Category JSON leaks information about restricted categories and groups.


  • Discourse touched me in a no-no place

    Continuing the discussion from Discourse to NNTP gateway:

    @VinDuv said:

    It can also be used to retrieve information about private categories, which may not be intended behaviour...

    Specifically it gives the group name and the title of the oldest topic.

    For example, even when not logged in, http://what.thedailywtf.com/c/4/show.json gives up:

    
    
    {
      "category": {
        "id": 4,
        "name": "Staff",
        "color": "283890",
        "text_color": "FFFFFF",
        "slug": "staff",
        "topic_count": 13,
        "post_count": 77,
        "description": "Private category for staff discussions. Topics are only visible to admins and moderators.",
        "description_text": "Private category for staff discussions. Topics are only visible to admins and moderators.",
        "topic_url": "\/t\/about-the-staff-category\/9",
        "read_restricted": true,
        "permission": null,
        "parent_category_id": 3,
        "notification_level": null,
        "logo_url": "\/uploads\/default\/3716\/c79f02a2c58bdbbc.png",
        "background_url": "\/uploads\/default\/4058\/1735e7ca0324bce0.png",
        "available_groups": [
          "admins",
          "area_bel",
          "area_deu",
          "area_gbr",
          "area_usa",
          "bots",
          "everyone",
          "moderators",
          "programmers_testers",
          "trust_level_0",
          "trust_level_1",
          "trust_level_2",
          "trust_level_3",
          "trust_level_4"
        ],
        "auto_close_hours": null,
        "auto_close_based_on_last_post": false,
        "group_permissions": [
          {
            "permission_type": 1,
            "group_name": "staff"
          }
        ],
        "position": 10,
        "cannot_delete_reason": "Can't delete this category because it has 13 topics. Oldest topic is <a href=\"http:\/\/what.thedailywtf.com\/t\/invisible-topic-for-site-assets\/8\">Invisible topic for site assets<\/a>",
        "allow_badges": true
      }
    }
    
    


  • @PJH said:

    Specifically it gives the group name and the title of the oldest topic.

    That seems like it could be a problem if you're talking about specific users in the admin area.


  • Discourse touched me in a no-no place

    @Keith said:

    That seems like it could be a problem if you're talking about specific users in the admin area.

    Mitigated by the fact that the oldest topic in most categories is the "What this topic is about" post.


  • Discourse touched me in a no-no place

    In fact.. I've just realised something about the fact that groups are listed there.

    Off to test something...


  • Discourse touched me in a no-no place

    @PJH said:

    Off to test something...

    Uh, huh - it also leaks invisible group names:

        "available_groups": [
          "admins",
          "area_bel",
          "area_deu",
          "area_gbr",
          "area_usa",
          "bots",
          "everyone",
          "moderators",
          "programmers_testers",
          "super_sekret_group",
          "trust_level_0",
          "trust_level_1",
          "trust_level_2",
          "trust_level_3",
          "trust_level_4"
        ],
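An added example, not code from the thread or from Discourse: a small offline audit of what an anonymous `/c/<id>/show.json` response discloses, covering the points raised above (the group holding the access grant, the oldest topic title inside `cannot_delete_reason`, and group names that are not otherwise listed publicly). The sample payload is a constructed, trimmed copy of the response quoted earlier; `PUBLIC_GROUPS` is likewise constructed (it would normally be scraped from the site's public group listing), and the mapping of `permission_type` numbers to labels is an assumption taken from the category admin UI.

```python
"""Audit what an unauthenticated /c/<id>/show.json response discloses.

Added example for this thread, not Discourse code. Payload and group list
below are constructed for the demonstration.
"""
import html
import json
import re

# Assumption: Discourse category permission levels as labelled in the admin UI.
PERMISSION_TYPES = {1: "create/reply/see", 2: "reply/see", 3: "see"}

# Constructed sample: a trimmed copy of the restricted category quoted above.
SAMPLE_SHOW_JSON = r'''{
  "category": {
    "id": 4,
    "name": "Staff",
    "slug": "staff",
    "topic_count": 13,
    "read_restricted": true,
    "permission": null,
    "available_groups": ["admins", "everyone", "moderators",
                         "super_sekret_group", "trust_level_0"],
    "group_permissions": [{"permission_type": 1, "group_name": "staff"}],
    "cannot_delete_reason": "Can't delete this category because it has 13 topics. Oldest topic is <a href=\"http:\/\/what.thedailywtf.com\/t\/invisible-topic-for-site-assets\/8\">Invisible topic for site assets<\/a>"
  }
}'''

# Constructed: group names an anonymous visitor can already see listed on the site.
PUBLIC_GROUPS = {"admins", "everyone", "moderators", "trust_level_0"}

_ANCHOR = re.compile(r'<a\s+href="([^"]*)"[^>]*>(.*?)</a>', re.S)


def oldest_topic(reason):
    """Pull (url, title) out of cannot_delete_reason; None when no link is embedded."""
    if not reason:
        return None
    m = _ANCHOR.search(reason)
    if not m:
        return None
    return html.unescape(m.group(1)), html.unescape(m.group(2)).strip()


def parse_category(payload):
    """Reduce a show.json body to the fields that matter for the leak."""
    cat = json.loads(payload)["category"]
    return {
        "id": cat["id"],
        "name": cat["name"],
        "read_restricted": bool(cat.get("read_restricted")),
        "grants": [(g["group_name"], PERMISSION_TYPES.get(g["permission_type"], "unknown"))
                   for g in cat.get("group_permissions", [])],
        "available_groups": list(cat.get("available_groups", [])),
        "oldest_topic": oldest_topic(cat.get("cannot_delete_reason")),
    }


def hidden_groups(available_groups, public_groups):
    """Group names present in available_groups but absent from the public listing."""
    return sorted(set(available_groups) - set(public_groups))


def audit(payload, public_groups):
    """Return one finding per disclosed item; an empty list means nothing leaked."""
    cat = parse_category(payload)
    findings = []
    if cat["read_restricted"]:
        findings.append(f'category {cat["id"]} "{cat["name"]}" is read_restricted '
                        f'but its metadata was served to an anonymous request')
        for group, perm in cat["grants"]:
            findings.append(f'  access grant disclosed: group "{group}" ({perm})')
        if cat["oldest_topic"]:
            url, title = cat["oldest_topic"]
            findings.append(f'  oldest topic title disclosed: "{title}" ({url})')
    for group in hidden_groups(cat["available_groups"], public_groups):
        findings.append(f'  group name not listed publicly: "{group}"')
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SHOW_JSON, PUBLIC_GROUPS):
        print(line)
```

To run this against a live site you would fetch `/c/<id>/show.json` for a range of ids without a session cookie and feed each body to `audit`; the `hidden_groups` check only finds something if you also collect the groups the site lists publicly, since the leak is the difference between the two lists.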
    


  • I'm assuming that the message on meta.d is just hidden, or have you not reported it over there yet?


  • Discourse touched me in a no-no place

    @locallunatic said:

    I'm assuming that the message on meta.d is just hidden, or have you not reported it over there yet?

    Well since someone saw fit to delete my last report on there (about missing groups on profiles and cards), rather than move the posts to the existing general topic for the general feature change I was complaining about, I fail to see why I should bother.



  • Fair enough.

