It seems like if a staff member changes the ownership of a whisper to a user who cannot use whispers, the user without whispers access can see “their” post, even though they should be unable to.
For example (this user is a TL4 without moderator or admin privileges, and only staff have access to whispers):

image750×367 19.2 KB

Steps to reproduce

1. As an admin, create a whisper (make sure that only staff can use whispers).
2. Change the whisper’s owner to a non-staff user.
3. As that non-staff user, open the topic the whisper is on and look at the whisper post.

That’s an interesting one. How about if you are allowed to make a whisper, create a whisper, and then are removed from whisper allowed groups - can you still see your whispers even then?

I just tested, and my alt could still see its own whispers after it was removed from the groups that were allowed to.

I can see some old whisper posts I created in public topics on Meta - not any other whispers though. The logic seems to be that a whisperer can see their own whispers. It feels like a bug.

I can see this as a problem, but I am going to call this feature vs bug.

Putting pr-welcome in case someone wants to try out a fix.