SECURITY: Do not leak private group names. (#7008)

app/models/site.rb

@@ -71,6 +71,12 @@ class Site
     end
   end
 
+  def groups
+    groups = Group.visible_groups(@guardian.user)
+    groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}") if !@guardian.is_staff?
+    groups
+  end
+
   def suppressed_from_latest_category_ids
     categories.select { |c| c.suppress_from_latest == true }.map(&:id)
   end

app/serializers/site_serializer.rb

@@ -50,9 +50,7 @@ class SiteSerializer < ApplicationSerializer
   end
 
   def groups
-    cache_fragment("group_names") do
-      Group.order(:name).pluck(:id, :name).map { |id, name| { id: id, name: name } }.as_json
-    end
+    object.groups.pluck(:id, :name).map { |id, name| { id: id, name: name } }.as_json
   end
 
   def post_action_types

spec/models/site_spec.rb

@@ -66,6 +66,21 @@ describe Site do
     expect(Site.new(guardian).categories).not_to include(sub_category)
   end
 
+  it "omits groups user can not see" do
+    user = Fabricate(:user)
+    site = Site.new(Guardian.new(user))
+
+    group = Fabricate(:group, visibility_level: Group.visibility_levels[:staff])
+    expect(site.groups.pluck(:name)).to eq(["moderators"])
+
+    group = Fabricate(:group)
+    expect(site.groups.pluck(:name)).to eq([group.name])
+
+    admin = Fabricate(:admin)
+    site = Site.new(Guardian.new(admin))
+    expect(site.groups.pluck(:name)).to eq(Group.visible_groups(admin).pluck(:name))
+  end
+
   it "includes all enabled authentication providers" do
     SiteSetting.enable_twitter_logins = true
     SiteSetting.enable_facebook_logins = true