. Topic is reported

2. Moderator hides the post

3. Post is hidden

Related topics