Sometimes private collections are visible to admins #3454
Comments
It was recently changed so that admins have read permissions to collections if the id is known, so I suspect this is related – although it is indicative of a possible wider bug where permissions are not correctly propagated perhaps? Ideally we'd allow admins to see the existence and manage private collections but not read the content without being added explicitly as a member either by themselves or someone else. This will mean separating the permission that currently encompasses both.
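The split proposed in the comment above, sketched as an added example (not Outline's own policy code; the `can` function, the action names and the data model are hypothetical). The admin role grants listing and membership management only, while reading or editing documents depends solely on explicit membership or the collection default.

```typescript
// Hypothetical model for illustration, not Outline's schema or policy code.
type Role = "admin" | "member";
type Access = "read" | "read_write";
type Action = "list" | "manageMembers" | "readDocuments" | "updateDocuments";

interface User { id: string; role: Role }
interface Collection {
  id: string;
  defaultAccess: Access | null;         // null = private ("No Access")
  memberships: Record<string, Access>;  // explicit per-user grants
}

// Explicit membership wins; otherwise fall back to the collection default.
function effectiveAccess(user: User, c: Collection): Access | null {
  return c.memberships[user.id] ?? c.defaultAccess;
}

function can(user: User, action: Action, c: Collection): boolean {
  const access = effectiveAccess(user, c);
  switch (action) {
    // Administrative capabilities: existence and membership only.
    case "list":
      return user.role === "admin" || access !== null;
    case "manageMembers": // assumption: editors may also manage members
      return user.role === "admin" || access === "read_write";
    // Content capabilities never consult the role.
    case "readDocuments":
      return access !== null;
    case "updateDocuments":
      return access === "read_write";
  }
}

// Constructed sample data.
const admin: User = { id: "u-admin", role: "admin" };
const owner: User = { id: "u-owner", role: "member" };
const privateCol: Collection = {
  id: "c-private", defaultAccess: null, memberships: { "u-owner": "read_write" },
};
const viewOnlyCol: Collection = { id: "c-view", defaultAccess: "read", memberships: {} };

// An admin who needs the content must add themselves, which leaves a record.
function addMember(c: Collection, user: User, access: Access): void {
  c.memberships[user.id] = access;
}
```

Because content checks ignore the role, any path that returns documents to an admin without a membership row is a bug rather than a policy decision, which makes a leak like the one reported here easier to test for.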
Right, I had noticed that read access was granted to admins given the full url. Nonetheless, this happened while I was in another document/collection, and I had not previously accessed this private collection, it just showed up on my sidebar. I will try to reproduce this in the next couple of days, and keep you posted.
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days
Automatically closed due to inactivity
I just experienced this bug. Another admin created a collection with "No Access", and only themselves added with Read/Write Permissions. I was able to see this collection for a few minutes and then it disappeared... As an Admin/User, I still do not want to see everyone's private collections, as this makes my end user experience terrible.
Also, if there is a collection with view-only default permission, I can edit its pages, even if I don't have explicit edit permission. It is a bit inconsistent. However, as an admin, there are cases where I want to see all of the collections (even private ones).
I've experienced this issue twice: a non-admin user creates a collection and removes read and write access to all (making the collection private). Now I, as an admin user, logged into our self-deployed Outline and was able to see this user's private collection and documents. After refreshing the page, the collection was no longer visible to me.
To Reproduce
I don't know yet... We've only experienced this issue twice in the last month without any clear reproduction steps. I will keep a look out in our dev environment to try to catch it in the logs.
Expected behavior
Private documents should not be visible to anyone, including admin users.