I took these screenshots while I was not logged in. So I was definitely not in that group, but still able to see these posts. It’s the same for all the replies. So since the posts are visible even to anonymous users, why is this notice shown if you click the post date?
Yep, I can reproduce that, and that looks like a bug.
https://meta.discourse.org/c/61/visible_groups.json
returns
{"success":"OK","groups":["theme_authors"]}
Regardless of whether I am logged in or anonymous.
@jamie.wilson Do you know if this is intended as I do not think I changed anything as part of the security fix?
I’m also able to reproduce it. I first noticed it a few weeks back (around the time that the unified share dialog was implemented), but I shrugged it off and decided not to create a topic about it.
I think it’s intended to show up when you attempt to share a link from a private category (e.g. The Lounge) to remind you that not everyone will be able to click through and see the content. It seems to be showing up for more things than it’s supposed to. I shall slide this over to bug
It looks like we need to refine the logic in visible_groups a little more.
In this case, since theme_authors is visible to Everyone, the warning is superfluous.
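The decision being discussed above, as an added Ruby illustration that is not Discourse's own code: a category whose permissions include "everyone" is public, so the share dialog should not warn even though a named group (theme_authors) also holds a permission on it. The group names, permission levels, category hashes and helper names are assumptions made for the example; the JSON shape mirrors the visible_groups.json response quoted in the thread.

```ruby
require "json"

# Added illustration, not Discourse's own code. Models whether the share
# dialog should warn that not everyone can see a linked post. All names,
# permission levels and sample categories below are assumptions.

EVERYONE = "everyone".freeze

# Permission levels a group can hold on a category; any of them lets the
# group see the category (assumed model).
PERMISSION_LEVELS = %i[full create_post readonly].freeze

# Groups that can see a category: every group holding a known permission.
def groups_that_can_see(category_permissions)
  category_permissions.select { |_group, level| PERMISSION_LEVELS.include?(level) }.keys
end

# A category is read restricted only when "everyone" holds no permission.
def read_restricted?(category_permissions)
  !groups_that_can_see(category_permissions).include?(EVERYONE)
end

# Buggy backend response: lists the named groups even for a public
# category, so the client warns about "theme_authors" although anyone
# (including anonymous users) can already read the posts.
def visible_groups_buggy(category_permissions)
  groups = groups_that_can_see(category_permissions) - [EVERYONE]
  { "success" => "OK", "groups" => groups }
end

# Refined backend response: only a read-restricted category reports its
# groups; a public category reports an empty list, so no warning is shown.
def visible_groups_fixed(category_permissions)
  groups = if read_restricted?(category_permissions)
             groups_that_can_see(category_permissions) - [EVERYONE]
           else
             []
           end
  { "success" => "OK", "groups" => groups }
end

# Client side: warn only when the backend reported a non-empty group list.
def show_share_warning?(response)
  !response["groups"].empty?
end

# Constructed sample categories (group => permission level).
THEME_AUTHORS_CATEGORY = { "everyone" => :readonly, "theme_authors" => :full }.freeze
LOUNGE_CATEGORY        = { "trust_level_3" => :full }.freeze

if __FILE__ == $PROGRAM_NAME
  puts JSON.generate(visible_groups_buggy(THEME_AUTHORS_CATEGORY)) # warns, wrongly
  puts JSON.generate(visible_groups_fixed(THEME_AUTHORS_CATEGORY)) # no warning
  puts JSON.generate(visible_groups_fixed(LOUNGE_CATEGORY))        # warns, rightly
end
```

The check belongs on the backend because, after the security fix linked below, the client no longer receives the category's group permissions and cannot tell a public category with a named group from a private one.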
SECURITY: Category group permissions leaked to normal users. · discourse/discourse@0f7b987 · GitHub
It looks like we lost that logic when this line was removed. We’ll need something similar on the backend, since we’re not exposing that info to the client anymore.
Thanks for the reproduction steps! I fixed the bug in this PR: