Category group permissions leaked to users that cannot edit a category
Package
Discourse
(Discourse)
Affected versions
stable <= 2.8.2; beta <= 2.9.0.beta3; tests-passed <= 2.9.0.beta3
Patched versions
stable >= 2.8.3; beta >= 2.9.0.beta4; tests-passed >= 2.9.0.beta4
Impact
A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category even though the information should only be available to the users that can manage a category.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse
Workarounds
There are no workarounds for this problem.