Optionally post to groups via normal mentions unless the group is restricted. This aligns with the expectations of other fediverse projects and communities but isn't recommended, as content destined for private groups can leak. We can't convince those projects and communities that privacy is important and we're frankly outnumbered. We still recommend DMs or wall-to-wall posts for posting to groups because only these mechanisms can minimise leakage of private group content, and users shouldn't be forced to remember which is which. But this isn't the hill I wish to die on. A hidden config allows group owners to change this behaviour based on their own privacy and usability needs.

FEDERATION.md

@@ -23,6 +23,8 @@ Groups
 
 Groups may be public or private. The initial thread starting post to a group is sent using a DM to the group and should be the only DM recipient. This helps preserve the sanctity of private groups and is a posting method available to most ActivityPub software, as opposed to bang tags (!groupname) which lack widespread support and normal @mentions which can create privacy issues and their associated drama.  It will be converted to an embedded post authored by the group Actor (and attributed to the original Actor) and resent to all members. Followups and replies to group posts use normal federation methods. The actor type is 'Group' and can be followed using Follow/Group *or* Join/Group, and unfollowed by Undo/Follow *or* Leave/Group.
 
+Update: as of 2021-04-08 @mentions are now permitted for posting to public and moderated groups but are not permitted for posting to  restricted or private groups. The group owner can over-ride this behaviour as desired based on the group's security and privacy expectations. DMs (and wall-to-wall posts) are still the recommended methods for posting to groups because they can be used for any groups without needing to remember which are public and which are private; and which may have allowed or disallowed posting via mentions. 
+
 Comments
 
 This project provides permission control and moderation of comments. By default comments are only accepted from existing connections. This can be changed by the individual. Other sites MAY use zot:commentPolicy (string) as a guide if they do not wish to provide comment abilities where it is known in advance they will be rejected. A Reject/Note activity will be sent if the comment is not permitted. There is currently no response for moderated content, but will likely also be represented by Reject/Note.

include/items.php

@@ -2575,14 +2575,18 @@ function tag_deliver($uid, $item_id) {
 		$mail_notify = true;
 	}
 
-
-
 	// important - ignore wall posts here else dm's by group owner will be sent to group.
+
 	if ($is_group && intval($item['item_private']) === 2 && intval($item['item_thread_top']) && (! intval($item['item_wall']))) {
-		// group delivery via DM - use post_wall permission since send_stream is probably turned off and this will be turned into an embedded wall-to-wall post
-		if(perm_is_allowed($uid,$item['owner_xchan'],'post_wall')) {
+		// group delivery via DM - use post_wall permission since send_stream is probably turned off
+		// and this will be turned into an embedded wall-to-wall post
+		if(perm_is_allowed($uid,$item['author_xchan'],'post_wall')) {
 			logger('group DM delivery for ' . $u['channel_address']);
 			start_delivery_chain($u, $item, $item_id, 0, true, (($item['edited'] != $item['created']) || $item['item_deleted']));
+			q("update item set item_blocked = %d where id = %d",
+				intval(ITEM_HIDDEN),
+				intval($item_id)
+			);
 		}
 		return;
 	}
@@ -2602,8 +2606,6 @@ function tag_deliver($uid, $item_id) {
 		return;
 	}
 
-
-
 	/*
 	 * A "union" is a message which our channel has sourced from another channel.
 	 * This sets up a second delivery chain just like forum tags do.
@@ -2666,7 +2668,6 @@ function tag_deliver($uid, $item_id) {
 
 			// At this point we've determined that the person receiving this post was mentioned in it or it is a union.
 			// Now let's check if this mention was inside a reshare so we don't spam a forum
-			// If it's private we may have to unobscure it momentarily so that we can parse it.
 
 			$body = preg_replace('/\[share(.*?)\[\/share\]/','',$item['body']);
 
@@ -2703,6 +2704,23 @@ function tag_deliver($uid, $item_id) {
 
 			call_hooks('tagged', $arr);
 
+			/**
+			 * post to a group (aka forum) via normal @-mentions *only if* the group is public
+			 * but let the owner change this with a hidden pconfig and either allow
+			 * or deny this option regardless of the type of group
+			 */
+			 
+			if ($is_group && intval($item['item_thread_top']) && (! intval($item['item_wall']))) {
+				if (get_pconfig($uid,'system','post_via_mentions',in_array($role,['forum','forum_moderated'])) && perm_is_allowed($uid,$item['author_xchan'],'post_wall')) {
+					logger('group mention delivery for ' . $u['channel_address']);
+					start_delivery_chain($u, $item, $item_id, 0, true, (($item['edited'] != $item['created']) || $item['item_deleted']));
+					q("update item set item_blocked = %d where id = %d",
+						intval(ITEM_HIDDEN),
+						intval($item_id)
+					);
+				}
+			}
+
 			/*
 			 * Send a mention notification - unless we just sent a mail notification for the same item
 			 */
@@ -2812,11 +2830,14 @@ function tgroup_check($uid, $item) {
 	}
 
 	// post to group via DM
-	
+
 	if ($is_group) {
 		if (intval($item['item_private']) === 2 && $item['mid'] === $item['parent_mid']) {
 			return true;
 		}
+		if (get_pconfig($uid,'system','post_via_mentions',in_array($role, ['forum','forum_moderated']))) {
+			return true;
+		}
 	}
 
 	// see if we already have this item. Maybe it is being updated.

include/text.php

@@ -3030,7 +3030,7 @@ function linkify_tags(&$body, $uid, $in_network = true) {
 
 	$tags = get_tags($body);
 
-	if(count($tags)) {
+	if(is_array($tags) && count($tags)) {
 		foreach($tags as $tag) {
 
 			$success = handle_tag($body, $str_tags, ($uid) ? $uid : App::$profile_uid , $tag, $in_network);