Not a bug Reports Bug

When a user reports content that is in a hidden node only accessible to users in Usergroup A, users in Usergroup B will be able to see the thread content. Users in Usergroup A are Administrators, users in Usergroup B are Moderators. In this example, both should have access to the Reports Queue.

This seems like a very uncommon use case, but it seems since there are no permissions checks hidden information could be exposed this way.


Well-known member
Can you verify this with accounts matching your description with add-ons disabled? The report center already handles permission checks and a user will only see what he has permission to see.
I fixed this one. It was because the Permissions were not all set to Revoke in the Node Everything but View Node was set to Inherit from the Category. Users in the group could not view the node, but in certain cases (like the Reports) could see the thread content.