It seems like if a staff member changes the ownership of a whisper to a user who cannot use whispers, the user without whispers access can see “their” post, even though they should be unable to.
For example (this user is a TL4 without moderator or admin privileges, and only staff have access to whispers):
Steps to reproduce
- As an admin, create a whisper (make sure that only staff can use whispers).
- Change the whisper’s owner to a non-staff user.
- As that non-staff user, open the topic the whisper is on and look at the whisper post.
That’s an interesting one. How about if you are allowed to make a whisper, create a whisper, and then are removed from
whisper allowed groups - can you still see your whispers even then?
I just tested, and my alt could still see its own whispers after it was removed from the groups that were allowed to.
I can see some old whisper posts I created in public topics on Meta - not any other whispers though. The logic seems to be that a whisperer can see their own whispers. It feels like a bug.
I can see this as a problem, but I am going to call this feature vs bug.
Putting pr-welcome in case someone wants to try out a fix.