Tag groups page is available without authorization

volas · September 16, 2018, 6:35pm

As guest you can open and see /tag_groups page with all staff buttons and controls, for example:
https://meta.discourse.org/tag_groups/
https://meta.discourse.org/tag_groups/1
That’s only cosmetic bug, any changes there are not saved (“Forbidden” response from server), and no private information also - so it’s public bug report.

sam · September 16, 2018, 11:28pm

Agree, this is pretty confusing to anonymous.

@neil perhaps we should just restrict the route to staff? Can anyone else mess with tag groups?

neil · September 17, 2018, 3:42pm

Agreed there’s no point showing those pages to non-staff users. I restricted them to staff.

tobiaseigen · September 17, 2018, 6:09pm

Whoa - that is freaky. Is it going to be restricted on all sites now, @neil, or do I have to do something to restrict access on my site?

neil · September 17, 2018, 6:10pm

It will be restricted for all sites.

neil · September 17, 2018, 10:00pm

This topic was automatically closed after 6 hours. New replies are no longer allowed.

Topic		Replies	Views
Tags can be used by everyone causes tag to be usable only by staff bug	5	965	May 16, 2018
Limit access to /tags page by trust level - or for everyone feature	5	1152	March 12, 2019
Hiding the Tags page from normal users: /tags support tags	0	156	January 21, 2024
'New Topic' is active on staff-only tag pages bug	5	686	March 7, 2019
Tags page only shows 1 tag for some moderators support tags	5	289	August 24, 2023

Tag groups page is available without authorization

Related Topics