Clicking Reaction counter will encounter 403 loop if a post is hidden

The backend /discourse-reactions/app/controllers/discourse_reactions/custom_reactions_controller.rb uses guardian.ensure_can_see!(post) to restrict users without permission from loading the reactions when a post is hidden.

However, the frontend still renders the reaction counter. Thus, when users click the reaction counter of a hidden post, there will be infinite loading, with 403 forbidden while getting /discourse-reactions/posts/xxx/reactions-users-list.json

This commit adds a similar guard at the frontend, hiding the reaction counter while args.post.hidden && !args.post.can_see_hidden_post, so as to fix this problem.


PR: FIX: reaction counter shouldn't be visible to users without see_hidden_post permission if a post is hidden · Pull Request #40216 · discourse/discourse
