Super sticky post of private forum is being listed in shortcode topic list

[tuomasparviainen.com]

Topic title is visible for not logged in user. The topic with replies is not available.

This is security problem, while topic titles may contain sensitive information and users assume private forums to be private to the end.

[tuomasparviainen.com]

/**
	 * Filter the query for the topic index
	 *
	 * @since bbPress (r3637)
	 *
	 * @param array $args
	 * @return array
	 */
	public function display_topic_index_query( $args = array() ) {
		$args['author']        = 0;
		$args['show_stickies'] = true;
		$args['order']         = 'DESC';
		return $args;
	}

I found this from shortcodes.php. Argument show_stickies can be altered here, but when core is updated the selection is set to default.

This selection need to be in back-end options.

[johnjamesjacoby]

This needs to be addressed in bbp_has_topics(). Moving to 2.4 to address then.

[johnjamesjacoby]

In 4987:

When super sticky topics exist in private or hidden forums, they currently always appear in topic-index listings, even when the current user cannot access them.

This changeset adds 'post_parentnot_in' to the super-sticky post query parameters, to exclude topics that are within private/hidden forums the current user cannot access. Fixes #2173.