Talking with our Security team, they were curious why the userid is in the JSON for the categories and what exactly these JSON are there for?
Their primary concern is, for example, if we decide to delist a topic due to security reasons (which we have done before), could this metadata somehow leak them?
I'm not sure I understand the question exactly, can you elaborate a little more?
We use JSON to send all information between the server and the client in Discourse. User IDs are included regularly, and are not considered secret.
Unlisting a topic will remove it from any topic lists. This is done server-side, so yes they will disappear from the JSON payload for unprivileged accounts.
Of course, if someone already has the link for the topic, then they could still view the unlisted topic. If you need to completely secure a topic, then it's best to convert it to a PM.