Whisper posts generate unread badges and show on user profile/topic list (last poster)

Did the following post use the whisper feature?
https://meta.discourse.org/t/how-do-i-stop-human-spammers/33514/11

If so there may be a few unwanted behaviors

  1. Topic list says I have an unread post that I can’t see

What I see

  1. Visiting ZogStrip’s profile I see the “supposed” post (fixed)

  2. I can see Zogstrip was the last poster on the Topic List (first screenshot) (fixed)

  3. Whispers are viewable via expandable Replies button (fixed)

  4. Badges granted via a Whisper post give away the existence of a whisper post. (fixed)

10 Likes

Those are definitely bugs (cc @eviltrout)

Just pushed a fix for #2

https://github.com/discourse/discourse/commit/4f7140fb3228ac8177500fd253ce549dbd9dea32

Rest will follow tomorrow :wink:

7 Likes

I’ve fixed #3. #1 turns out is SUPER hard. I am thinking about it but it might require a large refactor :frowning:

https://github.com/discourse/discourse/commit/9f89aefdd3a7ea4053721c32f50d8289fdbbaa25

4 Likes

Just a thought, but how are responses added then deleted before I return handled? As this would seem similar to that for normal users, but not for staff. Not sure if that is helpful or not.

That’s the first thing I thought of too. They have the same problem if they are at the end of a topic. I think we’ll have to circle back and revisit this in our next release.

Yeah, definitely cool with that. By far the bigger items were handled, and that’s appreciated.

Bummer, I thought that may have been solved for that condition (as I hadn’t seen it for a while).

2 Likes
  1. Whispers are viewable via expandable Replies button
    User View: (TL1)

Admin View:

Steps to Repro:

  1. Reply as a Whisper directed to a post other than the OP.
  2. As a normal user, click on the Replies expansion button.
  3. See all the secrets that were meant to be hidden.
7 Likes

Admittedly, this one will also be hard to fix (I think)…

  1. Badges granted via a Whisper post give away the existence of a whisper post.

Repro Steps:

  1. Login as a Moderator/Admin
  2. Perform action to be granted a badge
  3. Login as a regular user (TL1)
  4. View badges page, see link to whisper post (clicking it doesn’t show it though)
7 Likes

These are great catches, we will get them fixed and backported.

4 Likes

Sure @eviltrout these are good finds.

Just pushed a fix for #5 :fried_shrimp:

https://github.com/discourse/discourse/commit/6b07575632618d0d64f2eb034d49a917ba47ac13

3 Likes

We’re also going to mark Whisper as “experimental” for now as it is more complex than originally thought.

4 Likes

That’s fair enough. I’m still going to play with it over the next couple of days to see if anything else comes out of the woodwork (so to speak). I’ll keep updating this topic accordingly should I find anything additional that seems “out of the ordinary or unexpected”

Can we wiki the first post so I can mark the status of each (and others can contribute to it should they find something)?

1 Like

I just fixed #4, and redid @zogstrip’s fix on badges (badges can no longer be granted for whispers)

I also fixed the upwards expansion which was broken

And marked the feature experimental…

Once this is reviewed I will backport into stable and beta.

https://github.com/discourse/discourse/commit/2422289c8b7e70c74fc4e4c70597f449296be532

6 Likes

I haven’t uncovered any other mechanisms for uncovering/viewing a whisper post from a non-authenticated account. So this may be pretty well covered now. I’ve tried forcing a quoted post to reference a whisper, that didn’t work for non-auth accounts, accessing its raw data, et al.

Just wanted to give an update to the additional tests I attempted.

3 Likes

This is now fixed in latest courtesy of @sam

2 Likes