Latest.json contains admin and trustlevel field - when not logged in

Hi, our Discourse instance shows user admin and trustlevel fields in the /latest.json (latest topics) response body for unauthenticated users.

For instance, a user in the /latest.json list shows up as:

{
  "users": [
    {
      "id": 32,
      "username": "Beeblebrox",
      "avatar_template": "/user_avatar/my-discourse.org/beeblebrox/{size}/1_1.png",
      "flair_name": null,
      "admin": true,
      "trust_level": 1
    }
  ],
  "primary_groups":[],
  "flair_groups":[],
  "topic_list":[]
}

Whether a user is admin is sensitive information IMO; is it possible to not show the (a) admin and (b) trust_level fields in the /latest.json response page for (1) unauthenticated users and (2) all users?

That’s the issue. It’s not treated as sensitive anywhere that I’m aware of. It’s possible to hide from users who admins are on s plugin.

1 Like

Thanks for the quick answer! What do you mean exactly with:

It’s possible to hide from users who admins are on s plugin.

Is s plugin a specific plugin?

I’ve written one that hides my user from the admin list. I’m not entirely sure that it hides my user from that json load, but I think it might?

It was part of a larger plugin, so I don’t think I have that bit publicly available. I can try to post the key bits here, or you can contact me if you have a budget and want me to do it for you.

It’s not. We even feature those prominently in the /about page :smile:

3 Likes

I found mine. It looks like it removes admin just from the /admin page:

  require_dependency 'admin_constraint'
  # Overrides the "admins" attribute of the /about serializer so that any admin
  # whose primary email matches HIDDEN_EMAIL_REGEXP is left out of the list.
  # HIDDEN_EMAIL_REGEXP is defined elsewhere in the larger plugin this came from.
  add_to_serializer(:about, :admins) do
    object.admins.reject { |u|
      # debug output: writes the email being checked to the server log
      puts "REJECT: #{u.emails.first} "
      u.emails.first =~ HIDDEN_EMAIL_REGEXP
    }
  end

2 Likes

I did not know that the about page lists moderators and admins, so that explains why it is not treated as sensitive information. I have my answer, thanks all for the quick responses, much appreciated!

2 Likes