Latest.json contains admin and trustlevel field - when not logged in

Hi, our Discourse instance shows user admin and trustlevel fields in the /latest.json (latest topics) response body for unauthenticated users.

For instance a user in the in the /latest.json list shows up as:

  "users": [
      "id": 32,
      "username": "Beeblebrox",
      "avatar_template": "/user_avatar/{size}/1_1.png",
      "flair_name": null,
      "admin": true,
      "trust_level": 1

Whether a user is admin is sensitive information IMO; is it possible to not show the a. admin and b. trust_level field in the /latest.json response page for 1. unauthenticated users and 2. all users?

That’s the issue. It’s not treated as sensitive anywhere that I’m aware of. It’s possible to hide from users who admins are on s plugin.

1 Like

Thanks for the quick answer! What do you mean exactly with:

It’s possible to hide from users who admins are on s plugin.

Is s plugin a specific plugin?

I’ve written one that hides my user from the admin list. I’m not entirely sure that it hides my user from that json load, but I think it might?

It was part of a larger plugin, so I don’t think I have that bit publicly available. I can try to post the key bits here, or you can contact me if you have a budget and want me to do it for you.

It’s not. We even feature those prominently in the /about page :smile:


I found mine. It looks like it removes admin just from the /admin page:

  require_dependency 'admin_constraint'
  add_to_serializer(:about, :admins) do
    object.admins.reject { |u|
      puts "REJECT: #{u.emails.first} "
      u.emails.first =~ HIDDEN_EMAIL_REGEXP

I did not know that the about page lists moderators and admins, so that explains why it is not treated as sensitive information. I have my answer, thanks all for the quick responses, much appreciated!