Whisper posts generate unread badges and show on user profile/topic list (last poster)

Did the following post use the whisper feature?
https://meta.discourse.org/t/how-do-i-stop-human-spammers/33514/11

If so there may be a few unwanted behaviors

1. Topic list says I have an unread post that I can’t see
   
   

   Pasted image862×64 8.26 KB

What I see

Pasted image856×425 28.3 KB

2. Visiting ZogStrip’s profile I see the “supposed” post (fixed)
   

   

   Pasted image847×99 9.84 KB

3. I can see Zogstrip was the last poster on the Topic List (first screenshot) (fixed)

4. Whispers are viewable via expandable Replies button (fixed)

5. Badges granted via a Whisper post give away the existence of a whisper post. (fixed)

Those are definitely bugs (cc @eviltrout)

Just pushed a fix for #2

https://github.com/discourse/discourse/commit/4f7140fb3228ac8177500fd253ce549dbd9dea32

Rest will follow tomorrow

I’ve fixed #3. #1 turns out is SUPER hard. I am thinking about it but it might require a large refactor

https://github.com/discourse/discourse/commit/9f89aefdd3a7ea4053721c32f50d8289fdbbaa25

Just a thought, but how are responses added then deleted before I return handled? As this would seem similar to that for normal users, but not for staff. Not sure if that is helpful or not.

That’s the first thing I thought of too. They have the same problem if they are at the end of a topic. I think we’ll have to circle back and revisit this in our next release.

Yeah, definitely cool with that. By far the bigger items were handled, and that’s appreciated.

Bummer, I thought that may have been solved for that condition (as I hadn’t seen it for a while).

4. Whispers are viewable via expandable Replies button
   User View: (TL1)
   
   

   Pasted image1127×354 17.2 KB

Admin View:

Pasted image1116×720 37.5 KB

Steps to Repro:

1. Reply as a Whisper directed to a post other than the OP.
2. As a normal user, click on the Replies expansion button.
3. See all the secrets that were meant to be hidden.

Admittedly, this one will also be hard to fix (I think)…

5. Badges granted via a Whisper post give away the existence of a whisper post.
   
   

   Pasted image1378×785 54.7 KB

Repro Steps:

1. Login as a Moderator/Admin
2. Perform action to be granted a badge
3. Login as a regular user (TL1)
4. View badges page, see link to whisper post (clicking it doesn’t show it though)

These are great catches, we will get them fixed and backported.

Sure @eviltrout these are good finds.

Just pushed a fix for #5

https://github.com/discourse/discourse/commit/6b07575632618d0d64f2eb034d49a917ba47ac13

We’re also going to mark Whisper as “experimental” for now as it is more complex than originally thought.

That’s fair enough. I’m still going to play with it over the next couple of days to see if anything else comes out of the woodwork (so to speak). I’ll keep updating this topic accordingly should I find anything additional that seems “out of the ordinary or unexpected”

Can we wiki the first post so I can mark the status of each (and others can contribute to it should they find something)?

I just fixed #4, and redid @zogstrip’s fix on badges (badges can no longer be granted for whispers)

I also fixed the upwards expansion which was broken

And marked the feature experimental…

Once this is reviewed I will backport into stable and beta.

https://github.com/discourse/discourse/commit/2422289c8b7e70c74fc4e4c70597f449296be532

I haven’t uncovered any other mechanisms for uncovering/viewing a whisper post from a non-authenticated account. So this may be pretty well covered now. I’ve tried forcing a quoted post to reference a whisper, that didn’t work for non-auth accounts, accessing its raw data, et al.

Just wanted to give an update to the additional tests I attempted.

This is now fixed in latest courtesy of @sam