Hi! I’m an admin in a Discourse instance and I’ve noticed myself misconfiguring the category permissions multiple times (making it more permissive by mistake).
I wanted to elaborate on that here to know if it's just an issue with me or if it has happened with others. And if so, what can be done about it.
Note: I wouldn’t have paid too much attention to this if it had not happened to me multiple times already - 4 in total - and apparently they were significant enough for me to remember every one of them.
The issue
When creating a new category, by default it has everyone with Create / Reply / See permissions.
For some reason, when I make this mistake I first click on the drop-down menu to choose the group I want to access this category and then select the permissions. But I forget to click on the + and then on the x to delete the everyone permission.
Security implications
One might think that the implications are light since when this mistake happens the category has just been created so no actual content gets revealed. But in some situations just letting the users know of a (soon-to-be-announced) category can blow the surprise or reveal future plans that were still in the draft phase.
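
An added example, not part of the original post and not Discourse code: a small audit that compares each category's actual group permissions with the intended ones, flagging both halves of the mistake described above (the default everyone row left in place, and the intended group never added). The data shape, the category names and the `staff` group are constructed for illustration.

```python
# Permission levels ordered from least to most permissive.
LEVEL = {"None": 0, "See": 1, "Reply / See": 2, "Create / Reply / See": 3}

def audit_category(name, actual, intended):
    """Compare one category's actual permissions with the intended ones.

    actual / intended: dict mapping group name -> level name.
    Returns a list of findings; an empty list means the category matches.
    """
    findings = []
    for group in sorted(set(actual) | set(intended)):
        have = actual.get(group, "None")
        want = intended.get(group, "None")
        if LEVEL[have] > LEVEL[want]:
            findings.append(f"{name}: '{group}' has {have}, intended {want} (too permissive)")
        elif LEVEL[have] < LEVEL[want]:
            findings.append(f"{name}: '{group}' has {have}, intended {want} (group not added?)")
    return findings

def audit_all(actual_by_cat, intended_by_cat):
    """Audit every category; categories with no recorded intent need manual review."""
    findings = []
    for name in sorted(actual_by_cat):
        if name not in intended_by_cat:
            findings.append(f"{name}: no intended policy recorded, review manually")
            continue
        findings.extend(audit_category(name, actual_by_cat[name], intended_by_cat[name]))
    return findings

# Constructed sample data (hypothetical categories and groups).
INTENDED = {
    "General": {"everyone": "Create / Reply / See"},
    "Launch planning": {"staff": "Create / Reply / See"},
}
ACTUAL = {
    "General": {"everyone": "Create / Reply / See"},
    # Default row left in place, and the "+" for staff was never clicked.
    "Launch planning": {"everyone": "Create / Reply / See"},
}

if __name__ == "__main__":
    for line in audit_all(ACTUAL, INTENDED):
        print(line)
```
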