DiscusWare, LLC.
Why can users sign up for e-mail notification in topics they are not allowed to read?

Sometimes this is reported to us by e-mail as a 'huge security hole.' This document explains why it does not actually happen.
They can't. Discus Professional allows users and moderators to sign up for e-mail notification only in those topics that they are permitted to read (which includes all public topics, all private topics for which their username and password are valid, and all topics to which they have logged in during the currently open browser session).

Generally, this question is asked of us by someone who believes they have found a "huge security hole." In fact, it has never been demonstrated to us that there is any problem with the security routine that controls which topics appear on e-mail notification lists. In all cases, one of the following has happened:

You were previously logged in as a more privileged user or moderator, and you discovered this "huge security hole" during subsequent testing.

All topics to which you have previously logged in are available for you to register for e-mail notification. This information is stored in a cookie. In addition, if you were logged into administration as the superuser, you are likely to see all topics through the cookie that was set to contain your administration password. To clear all cookies and start over as a real, ordinary user, go to "Edit Profile" and click "Log Out." Then try it again, and you probably won't see restricted topics in your list. Keep in mind that an ordinary, unprivileged user wouldn't ever have logged in to the restricted topics or the administration program in the first place.

You were editing someone else's profile through the User Manager or Moderator Manager.

Presently, when you edit someone else's profile through User Manager or Moderator Manager, any topics that YOU are privileged to read will also appear on the list. These are present in case you want to subscribe an unprivileged user to e-mail notification in a private topic (for whatever reason). The user himself will never see the private topics. To see what the user would see, log out (see previous explanation) and then log in as the user.

The topic was public, people signed up for e-mail notification, and then you made the topic private.

Current versions of Discus do not sweep through users' e-mail notification settings and remove topics that they were previously permitted to sign up for but are no longer authorized to read. (The rationale is that this would also remove any topics protected by global passwords or IP restrictions.) If you had a public topic and you are making it private, you can effectively require everyone to sign up for notification again (which would require access to the private topic) by using the following workaround:

  1. Create a new topic on your board with the same name as the old topic (or a different name if you want, but presumably you want it to be the same).

  2. Immediately go to Access Manager and set up private reading for that new topic.

  3. Go to Page Manager, go to the old topic that is to be secured, and move all subtopics from the top level of that topic to the new topic you've just created. You may also need to transfer the Announcement Message and About Message by copying and pasting. If you happen to have any messages on the top level, you will need to move these as well (most won't).

  4. Once you've confirmed that the content has been moved correctly, then delete the old topic.

The above procedure works because it effectively assigns a new topic number to the topic whose permissions have been changed. E-mail notification preferences are stored by topic number in the user file. You need to do the above ONLY IF you're making a previously public topic private and you are concerned about people who signed up for e-mail notification while it was public continuing to receive that notification now. In our experience, this is rarely an issue.
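As an added illustration (not DiscusWare's code), the following Python model shows the mechanism described above: notification preferences stored by topic number, an access check made only at subscription time, the renumbering workaround, and an additional delivery-time re-check that a board could apply as a safeguard. The usernames, topic name and class names are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Topic:
    number: int
    name: str
    private: bool = False
    allowed: set = field(default_factory=set)   # users who hold this topic's password
    def can_read(self, user):
        return not self.private or user in self.allowed

class Board:
    def __init__(self):
        self.topics, self.user_file, self.next_number = {}, {}, 1  # user_file: user -> topic numbers
    def create_topic(self, name, private=False, allowed=()):
        t = Topic(self.next_number, name, private, set(allowed))
        self.topics[t.number], self.next_number = t, t.number + 1
        return t
    def subscribe(self, user, number):
        # Subscription time: only topics the user may read are offered.
        if not self.topics[number].can_read(user):
            raise PermissionError(f"{user} may not read topic {number}")
        self.user_file.setdefault(user, set()).add(number)
    def subscriptions(self, user):
        # Numbers of deleted topics simply dangle in the user file and are ignored.
        return sorted(n for n in self.user_file.get(user, ()) if n in self.topics)
    def recipients(self, number):
        # Delivery-time re-check: an extra safeguard, not something the page describes.
        t = self.topics[number]
        return sorted(u for u, nums in self.user_file.items() if number in nums and t.can_read(u))
    def privatize_by_renumbering(self, number, allowed):
        # The page's workaround: a fresh topic number takes over the content.
        old = self.topics.pop(number)
        return self.create_topic(old.name, private=True, allowed=allowed)

def scenario():
    b = Board()
    t = b.create_topic("Staff Lounge")          # public at first
    b.subscribe("alice", t.number)              # allowed while public
    t.private, t.allowed = True, {"bob"}        # flipped in place: alice's entry survives
    stale = b.subscriptions("alice")            # [1]
    rechecked = b.recipients(t.number)          # [] once delivery re-checks access
    new = b.privatize_by_renumbering(t.number, {"bob"})
    try:
        b.subscribe("alice", new.number)
        resubscribed = True
    except PermissionError:
        resubscribed = False                    # cannot re-subscribe without the password
    return stale, rechecked, b.subscriptions("alice"), resubscribed
```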


Copyright © 2005, DiscusWare, LLC, All Rights Reserved