MAJOR Permission Issue - Projects Showing To People When They Should Not - Confidential Info Leaked

permissions
bug

#1

If you have an organisation set up and you have Team 1 and:

  • In Team 1, you have Project A and Project B.
  • Person X is a member of Team 1
  • Person Y is a member of Project A (but not a Team 1 or Project B member)
  • Person Z is a member of Project B (but not a Team 1 or Project A member)
  • All Persons are members of your organisation (i.e. have the same email - e.g. x@mycompany.com)
  • If you set Project A as Make public to Team 1, Person Z can still see everything in Project A (even though they are not a Team 1 or Project A member)
  • Same for Person Y seeing into Project B.
  • Person X can see into both, which is expected since it says Make public to Team 1 and they are a member of the overall Team.
  • Fortunately, this issue does not happen if a person is not an organisation member and is, instead, just a guest user (i.e. does NOT have the same email - e.g. x@mycompany.com)
  • Just making a Project private is not a solution to this because it undermines the point of having overall team members with oversight over a team without having to be Project Members.
  • This should be fixed ASAP before confidential info is leaked across organisations!
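The intended visibility rule from the report above (direct project members see a project; "Make public to Team 1" additionally grants the team's members, and nobody else) written as a small regression check. This is an added example, not part of the original post and not the product's own code. The people X, Y, Z, the guest G, the `everyone` group and the misconfiguration it reproduces (an org-wide group added as a member of Team 1) are constructed assumptions chosen to reproduce the reported symptom; they are not a statement of what the actual cause was.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    email: str


@dataclass(frozen=True)
class Project:
    name: str
    team: str
    members: frozenset        # direct project members (person names)
    public_to_team: bool = False


def org_members(people, domain):
    """Organisation membership as the report defines it: same email domain."""
    return {p.name for p in people if p.email.lower().endswith("@" + domain)}


def expand_teams(team_defs, groups):
    """Resolve team definitions to person names.

    An entry is either a person name or 'group:<name>', which expands to
    every member of that group (hypothetical group mechanism, assumed here).
    """
    teams = {}
    for team, entries in team_defs.items():
        names = set()
        for entry in entries:
            if entry.startswith("group:"):
                names |= groups[entry[len("group:"):]]
            else:
                names.add(entry)
        teams[team] = frozenset(names)
    return teams


def can_view(person_name, project, teams):
    """Intended rule: project member, or team member when the project is public to its team."""
    if person_name in project.members:
        return True
    return project.public_to_team and person_name in teams.get(project.team, frozenset())


def visibility_matrix(people, projects, teams):
    return {(p.name, pr.name): can_view(p.name, pr, teams) for p in people for pr in projects}


def unexpected_grants(expected, actual):
    """Pairs (person, project) that are visible but should not be."""
    return sorted(k for k, v in actual.items() if v and not expected.get(k, False))


# Constructed scenario matching the report: three org members plus one guest.
PEOPLE = [
    Person("X", "x@mycompany.com"),
    Person("Y", "y@mycompany.com"),
    Person("Z", "z@mycompany.com"),
    Person("G", "g@guest.example"),   # guest user, not an org member
]
PROJECTS = [
    Project("A", "Team 1", frozenset({"Y"}), public_to_team=True),
    Project("B", "Team 1", frozenset({"Z"}), public_to_team=True),
]
GROUPS = {"everyone": org_members(PEOPLE, "mycompany.com")}

# What the report says should happen.
EXPECTED = {
    ("X", "A"): True,  ("X", "B"): True,
    ("Y", "A"): True,  ("Y", "B"): False,
    ("Z", "A"): False, ("Z", "B"): True,
    ("G", "A"): False, ("G", "B"): False,
}

# Team 1 as intended: only X.
INTENDED_TEAMS = expand_teams({"Team 1": {"X"}}, GROUPS)
# Hypothetical misconfiguration: the org-wide group was also added to Team 1.
MISCONFIGURED_TEAMS = expand_teams({"Team 1": {"X", "group:everyone"}}, GROUPS)


def check(teams):
    """Return the list of leaks for a given team setup (empty means the policy holds)."""
    return unexpected_grants(EXPECTED, visibility_matrix(PEOPLE, PROJECTS, teams))


if __name__ == "__main__":
    print("intended setup leaks:     ", check(INTENDED_TEAMS))
    print("misconfigured setup leaks:", check(MISCONFIGURED_TEAMS))
```

With the intended team definition the check returns no leaks; with the org-wide group folded into Team 1 it reports exactly the two cross-project grants from the report (Y into B, Z into A) while the guest G stays excluded, which is the same pattern as the observation that guest users were not affected. Running a check like this against the real team and project configuration is a quick way to distinguish a product bug from an over-broad team membership before escalating.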

#2

Above issue is not a problem. There was a bug in the way our System Admin set things up. Now resolved.