Users can see their own posts when those posts are whispers, even if they do not have enough privileges to use whispers

It seems like if a staff member changes the ownership of a whisper to a user who cannot use whispers, the user without whispers access can see “their” post, even though they should be unable to.
For example (this user is a TL4 without moderator or admin privileges, and only staff have access to whispers):

Steps to reproduce

  1. As an admin, create a whisper (make sure that only staff can use whispers).
  2. Change the whisper’s owner to a non-staff user.
  3. As that non-staff user, open the topic the whisper is on and look at the whisper post.
3 Likes

That’s an interesting one. How about if you are allowed to make a whisper, create a whisper, and then are removed from whisper allowed groups - can you still see your whispers even then?

4 Likes

I just tested, and my alt could still see its own whispers after it was removed from the groups that were allowed to.

5 Likes

I can see some old whisper posts I created in public topics on Meta - not any other whispers though. The logic seems to be that a whisperer can see their own whispers. It feels like a bug.

5 Likes

I can see this as a problem, but I am going to call this feature vs bug.

Putting pr-welcome in case someone wants to try out a fix.

5 Likes