Tag groups page is available without authorization


(Alexander V ) #1

As guest you can open and see /tag_groups page with all staff buttons and controls, for example:
https://meta.discourse.org/tag_groups/
https://meta.discourse.org/tag_groups/1
That’s only cosmetic bug, any changes there are not saved (“Forbidden” response from server), and no private information also - so it’s public bug report.


(Sam Saffron) #2

Agree, this is pretty confusing to anonymous.

@neil perhaps we should just restrict the route to staff? Can anyone else mess with tag groups?


(Neil Lalonde) #4

Agreed there’s no point showing those pages to non-staff users. I restricted them to staff.


(Tobias Eigen) #5

Whoa - that is freaky. Is it going to be restricted on all sites now, @neil, or do I have to do something to restrict access on my site?


(Neil Lalonde) #6

It will be restricted for all sites.


(Neil Lalonde) #7

This topic was automatically closed after 6 hours. New replies are no longer allowed.