Mistakenly let everyone see private category (usable security issue)

Hi! I’m an admin of a Discourse instance and I’ve noticed myself misconfiguring category permissions multiple times (making them more permissive by mistake).

I wanted to elaborate on that here to find out whether it’s just an issue with me or whether it has happened to others. And if so, what can be done about it.

Note: I wouldn’t have paid too much attention to this if it had not happened to me multiple times already - 4 in total - and apparently they were significant enough for me to remember every one of them.

The issue

When creating a new category, by default it has everyone with Create / Reply / See permissions.

For some reason, when I make this mistake I first click on the drop-down menu to choose the group I want to have access to this category and then select the permissions. But I forget to click on the + and then on the x to delete the everyone permission.

Security implications

One might think that the implications are light, since when this mistake happens the category has just been created, so no actual content gets revealed. But in some situations just letting the users know of a (soon-to-be-announced) category can blow the surprise or reveal future plans that were still in the draft phase.

2 Likes
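An after-the-fact check for the mistake described in the post, as an added example that is not code from this thread or from Discourse itself: it walks a list of category records and reports every category the `everyone` group can see that is not on an allowlist of intentionally public categories, and specifically flags the "restricted group plus leftover everyone row" pattern. It assumes the shape of the `/c/<slug>/<id>/show.json` response (a `category.group_permissions` list of `group_name` / `permission_type` entries), the `Api-Key` / `Api-Username` request headers, and the permission_type numbering 1 = full, 2 = create_post, 3 = readonly; verify all three against your own instance before relying on the result. The sample categories at the bottom are constructed for the example.

```python
"""Audit which Discourse categories the 'everyone' group can see or post in.

Added example, not part of the thread or of Discourse. Assumptions to verify:
  * /c/<slug>/<id>/show.json returns category.group_permissions as a list of
    {"group_name": ..., "permission_type": ...} entries.
  * permission_type: 1 = full (Create / Reply / See),
                     2 = create_post (Reply / See), 3 = readonly (See).
"""
import json
import urllib.request

EVERYONE = "everyone"
PERMISSION_LABELS = {1: "Create / Reply / See", 2: "Reply / See", 3: "See"}


def everyone_permission(category):
    """Return what 'everyone' may do in this category, or None if the
    everyone group is absent (the category is restricted).

    A category with no group_permissions rows at all is treated as fully
    open, which is the assumed behaviour for a category without group rows."""
    entries = category.get("group_permissions") or []
    if not entries:
        return PERMISSION_LABELS[1]
    for entry in entries:
        if entry.get("group_name") == EVERYONE:
            return PERMISSION_LABELS.get(entry.get("permission_type"), "unknown")
    return None


def audit_categories(categories, intentionally_public=()):
    """Return findings for categories 'everyone' can see that are not on the
    allowlist of slugs meant to be public. Also flags a read_restricted flag
    that contradicts the group list, which would mean the serialized flag
    and the permission rows disagree."""
    public = set(intentionally_public)
    findings = []
    for cat in categories:
        perm = everyone_permission(cat)
        slug = cat.get("slug", str(cat.get("id")))
        if perm is not None and slug not in public:
            other = sorted(e["group_name"] for e in cat.get("group_permissions", [])
                           if e.get("group_name") != EVERYONE)
            findings.append({
                "slug": slug,
                "everyone": perm,
                "other_groups": other,
                # A restricted group alongside 'everyone' is the exact mistake
                # from the post: the group was added, the default row never removed.
                "looks_like_forgotten_default": bool(other),
            })
        if "read_restricted" in cat and cat["read_restricted"] == (perm is not None):
            findings.append({"slug": slug, "inconsistent_read_restricted": True})
    return findings


def fetch_category(base_url, slug, category_id, api_key, api_username):
    """Fetch one category record through the API (assumed endpoint shape).
    Not called in the offline demo below."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/c/{slug}/{category_id}/show.json",
        headers={"Api-Key": api_key, "Api-Username": api_username},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["category"]


# Constructed sample data: one public category, one correctly restricted
# category, and one with the forgotten 'everyone' row.
SAMPLE_CATEGORIES = [
    {"id": 5, "slug": "announcements", "read_restricted": False,
     "group_permissions": [{"group_name": "everyone", "permission_type": 1}]},
    {"id": 9, "slug": "staff-drafts", "read_restricted": True,
     "group_permissions": [{"group_name": "staff", "permission_type": 1}]},
    {"id": 12, "slug": "secret-launch", "read_restricted": False,
     "group_permissions": [{"group_name": "staff", "permission_type": 1},
                           {"group_name": "everyone", "permission_type": 1}]},
]

if __name__ == "__main__":
    for finding in audit_categories(SAMPLE_CATEGORIES, intentionally_public={"announcements"}):
        print(finding)
```

Run it on a regular schedule (or after any category edit) and treat a non-empty result for categories outside the allowlist as a page, not a log line: the window between creating the category and noticing is exactly when the name and description are already visible to everyone.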

Thanks for reporting that! It’s good to know where users are running into problems with the UI. I agree that making a mistake in setting a category’s permissions could cause security issues. A similar, and more serious, issue would be to make a mistake in setting the site’s login required setting.

I’m not sure what Discourse could do to confirm that security related settings are correct before they are updated.

5 Likes

Perhaps one solution could be: if the user changed the drop-down button, assume the user was trying to do something and show a confirmation message box like the following, but instead with the text:

You changed the permissions, but did not apply them. Are you sure you want to let everybody see this category?

(screenshot: category2)

1 Like