We’ve got some groups where I set members’ visibility to group members only. So a regular user can’t see members and that works on the group page:
But then on the Users page, the same regular user can filter for the group and get a list of all it’s members.
I’m unable to reproduce the problem. I just made a group on Meta with these settings:
I am the only member of the group:
If I sign in as another user and filter the users page, the list is empty:
Can you send a screenshot of your group’s “visibility” settings?
Hmm… I have the same settings:
I impersonate a regular user with trust level 0 and I get the list on the users page. Not sure how I can or should try to debug this further?
Thanks for the details!
I think what’s happening is just a UI problem. When you switch to a group, a hidden error is occuring, and so the UI keeps the data from the previous list. The users shown are not actually members of the private group.
If you visit this link directly: https://meta.discourse.org/u?group=testgroup then the list is empty. If you switch to ‘team’, and then back to ‘testgroup’, the list of ‘team’ members remain.
So there’s definitely a bug, but it’s not actually revealing any sensitive info. Does that match up with what you’re seeing?
Yes, that’s what I get as well! It’s actually not the group members and once I manually reload the page, I do get “No results where found”.
So should I disable components and parts of the theme code to try and find what could cause that?
Looks like the same happens here on Meta, so I don’t think it’s anything specific to your site. We’ll get this fixed up - thanks for reporting!