Issue Summary

Members of a group in an Audience Specific page can see incidents in the page API status.json file even when they are not part of the group with the affected component.

Steps to Reproduce

I have the following component groups and components:

• Component Group 1
  • Component 1
• Component Group 2
  • Component 2

I have the following audiences:

• Group 1 (Has access to Component 1 only)
• Group 2 (Has access to Component 2 only)

Repro steps:

1. Declare an incident for the component "Component 1", set it to Major Outage.
2. Open private browser window go to AS page
3. Login as user for Group 1
   1. UI Page shows Red and major outage as expected.
   2. go to status.json and observe the following returned in the json payload as expected: "status": { "indicator": "critical", "description": "Major System Outage" }
   3. go to components.json and observe the following returned in the json payload as expected : "components": [ { "id": "COMPONENT_ID", "name": "Component 1", "status": "major_outage"... # Close the private browser window.  # Open new private browser window and go to the AS page # Login as user from Group 2 ## UI Page shows Green and operational as expected. ## go to status.json and observe the following returned in the json payload NOT expected: "status": \{ "indicator": "critical", "description": "Major System Outage" }
   4. go to components.json and observe the following returned in the json payload as expected: "components": [ { "id": "COMPONENT_ID", "name": "Component 2", "status": "operational"...

Expected Results

The JSON on the AS page without access to the component should not show an incident 

Actual Results

The JSON on the AS page without access to the component DOES show an incident 

Workaround

Currently, there is no known workaround for this behavior. A workaround will be added here when available