Category JSON leaks information about restricted categories and groups.
-
Continuing the discussion from Discourse to NNTP gateway:
It can also be used to retrieve information about private categories, which may not be intended behaviour...
Specifically it gives the group name and the title of the oldest topic.
For example, even when not logged in, http://what.thedailywtf.com/c/4/show.json gives up:
{ "category": { "id": 4, "name": "Staff", "color": "283890", "text_color": "FFFFFF", "slug": "staff", "topic_count": 13, "post_count": 77, "description": "Private category for staff discussions. Topics are only visible to admins and moderators.", "description_text": "Private category for staff discussions. Topics are only visible to admins and moderators.", "topic_url": "\/t\/about-the-staff-category\/9", "read_restricted": true, "permission": null, "parent_category_id": 3, "notification_level": null, "logo_url": "\/uploads\/default\/3716\/c79f02a2c58bdbbc.png", "background_url": "\/uploads\/default\/4058\/1735e7ca0324bce0.png", "available_groups": [ "admins", "area_bel", "area_deu", "area_gbr", "area_usa", "bots", "everyone", "moderators", "programmers_testers", "trust_level_0", "trust_level_1", "trust_level_2", "trust_level_3", "trust_level_4" ], "auto_close_hours": null, "auto_close_based_on_last_post": false, "group_permissions": [ { "permission_type": 1, "group_name": "staff" } ], "position": 10, "cannot_delete_reason": "Can't delete this category because it has 13 topics. Oldest topic is <a href=\"http:\/\/what.thedailywtf.com\/t\/invisible-topic-for-site-assets\/8\">Invisible topic for site assets<\/a>", "allow_badges": true } }
-
Specifically it gives the group name and the title of the oldest topic.
That seems like it could be a problem if you're talking about specific users in the admin area.
-
That seems like it could be a problem if you're talking about specific users in the admin area.
Mitigated by the fact that the oldest topic in most categories is the "What this topic is about" post.
-
In fact... I've just realised something about the fact that groups are listed there.
Off to test something...
-
Off to test something...
Uh, huh - it also leaks invisible group names:
"available_groups": [ "admins", "area_bel", "area_deu", "area_gbr", "area_usa", "bots", "everyone", "moderators", "programmers_testers", "super_sekret_group", "trust_level_0", "trust_level_1", "trust_level_2", "trust_level_3", "trust_level_4" ],
-
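The two disclosures described in this thread (the restricted category's metadata plus the oldest-topic title in cannot_delete_reason, and the custom group names in available_groups) can be checked for on one's own instance with a small audit script. The following is an added example written for this thread, not Discourse code: the field names come from the JSON pasted above, the embedded payload is a constructed, trimmed copy of it using a placeholder host, and the set of groups treated as "built-in" is an assumption about what a site operator would consider public.

```python
"""Audit a Discourse category show.json payload for values an anonymous client
should not need to see.

Added example for this thread, not Discourse code. Field names follow the JSON
quoted in the thread; the sample payload is constructed, and BUILTIN_GROUPS is an
assumption about which group names are public on every install."""
import json
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the show.json output quoted in the thread.
SAMPLE_SHOW_JSON = """
{ "category": {
    "id": 4, "name": "Staff", "slug": "staff",
    "topic_count": 13, "post_count": 77,
    "description": "Private category for staff discussions.",
    "topic_url": "/t/about-the-staff-category/9",
    "read_restricted": true,
    "available_groups": ["admins", "everyone", "moderators",
                         "super_sekret_group", "trust_level_0"],
    "group_permissions": [{"permission_type": 1, "group_name": "staff"}],
    "cannot_delete_reason": "Can't delete this category because it has 13 topics. Oldest topic is <a href=\\"http://forum.example/t/invisible-topic-for-site-assets/8\\">Invisible topic for site assets</a>"
} }
"""

# Groups Discourse creates on every install (assumption: treat these as public).
BUILTIN_GROUPS = {"admins", "moderators", "staff", "everyone"} | {
    f"trust_level_{n}" for n in range(5)
}

# Fields that, for a read_restricted category, reveal that a hidden category
# exists and what it is about (assumed sensitive; chosen from the thread's JSON).
RESTRICTED_METADATA = ("name", "slug", "description", "topic_url",
                       "topic_count", "post_count")

# cannot_delete_reason embeds the oldest topic as an HTML link.
OLDEST_TOPIC_RE = re.compile(r'<a href="([^"]+)">([^<]*)</a>')


def custom_groups(names: List[str]) -> List[str]:
    """Return group names that are not Discourse built-ins, i.e. site-specific
    groups whose existence the payload discloses."""
    return sorted(n for n in names if n not in BUILTIN_GROUPS)


def oldest_topic(reason: Optional[str]) -> Optional[Dict[str, str]]:
    """Extract the oldest-topic URL and title from cannot_delete_reason."""
    m = OLDEST_TOPIC_RE.search(reason or "")
    return {"url": m.group(1), "title": m.group(2)} if m else None


def audit_category(payload: str) -> List[Dict[str, object]]:
    """Flag values in a show.json payload that an anonymous client should not
    need. Each finding names the JSON field and what it exposes."""
    cat = json.loads(payload)["category"]
    findings: List[Dict[str, object]] = []

    if cat.get("read_restricted"):
        present = {f: cat[f] for f in RESTRICTED_METADATA if f in cat}
        findings.append({"field": "read_restricted",
                         "exposes": "metadata of a restricted category",
                         "value": present})

    groups = custom_groups(cat.get("available_groups", []))
    if groups:
        findings.append({"field": "available_groups",
                         "exposes": "site-specific group names",
                         "value": groups})

    perm_groups = [p.get("group_name") for p in cat.get("group_permissions", [])]
    if perm_groups:
        findings.append({"field": "group_permissions",
                         "exposes": "groups granted access to the category",
                         "value": perm_groups})

    topic = oldest_topic(cat.get("cannot_delete_reason"))
    if topic:
        findings.append({"field": "cannot_delete_reason",
                         "exposes": "title and URL of the oldest topic",
                         "value": topic})

    return findings


if __name__ == "__main__":
    for finding in audit_category(SAMPLE_SHOW_JSON):
        print(f"{finding['field']}: {finding['exposes']} -> {finding['value']}")
```

To check a real instance, an operator saves the response of their own site's `/c/<id>/show.json` while logged out and passes that text to `audit_category`; an empty result for a restricted category means none of the four fields discussed in the thread is exposed to anonymous clients.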
I'm assuming that the message on meta.d is just hidden, or have you not reported it over there yet?
-
I'm assuming that the message on meta.d is just hidden, or have you not reported it over there yet?
Well, since someone saw fit to delete my last report on there (about missing groups on profiles and cards), rather than move the posts to the existing general topic for the general feature change I was complaining about, I fail to see why I should bother.
-
Fair enough.