Non-Forum Staff Getting Notifications for Staff Only Tags

It seems a non-staff member can get notifications if they are ‘watching’ a tag even though that tag is restricted to staff only (read/write).

A little backstory:

I recently left a group that I was involved in as a moderator. We used tags internally to help track important topics, some of these tags were set up so only staff could see and add them. So I was aware of these topics I had set my notification settings to ‘Watching First Post’ for the staff-only tags.

Now that I am no longer a staff member I still get notifications when the tag is applied to a topic. However, I cannot:

• Access the tag page /tags/{tag_name}
• See the tag on the topic
• See that the topic was edited by a staff member to add the tag
• Once I remove that tag from my notification preferences, I cannot add it back

Because I cannot access, or see the tag, I don’t think I should be able to get notifications when it is applied. I wouldn’t consider this to be a security issue per se, but it could potentially leak some information some communities don’t want to be known outside of their staff team(s).

Hey there, thank you for reporting this. We’ve pushed a fix to the latest version of our build. With that, you should:

• stop receiving notifications on privileged tags you’ve watched before
• not even see those tags on your notification preferences or have to un-watch them
  • the nice part about this one is that if you get reinstated as a moderator, you’d not have to re-watch them!

PR: SECURITY: Only show tags to users with permission by nattsw · Pull Request #15148 · discourse/discourse · GitHub