Content from restricted categories is available via other paths

[cellio]

We have the ability to restrict categories, both read and write. The Meta blog only accepts posts from moderators (which we know works because we once tried to invite a non-mod to post), and the Judaism community has a Purim Torah category that is hidden for most of the year (it's a seasonal thing). If you access the site as a non-moderator, you won't see it in the category bar.

However, there are other places where we should be doing that check and aren't. https://github.com/codidact/qpixel/issues/914 reports one, and it appears that things that check post availability (like search results) don't also check category availability , so you can get things in search results that you won't actually be able to view. (There are a couple other paths, but I don't want to record details of a security issue publicly. I can discuss with whoever picks up this issue.)