Confluence Data Center / CONFSERVER-47192

Users without view permission to a private space may still see private questions in Popular tab, Topic counters, or search results

    Description

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      Summary

      Anonymous/Limited users may see private questions (questions that are linked to a private space) in the Popular tab or in Topics counters.

      Note: Limited users are users without permission to view the private space that contains questions.

      Environment

      • Confluence 5.8.18
      • Questions plugin 2.4.11

      Steps to Reproduce

      1. Prepare test scenario:
        1. enable anonymous user
        2. add several global questions
        3. answer them while they are still global and unrestricted
        4. create a private space
        5. create and configure a limited user (no view access to the private space)
        6. restrict visibility of the private space
        7. move one answered question to the private space
        8. leave at least one global question as it is
        9. create a new question and answer it in a private space (same topics as before)
        10. add the topic "private" to all questions that belong to a private space
      • Test Symptom #1 - anonymous/limited users see private questions in the Popular tab:
        1. log in as an anonymous or limited user
        2. navigate to Questions and observe the Popular and Recent tabs

      Actual results (anonymous user): In the Popular tab, the anonymous user sees questions that belong to a private space. Clicking on a restricted question redirects the user to the login page. See attached screenshot for example:

      Actual results (limited user): In the Popular tab the limited user sees questions that belong to a private space. Clicking on a restricted question redirects the limited user to a "Page Not Found" page.

      Expected results: neither anonymous nor limited users should see questions/answers that belong to a private space. This seems to work as expected in the Recent and Unanswered tabs. See attached screenshot for example:

      • Test Symptom #2 - anonymous/limited users see topic counters that include private questions when browsing questions by topic:
        1. log in as an anonymous or limited user
        2. navigate to Questions > Topics
        3. click on the "private" topic

      Actual results (anonymous/limited users): Even though the "private" topic has a counter indicating a number of questions greater than 0, clicking on that topic leads the user to a potentially empty page. See attached screenshots below for an example of "private" topic leading the user to an empty page:

      Expected results: The topic counter should not lead users to empty pages. Ideally the counters would include only questions that are visible to the current user.

      Notes

      When anonymous/limited users click on the private question link, they are prompted for credentials or redirected to a "page not found". Therefore, this bug report was raised with "Minor" symptom severity.

      Workaround

      • Create the questions directly in a private space to avoid symptom #1 (symptom #2 still happens).
      • I could not find a way to "fix" view permissions whenever symptom #1 is observed.
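
The expected results above (listings and topic counters limited to what the current viewer may open) can be expressed as a permission-aware aggregation plus a regression check. The following is an added example, not code from Confluence or the Questions plugin; the data model, user names, space key and function names are all hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Question:
    title: str
    space: Optional[str]   # None = global question
    topics: tuple
    votes: int

# Constructed sample data mirroring the reproduction steps (all names hypothetical).
SPACE_VIEWERS = {"PRIV": {"alice"}}   # private space -> users with view permission
QUESTIONS = [
    Question("Global how-to", None, ("install",), 3),
    Question("Moved to private space after answer", "PRIV", ("install", "private"), 9),
    Question("Asked inside private space", "PRIV", ("install", "private"), 5),
]

def can_view(user, q):
    """user is None for an anonymous visitor."""
    return q.space is None or user in SPACE_VIEWERS.get(q.space, set())

def visible(user):
    return [q for q in QUESTIONS if can_view(user, q)]

def popular(user, limit=10):
    # Filter by view permission first, then rank by votes.
    return sorted(visible(user), key=lambda q: q.votes, reverse=True)[:limit]

def topic_counts(user):
    # Count only questions the viewer could actually open.
    return Counter(t for q in visible(user) for t in q.topics)

def unfiltered_topic_counts():
    # Models the reported behaviour: counters computed over every question.
    return Counter(t for q in QUESTIONS for t in q.topics)

def audit(user, listed, counts):
    """Return (titles listed but not viewable, topics whose counter is inflated)."""
    allowed = topic_counts(user)
    hidden = [q.title for q in listed if not can_view(user, q)]
    inflated = {t: n - allowed[t] for t, n in counts.items() if n > allowed[t]}
    return hidden, inflated

if __name__ == "__main__":
    for user in (None, "bob", "alice"):   # anonymous, limited, permitted
        print(user, audit(user, QUESTIONS, unfiltered_topic_counts()),
              audit(user, popular(user), topic_counts(user)))
```

Running `audit` per viewer role against whatever a listing or counter endpoint returns gives a regression test for both symptoms: any non-empty result means an aggregate view skipped the view-permission filter.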

      People

      • Assignee: Unassigned
      • Reporter: Felipe Rechia (frechia, Inactive)
      • Votes: 4
      • Watchers: 5