It seems a non-staff member can get notifications if they are ‘watching’ a tag even though that tag is restricted to staff only (read/write).
A little backstory:
I recently left a group that I was involved in as a moderator. We used tags internally to help track important topics, some of these tags were set up so only staff could see and add them. So I was aware of these topics I had set my notification settings to ‘Watching First Post’ for the staff-only tags.
Now that I am no longer a staff member I still get notifications when the tag is applied to a topic. However, I cannot:
- Access the tag page
/tags/{tag_name} - See the tag on the topic
- See that the topic was edited by a staff member to add the tag
- Once I remove that tag from my notification preferences, I cannot add it back
Because I cannot access, or see the tag, I don’t think I should be able to get notifications when it is applied. I wouldn’t consider this to be a security issue per se, but it could potentially leak some information some communities don’t want to be known outside of their staff team(s).