It seems a non-staff member can get notifications if they are ‘watching’ a tag even though that tag is restricted to staff only (read/write).
A little backstory:
I recently left a group that I was involved in as a moderator. We used tags internally to help track important topics, and some of these tags were set up so only staff could see and add them. So that I was aware of these topics, I had set my notification settings to ‘Watching First Post’ for the staff-only tags.
Now that I am no longer a staff member I still get notifications when the tag is applied to a topic. However, I cannot:
- Access the tag page (`/tags/{tag_name}`)
- See the tag on the topic
- See that the topic was edited by a staff member to add the tag
- Once I remove that tag from my notification preferences, I cannot add it back
Because I cannot access, or see the tag, I don’t think I should be able to get notifications when it is applied. I wouldn’t consider this to be a security issue per se, but it could potentially leak some information some communities don’t want to be known outside of their staff team(s).
8 Likes
nat (Natalie T)
Hey there, thank you for reporting this. We’ve pushed a fix to the latest version of our build. With that, you should:
- stop receiving notifications on privileged tags you’ve watched before
- not even see those tags on your notification preferences or have to un-watch them
- the nice part about this one is that if you get reinstated as a moderator, you’d not have to re-watch them!
PR: SECURITY: Only show tags to users with permission by nattsw · Pull Request #15148 · discourse/discourse · GitHub
2 Likes
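To make the reported leak and the shape of the fix concrete, here is an added example written for this thread; it is not Discourse's code or the linked PR. It models a staff-only tag group, a user whose watch preference outlives her staff membership, a notification dispatch that trusts the stored preference alone, and a hardened dispatch that re-checks tag visibility at delivery time while keeping the hidden preference so a reinstated moderator does not have to re-watch. All names (`User`, `TagGroup`, `can_see_tag?`, the sample users and tags) are constructed for the illustration.

```ruby
# Added example, not Discourse code: a minimal model of the bug in this thread.
User     = Struct.new(:name, :groups, :watched_tags)
TagGroup = Struct.new(:name, :tags, :allowed_groups)  # allowed_groups nil => public

# Constructed tag groups: "needs-legal" is restricted to the staff group.
TAG_GROUPS = [
  TagGroup.new("staff-only", ["needs-legal"], ["staff"]),
  TagGroup.new("public",     ["howto"],       nil),
]

# A tag is visible when it is in no restricted group, or the user belongs to
# one of the groups that the restricted group grants access to.
def can_see_tag?(user, tag)
  TAG_GROUPS.all? do |tg|
    next true unless tg.tags.include?(tag) && tg.allowed_groups
    (tg.allowed_groups & user.groups).any?
  end
end

# Vulnerable dispatch: honours the stored watch preference without checking
# whether the watcher may still see the tag (the behaviour reported above).
def notify_watchers_vulnerable(tag, users)
  users.select { |u| u.watched_tags.include?(tag) }.map(&:name)
end

# Hardened dispatch: the preference only counts if the tag is visible to the
# user right now, so a former moderator silently stops receiving notices.
def notify_watchers(tag, users)
  users.select { |u| u.watched_tags.include?(tag) && can_see_tag?(u, tag) }
       .map(&:name)
end

# Preferences page: list only visible tags. The hidden preference is kept in
# storage, so regaining staff membership re-enables it without re-watching.
def visible_watched_tags(user)
  user.watched_tags.select { |t| can_see_tag?(user, t) }
end

# Constructed sample: alice left staff but her watch on "needs-legal" remains.
ALICE = User.new("alice", ["trust_level_2"], ["needs-legal", "howto"])
BOB   = User.new("bob",   ["staff"],         ["needs-legal"])

if __FILE__ == $0
  p notify_watchers_vulnerable("needs-legal", [ALICE, BOB])  # ["alice", "bob"]
  p notify_watchers("needs-legal", [ALICE, BOB])             # ["bob"]
  p visible_watched_tags(ALICE)                              # ["howto"]
end
```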