Security issue: Viewer can provide Edit rights

  • 22 June 2023
  • 5 replies
  • 38 views

Hi everyone!

Today got this case:

I gave a link to my board to PersonA. PersonA requested Edit rights, and another user (PersonB), who already had Reader access, gave PersonA Edit rights to my board. What???


If it matters: Free Plan; I and both PersonA and PersonB are logged in with Google accounts.



Userlevel 7
Badge +12

@YaBuxxter - Thanks for sharing that this is a Free Plan team - this absolutely matters.

Without digging in too deep, what you are experiencing is likely expected behaviour given the way the Free Plan works.

For example:

I would suggest that you review:

  1. Your team invite settings:

  2. The list of members/users on your Free Plan - perhaps there are some who should be removed.

@Robert Johnson thank you for the detailed answer. I need to say here that when I create a sharing link I choose “Can view” or “Can comment”.

I just wanted to show my idea to other people.

The intuitively expected behavior is:

Share → Copy invite link (Can comment) → Send link to somebody

It’s ok if someone who can already view or comment gives the link to other people to view or comment, but not to Edit!


I changed the settings following the instructions above, but I need another account to check this behavior.

Anyway, these are two different problems: unexpected growth of the team (which was expected in my case) and levelling up of privileges.


Userlevel 7
Badge +12

@YaBuxxter - This issue – and why your team is growing – is this:


The only way a non-team member can Edit or Comment on your board is if they are a team member. This is illustrated when you try to use the Visitors/public option (which is the only way for a Free Plan member to allow non-team members to view your boards):


@Robert Johnson can we just forget about the growing team? It's not the point of my question.

The question is: why can a 'viewer' or 'commenter' (in my team) grant the 'edit' privilege?

Userlevel 7
Badge +12

@YaBuxxter - I mentioned the “growing team” for two reasons:

  1. You brought it up:

     Anyway, these are two different problems: unexpected growth of the team (which was expected in my case) and levelling up of privileges.

  2. For other readers of this post.

Looking at your screenshot again, I think you’ll find that one or more of the individuals who have board-level share access have Edit permissions:


I am only speculating, but if you had the Invite to team and board access set to Can edit, but later changed it to Can comment, those who clicked on the link before you changed it still retain their edit access. If you want to deactivate any “join team and edit board” link that may be floating around out there, it seems that the easiest way to do this is to duplicate the board - note: this would create a new board link, so any bookmarks would need to be updated.
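The two access-control points raised in this thread (a viewer or commenter should never be able to hand out Edit, and changing an invite link's role does not take back what earlier joiners already received) are easy to state as invariants of a sharing model. The following is an added, constructed Python model written for this page; it is not Miro's code and makes no claim about how Miro stores links or members. The `Board`, `Role`, the token-based `links` table and the `scenario()` walkthrough are all assumptions introduced here to illustrate a delegation ceiling, the retained-access effect described above, and why invalidating the old link (rather than merely lowering its role) is what actually closes the door:

```python
"""Constructed model of board sharing with a least-privilege delegation rule.

Assumptions (not Miro's implementation): a board has an owner, members who each
hold one role, and invite links that carry a role. Anyone who redeems a link
joins the board with that link's role at the time of redemption.
"""
from dataclasses import dataclass, field
from enum import IntEnum
import secrets


class Role(IntEnum):
    """Ordered so that '>' means 'more privileged than'."""
    NONE = 0
    VIEW = 1
    COMMENT = 2
    EDIT = 3


class PrivilegeEscalationError(Exception):
    """Raised when a delegator tries to grant more than they hold."""


@dataclass
class Board:
    owner: str
    members: dict[str, Role] = field(default_factory=dict)
    links: dict[str, Role] = field(default_factory=dict)   # token -> role granted on redemption

    def role_of(self, user: str) -> Role:
        if user == self.owner:
            return Role.EDIT
        return self.members.get(user, Role.NONE)

    def _check_ceiling(self, by: str, role: Role) -> None:
        # Delegation ceiling: nobody can hand out a role above their own.
        if role > self.role_of(by):
            raise PrivilegeEscalationError(
                f"{by} holds {self.role_of(by).name} and cannot grant {role.name}")

    def grant(self, by: str, to: str, role: Role) -> None:
        """Direct grant from one user to another, subject to the ceiling."""
        self._check_ceiling(by, role)
        # A grant never silently downgrades an existing member.
        self.members[to] = max(self.members.get(to, Role.NONE), role)

    def create_link(self, by: str, role: Role) -> str:
        """An invite link is a stored grant, so the same ceiling applies to it."""
        self._check_ceiling(by, role)
        token = secrets.token_urlsafe(16)
        self.links[token] = role
        return token

    def redeem_link(self, token: str, user: str) -> Role:
        """Joining through a link gives the link's *current* role."""
        if token not in self.links:
            raise KeyError("unknown or revoked link")
        self.members[user] = max(self.members.get(user, Role.NONE), self.links[token])
        return self.members[user]

    def set_link_role(self, token: str, role: Role) -> None:
        """Lowering a link's role only affects future redemptions; members who
        already joined keep whatever they were given (the retained-access case)."""
        self.links[token] = role

    def revoke_link(self, token: str) -> None:
        """Invalidating the token is what stops the old link from working."""
        self.links.pop(token, None)

    def members_above(self, role: Role) -> dict[str, Role]:
        """Audit helper: who holds more than the level the owner meant to share?"""
        return {u: r for u, r in self.members.items() if r > role}


def scenario() -> dict:
    """Walk through the thread's situation and return what the model observes."""
    board = Board(owner="me")
    link = board.create_link("me", Role.EDIT)       # owner creates an Edit link
    board.redeem_link(link, "PersonA")               # PersonA joins while it is Edit
    board.set_link_role(link, Role.COMMENT)          # owner lowers the link afterwards
    board.redeem_link(link, "PersonC")               # a later joiner only gets Comment
    board.grant("me", "PersonB", Role.VIEW)          # PersonB is a plain viewer
    try:
        board.grant("PersonB", "PersonD", Role.EDIT)  # viewer tries to hand out Edit
        escalation_blocked = False
    except PrivilegeEscalationError:
        escalation_blocked = True
    board.grant("PersonB", "PersonD", Role.VIEW)     # passing on View is allowed
    board.revoke_link(link)
    try:
        board.redeem_link(link, "PersonE")
        old_link_dead = False
    except KeyError:
        old_link_dead = True
    return {
        "personA": board.role_of("PersonA"),
        "personC": board.role_of("PersonC"),
        "personD": board.role_of("PersonD"),
        "escalation_blocked": escalation_blocked,
        "old_link_dead": old_link_dead,
        "over_privileged": board.members_above(Role.COMMENT),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

Run as a script it prints the observations: PersonA keeps EDIT after the link is lowered, PersonC gets only COMMENT, the viewer's attempt to grant EDIT is rejected while passing on VIEW succeeds, and the revoked token no longer redeems. The `members_above()` audit is the programmatic form of Robert's advice to review the member list for anyone holding more than the owner intended to share.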
