If you have an anonymous, unrevealed collection (or, quite likely, a collection that is only one of those) and someone posts a work to said collection, the work and its creator may still be visible to all who encounter said work.
These steps will not always reproduce the bug, but here is the process:
Browse > Collections > New Collection
Fill in required information
Check both “This collection is unrevealed” and “This collection is anonymous”
Follow the “Post to Collection” link
Fill in required information (the collection info will already be filled in because you used the “Post to Collection” link)
Post Without Preview
This is a fascinating situation where the Work is incorrect (in_anon_collection: false, in_unrevealed_collection: false), but the CollectionItem is correct (anonymous: true, unrevealed: true):
Please note that the Work and CollectionItem IDs have been changed to 000 and some work fields (title, summary, notes, authors_to_sort_on, title_to_sort_on, ip_address) removed for privacy, as they are not relevant.
We confirmed that this work -- and at least one other work affected by this issue -- belonged only to one anonymous, unrevealed collection.
We note that the Work and CollectionItem were created at the exact same time (created_at: "2017-11-17 20:20:28"), although this is not in itself unusual -- it happens on works that are properly marked unrevealed and anonymous as well.
We suspect a race condition. 😭
CollectionItem.update_work is one of the few after_commit callbacks we have that tries to read data that was just written in the previous commit. Because it's an after_commit callback, not an after_save, the database queries to look up user_approved_collection_items (in update_anon_unrevealed, which is called by CollectionItem.update_work) occur outside of the transaction, which in theory would allow them them be routed to the read-only SQL servers, which have some chance of lagging behind the master SQL server by a transaction or two. (h/t ticking instant for the discovery and explanation.)
Because this cannot be reproduced at will, it is unlikely the fix can be tested. All we can do is take several shots at posting to an unrevealed, anonymous collection to confirm the correct behavior still happens and watch for any new reports of this bug after the fix is deployed.