Switching to groups with hidden members causes UI issue in /u directory

We’ve got some groups where I set members’ visibility to group members only. So a regular user can’t see members and that works on the group page:

Screenshot from 2022-04-02 10-39-01

But then on the Users page, the same regular user can filter for the group and get a list of all its members.

3 Likes

Hi @nolo

I’m unable to reproduce the problem. I just made a group on Meta with these settings:

I am the only member of the group:

Screenshot 2022-04-02 at 11.08.47

If I sign in as another user and filter the users page, the list is empty:

https://meta.discourse.org/u?group=testgroup

Can you send a screenshot of your group’s “visibility” settings?

2 Likes

Hmm… I have the same settings:

Screenshot from 2022-04-02 11-50-16

I impersonate a regular user with trust level 0 and I get the list on the users page. Not sure how I can or should try to debug this further?

1 Like

Thanks for the details!

I think what’s happening is just a UI problem. When you switch to a group, a hidden error is occurring, and so the UI keeps the data from the previous list. The users shown are not actually members of the private group.

If you visit this link directly: https://meta.discourse.org/u?group=testgroup then the list is empty. If you switch to ‘team’, and then back to ‘testgroup’, the list of ‘team’ members remains.

So there’s definitely a bug, but it’s not actually revealing any sensitive info. Does that match up with what you’re seeing?

4 Likes
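
The failure mode described in the post above (an error swallowed while switching groups leaves the previous group's rows on screen), as an added sketch that is not Discourse's code and not part of the original thread. `DirectoryView`, `fakeFetchDirectory`, the user names and the 403 status are assumptions made for illustration.

```javascript
// Constructed stand-in for the server: "team" is visible to this viewer,
// any other group (e.g. "testgroup" with hidden members) is refused.
const VISIBLE = { team: ["alice", "bob"] };

async function fakeFetchDirectory(group) {
  if (!(group in VISIBLE)) {
    const err = new Error("forbidden");
    err.status = 403; // assumed status; the thread only says "hidden error"
    throw err;
  }
  return VISIBLE[group];
}

// Hypothetical client-side list model for the /u directory filter.
class DirectoryView {
  constructor(fetchFn, { clearOnError }) {
    this.fetchFn = fetchFn;
    this.clearOnError = clearOnError;
    this.group = null;
    this.rows = [];
    this.error = null;
  }

  async switchGroup(group) {
    this.group = group; // the filter label changes immediately
    this.error = null;
    try {
      this.rows = await this.fetchFn(group);
    } catch (err) {
      this.error = err.status;
      // Fixed behaviour: drop the old rows so nothing is shown under the
      // new label. Without this, the previous group's rows stay visible.
      if (this.clearOnError) this.rows = [];
    }
    return this.rows;
  }
}

// Reproduces the sequence from the thread: 'team' first, then 'testgroup'.
async function demo(clearOnError) {
  const view = new DirectoryView(fakeFetchDirectory, { clearOnError });
  await view.switchGroup("team");
  const rows = await view.switchGroup("testgroup");
  return { group: view.group, rows: [...rows], error: view.error };
}
```

With `clearOnError` off, the view is labelled `testgroup` but still lists the `team` rows, which is what made the bug look like a membership leak; the server's own response to the direct request is the thing to check when triaging a report like this.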

Yes, that’s what I get as well! It’s actually not the group members and once I manually reload the page, I do get “No results were found”.

So should I disable components and parts of the theme code to try and find what could cause that?

3 Likes

Looks like the same happens here on Meta, so I don’t think it’s anything specific to your site. We’ll get this fixed up - thanks for reporting!

5 Likes

It will fix the issue.

2 Likes