Users can request to post in locked categories if they meet the spam threshold

The min first post typing time setting will automatically send a post to the approval queue if it was made too quickly. This even happens if the user does not have permission to post on a thread / in a category. For instance, given:

  • There is a category “Announcements” that I don’t have access to create posts or new topics in
  • I quote an existing reply to get the “Continuing the discussion from…” post editor
  • I post more quickly than the min first post typing time setting

that post will be submitted to the approval queue:

This is dangerous because a mod might not notice the category, maybe the post is fine somehow (e.g. pasted in from notepad, which caused post timing to be < threshold), and when they approve it, a topic has been created in a category no one aside from admins can create new topics in (e.g. announcements).

Expected behavior is that the user is given the no access warning that they are if they spent > threshold typing the post, rather than the post going to the approval queue.

6 Likes

Hmm yeah we should fix this @sam. Probably easy? Just check permissions before submission?

I actually did have this happen to me once on Boing Boing, I accidentally approved a post in the wrong category.

3 Likes

Agree, the permission check should happen for new topics.

We have this logic here:

https://github.com/discourse/discourse/blob/48501b0d45f3144fc7063e16f508e29b22ef6ee0/lib/new_post_manager.rb#L113-L122

But it only checks permission to post in a topic. For new topics we should also check permission to post in a category.

@vinothkannans can you add a permission check there and a test?

4 Likes
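The ordering problem described in the opening post and in the post above, as an added standalone Ruby sketch that is not Discourse's own NewPostManager code; the Category, User, NewPostManager and outcome names are illustrative stand-ins, and the group and category values are constructed for the example.

```ruby
# Standalone sketch of the permission-before-queue ordering (not Discourse code).
# Category, User and NewPostManager here are illustrative stand-ins.

# Who may create topics: groups that post freely, groups that need approval.
Category = Struct.new(:name, :free_groups, :approval_groups) do
  # :allow  -> may create topics directly
  # :review -> may create topics, but they land in the approval queue
  # :deny   -> no posting access at all in this category
  def topic_access(user)
    return :allow  if user.admin || (user.groups & free_groups).any?
    return :review if (user.groups & approval_groups).any?
    :deny
  end
end

User = Struct.new(:name, :groups, :admin)

class NewPostManager
  MIN_FIRST_POST_TYPING_MS = 3000 # the "min first post typing time" setting

  # fixed: false reproduces the reported bug; true applies the category check
  # before the typing-time check.
  def initialize(user, category, typing_ms, fixed:)
    @user, @category, @typing_ms, @fixed = user, category, typing_ms, fixed
  end

  # Returns :forbidden, :enqueued (approval queue) or :created.
  def perform
    access = @category.topic_access(@user)
    # Fix: a user with no access never reaches the queue, however fast they typed.
    return :forbidden if @fixed && access == :deny
    # Bug: the typing-time check came first, so a too-fast post from a user
    # with no access in the category was queued for a moderator instead.
    return :enqueued if @typing_ms < MIN_FIRST_POST_TYPING_MS
    return :enqueued if access == :review
    return :forbidden if access == :deny
    :created
  end
end

def outcome(user, category, typing_ms, fixed:)
  NewPostManager.new(user, category, typing_ms, fixed: fixed).perform
end

# Constructed sample data: staff post freely, "trusted" needs approval, others have no access.
ANNOUNCEMENTS = Category.new("Announcements", ["staff"], ["trusted"])
VISITOR = User.new("visitor", ["tl1"], false)
TRUSTED = User.new("trusted", ["trusted"], false)
STAFF   = User.new("staff", ["staff"], false)
```

With `fixed: false`, a 500 ms post from VISITOR is enqueued (the bug); with `fixed: true` it is forbidden, while TRUSTED still reaches the approval queue and STAFF still creates the topic directly.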

It’s fixed as per the below commit

https://github.com/discourse/discourse/commit/515e103db624cec01f6d15e9fda74e165d4f855d

5 Likes

Sorry @vinothkannans I had to revert this, @zogstrip had a test to confirm this is allowed with no error per:

https://github.com/discourse/discourse/blob/7d52f5869db77cf752da9d8e40fd070569db939b/spec/components/email/receiver_spec.rb#L827-L828

Since we have a commit to fix this now, I’m going to leave it to @zogstrip to decide what to do.

  • Option 1, no change needed

  • Option 2, add a param for new post manager so it knows this came in from incoming mail processor and add a bypass

  • Option 3, breaking change

The use case that is being captured here is:

  • Do we allow people to define a category where certain groups of users can create topics freely and other groups require approval?

My guess is that we want to keep the use case so I am not sure what to do.

2 Likes

So WRT the use case, we definitely would love to have some groups of users freely create topics but others require approval. However, outside of those two, we want users who are prevented from posting entirely in that category – they can’t even request a post to be approved.

This issue is primarily concerning the last group. We have users who have no posting permissions whatsoever for that category who are able to sneak into the approval queue by quoting posts. Sure, we want the group that is allowed to post in the category through approval to be able to go into the approval queue, but not users who have no posting access at all for that category.

It’s actually better to generate an error rather than ignoring the email.

https://github.com/discourse/discourse/commit/6b51d84dc5e053d2a0992fdf52b057f29c87e7d9

4 Likes
