FEATURE: Warn admins about private group name's exposure to anonymous users. (#19557)

Group names will be used as CSS classes in some components while rendering the public HTML output. It will happen when a group is set as the default primary for users. Or when a group has either a flair icon or flair upload. So we should warn the admins when they restrict the group's visibility level.

Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>

app/assets/javascripts/discourse/app/components/group-manage-save-button.js

@@ -4,17 +4,40 @@ import discourseComputed from "discourse-common/utils/decorators";
 import { popupAjaxError } from "discourse/lib/ajax-error";
 import { popupAutomaticMembershipAlert } from "discourse/controllers/groups-new";
 import showModal from "discourse/lib/show-modal";
+import { or } from "@ember/object/computed";
 
 export default Component.extend({
   saving: null,
   disabled: false,
   updateExistingUsers: null,
+  hasFlair: or("model.flair_icon", "model.flair_upload_id"),
 
   @discourseComputed("saving")
   savingText(saving) {
     return saving ? I18n.t("saving") : I18n.t("save");
   },
 
+  @discourseComputed(
+    "model.visibility_level",
+    "model.primary_group",
+    "hasFlair"
+  )
+  privateGroupNameNotice(visibilityLevel, isPrimaryGroup, hasFlair) {
+    if (visibilityLevel === 0) {
+      return;
+    }
+
+    if (isPrimaryGroup) {
+      return I18n.t("admin.groups.manage.alert.primary_group", {
+        group_name: this.model.name,
+      });
+    } else if (hasFlair) {
+      return I18n.t("admin.groups.manage.alert.flair_group", {
+        group_name: this.model.name,
+      });
+    }
+  },
+
   actions: {
     save() {
       if (this.beforeSave) {

app/assets/javascripts/discourse/app/templates/components/group-manage-save-button.hbs

@@ -1,3 +1,10 @@
+{{#if this.privateGroupNameNotice}}
+  <div class="row">
+    <div class="alert alert-warning alert-private-group-name">
+      {{this.privateGroupNameNotice}}
+    </div>
+  </div>
+{{/if}}
 <div class="control-group buttons group-manage-save-button">
   <DButton @action={{action "save"}} @disabled={{or this.disabled this.saving}} @class="btn btn-primary group-manage-save" @translatedLabel={{this.savingText}} />
   {{#if this.saved}}

app/assets/javascripts/discourse/tests/acceptance/group-manage-save-button-test.js

@@ -0,0 +1,29 @@
+import { acceptance, exists } from "discourse/tests/helpers/qunit-helpers";
+import selectKit from "discourse/tests/helpers/select-kit-helper";
+import { click, visit } from "@ember/test-helpers";
+import { test } from "qunit";
+
+acceptance("Managing Group - Save Button", function (needs) {
+  needs.user();
+
+  test("restricting visibility and selecting primary group checkbox", async function (assert) {
+    await visit("/g/alternative-group/manage/membership");
+
+    await click(".groups-form-primary-group");
+
+    await click('a[href="/g/alternative-group/manage/interaction"]');
+
+    const visibilitySelector = selectKit(
+      ".select-kit.groups-form-visibility-level"
+    );
+    await visibilitySelector.expand();
+    await visibilitySelector.selectRowByValue("1");
+
+    assert.ok(exists(".alert-private-group-name"), "alert is shown");
+
+    await visibilitySelector.expand();
+    await visibilitySelector.selectRowByValue("0");
+
+    assert.notOk(exists(".alert-private-group-name"), "alert is hidden");
+  });
+});

config/locales/client.en.yml

@@ -4587,6 +4587,9 @@ en:
               other: "%{count} users have the new email domains and will be added to the group."
             automatic_membership_associated_groups: "Users who are members of a group on a service listed here will be automatically added to this group when they log in with the service."
             primary_group: "Automatically set as primary group"
+          alert:
+            primary_group: "Since this is a primary group, the name '%{group_name}' will be used in CSS classes which can be viewed by anyone."
+            flair_group: "Since this group has flair for its members, the name '%{group_name}' will be visible to anyone."
         name_placeholder: "Group name, no spaces, same as username rule"
         primary: "Primary Group"
         no_primary: "(no primary group)"