Does not work when logged out: https://meta.discourse.org/u?exclude_groups=admins&order=likes_received Logged out: [image] Logged in: [image] I stumbled across this because I noticed when logged out of my own forums, I’m no longer excluded from users sorted by likes received. Is this delibe…

[图片] haydenjames: Was able to at least remove admin user from off the homepage’s Right Sidebar Blocks plugin with just CSS. .top-contributors--user:has([data-user-card="admin_username"]) { display: none; } Ok so was able to achieve the result that I needed for both the front page sid…

Can you expand on what you want to tell me with that screenshot? I see you limit access to the group to logged-in users. You also limit access to the group’s members to logged-in users. Then you show me that a user who is not logged in cannot access the data of the group members. To me, that makes…

[图片] haydenjames: Currently they are only excluded only when logged in but when logged out they are included. Just echoing what @Moin said here. If we made exclude_groups=admins work, then someone could deduce the members of the admin group, even though they’re not supposed to have access. S…

The same logic applies to anyone who just registers though. If a brand new user signs up and uses exclude_groups=admins, the admins get hidden from their list, so they can already deduce the membership by comparing filtered and unfiltered. The bar to “working it out” is just creating a free account…

[图片] haydenjames: The bar to “working it out” is just creating a free account, which anyone can do in seconds. So what’s the real difference between a logged-out visitor and a one-minute-old account here? That depends on the site configuration - many sites do not have open registration. […

:slight_smile: A LOT of them do. Most that I visit

[图片] haydenjames: :slight_smile: A LOT of them do. Most that I visit Yeah that’s certainly true. But when it comes to security features, we have to design things to work precisely as they’re described. If someone decides to hide group membership, that needs to work 100% reliably.

[图片] haydenjames: For context, all I’m actually trying to achieve is in the sidebar plugin there’s a ranking, and I just don’t want the admins group included in the “most likes received” or top contributors list. Why don’t you change the visibility of the admin group and its members to “every…

The thing is, hiding membership isn’t really reliable here anyway. On a lot of forums, mine included, the admins are some of the most active users. So you can just sort the directory by activity and usually spot an admin or two right away. The admin group membership is easily deduced from exposed a…

I do see your point, but it’s important to consider that the group security system is not specific to the @admins group. The same security model would need to work for the @super-secret-lurkers group, if a forum had one :wink: Being able to work out ‘not in a group’ is ultimately the same as being …

[图片] david: Does updating the admins group to be visible to ‘everyone’ work for you? No I tried that before opening. Thought maybe non-members had to be able to see the group for the exclusion to work. :confused: But no, /u?exclude_groups=admins is ignored entirely for unregisted visitors.

/u?exclude_groups=admins 在未登录时无效

支持

david (David Taylor) 2026 年6 月 9 日 21:16 14

是的，这确实没错。但在安全功能方面，我们必须确保设计能够严格按照描述运行。如果有人决定隐藏群组成员身份，那么该功能必须 100% 可靠地生效。

话题		回复	浏览量
Is it a security violation to show a directory of users? Feature	58	7412	2015 年3 月 26 日
User directory feedback Feature	82	9115	2015 年6 月 7 日
New category permission - "cannot see"/"exclude" Feature	36	4500	2024 年9 月 4 日
Respect the visibility settings of all automatic groups Feature groups	14	839	2023 年10 月 23 日
Private users in Discourse Feature	9	1241	2024 年4 月 29 日

/u?exclude_groups=admins 在未登录时无效

相关话题