Tag groups page is available without authorization

As guest you can open and see /tag_groups page with all staff buttons and controls, for example:
https://meta.discourse.org/tag_groups/
https://meta.discourse.org/tag_groups/1
That’s only cosmetic bug, any changes there are not saved (“Forbidden” response from server), and no private information also - so it’s public bug report.

4 Likes

Agree, this is pretty confusing to anonymous.

@neil perhaps we should just restrict the route to staff? Can anyone else mess with tag groups?

5 Likes

Agreed there’s no point showing those pages to non-staff users. I restricted them to staff.

6 Likes

Whoa - that is freaky. Is it going to be restricted on all sites now, @neil, or do I have to do something to restrict access on my site?

It will be restricted for all sites.

5 Likes

This topic was automatically closed after 6 hours. New replies are no longer allowed.