Opened 6 years ago

Closed 5 years ago

#1814 closed bug (fixed)

Non-members can post group messages.

Reported by: beatnickgr Owned by: shevek
Priority: major Milestone: 2.3
Component: BW Group Keywords: group post
Cc: beatnickgr, shevek

Description (last modified by sitatara)

Non-members can post group messages, this happens both in

public groups

moderated groups

Only members should be able to post messages.

Related ticket: #1605

Change History (16)

comment:1 Changed 6 years ago by jsfan

  • Priority changed from major to minor

Please do only assign "major" to bugs that are likely to impact on a majority of members. If in doubt, default to lower priority and leave the decision to the developers.

comment:2 Changed 6 years ago by shevek

I'd say this affects a majority of users as most groups members probably have notifications enabled. So they get a lot of unrequested mails.

comment:3 Changed 6 years ago by jsfan

There are 3 cases.

  1. Public group: Anyone can join and post once they have joined, so no big deal that they could also post without joining. They could always join, post and leave.
  2. Private group: It might be possible to post but the link will never be displayed. Thus it is unlikely to become a problem.
  3. Invite only group: A member could post even if the group moderators were unwilling to accept a join request.

I think the last case that is a real problem. However, you would then still only want to post if the group does not default to "group only" where you couldn't even see your own post. This leaves us with a rather small percentage of groups affected, so I don't think the reach of this bug is significant in comparison with other bugs that are marked major.

comment:4 Changed 6 years ago by shevek

Ad 1. Public Groups: We should tell the user that he/she can't post to this group as she/he isn't a member. I'd use the fact that it would be easy enough to join as a reasoning to disallow posting.

Ad 2. I don't understand that. So a post would just end up in the database but wouldn't show up in the group topics list? Well then we should block it to save space in the database :-)

Ad 3. Isn't a invite only groupü private by definition? So the same as for 2 should apply, shouldn't it?

comment:5 Changed 6 years ago by beatnickgr

  • Description modified (diff)
  • Priority changed from minor to major

Shevek, there is no email notification if a non-member posts.

Currently, in Public and Moderated groups, non-members have "New topic" and "Would you like to comment?" buttons available. In the volunteer chat we discussed that this is a bug, these buttons should be available to members only. Fixing this will also fix other problems as no notifications and spamming (spammers do not need to join and therefore cannot be banned).

I'm setting it back to major, as it's affecting the big majority of groups (public and moderated), only privates are unaffected.

examples of a non-member post in an open group and in a moderated group

Last edited 6 years ago by beatnickgr (previous) (diff)

comment:6 Changed 6 years ago by beatnickgr

  • Cc beatnickgr added

comment:7 Changed 6 years ago by sitatara

  • Description modified (diff)

comment:8 Changed 6 years ago by Tsjoek

  • Cc shevek added
  • Owner set to Tsjoek
  • Status changed from new to assigned

comment:9 Changed 6 years ago by Tsjoek

  • Owner changed from Tsjoek to shevek

on special request

comment:10 Changed 6 years ago by shevek

  • Milestone changed from unassigned to 2.1

comment:11 Changed 5 years ago by shevek

  • Milestone changed from 2.1 to 2.2

comment:12 Changed 5 years ago by shevek

  • Milestone changed from 2.2 to 2.3

Moved to 2.3.

comment:13 Changed 5 years ago by shevek

  • Status changed from assigned to local_testing

Hide the new topic button in the following cases:

  • Member is not a user of the group
  • The current group is the suggestions group

If the user uses the /new link to post into the group this will not be prevented by this fix.


comment:14 Changed 5 years ago by shevek

  • Status changed from local_testing to to_alpha

comment:15 Changed 5 years ago by shevek

  • Status changed from to_alpha to testing

Deployed to alpha.

comment:16 Changed 5 years ago by crumbking

  • Resolution set to fixed
  • Status changed from testing to closed
Note: See TracTickets for help on using tickets.