FIX: Ensure permissions are correctly enforced (PR #7985)

GitHub

You’ve signed the CLA, nbianca. Thank you! This pull request is ready for review.

Looks like the spec is failing?

Will this work with discourse-assign if we allow groups with different visibility levels (e.g. staff and TL0) and if the assigning user is not a staff member?

1 Like

Hmm… I do not believe this will work with discourse-assign. :slightly_frowning_face:

Basically, when it tries to search in a specific set of groups, it first ensures that the user can see all of them. I think what we want here is to remove all these groups that cannot be seen by the user and then continue the search normally. :thinking:

Yes, I think this would be the best approach and it’ll work with discourse-assign. I’ll try to move this forward since Bianca is away this week and it needs to be fixed for the plugin :+1:

2 Likes

I can have a look later, this afternoon. :eyes:

1 Like

I believe that the discourse-assign should only search in those groups that are visible to the user. I implemented the fix in discourse/discourse-assign#48.

1 Like

I don’t think this change is right.

If only owners are allowed visibility then ONLY owners+admins are allowed to see it, not moderators. This is an expansion of mod privs.