Security breach in Digest Emails
The digest emails contain a summary count link to the number of discussion posts in sub-groups. For one group I'm a manager of, when I get the digest and click on that link, I'm taken to the sub-group recent activity page and I can see all the subgroup discussions, calendar, files, members, etc. The catch is, while I'm a manager of the main group, I am not invited to the sub-group. If I go through the main group, I cannot even see this sub-group.
Seems like this compromises the "privacy" of a sub-group. Is this an anomaly because I am a manager of the main group? Or would this issue occur for any member of the group... i.e. anyone can get into the subgroup via a backdoor of the link in the digest?
1 Reply
Hi, Chris. What you're experiencing isn't a security breach -- but it is an inconsistency. As a Groupsite Manager, you do have access to private subgroups today, even if you're not in those subgroups. These subgroups do not show up in your Directory (because they are private); they do not show up in your "My Subgroups" (because you are not a member); but they do show up in your subgroup controls, which are accessible from the MANAGER> Group Settings area.
Members who are not managers and not in a private subgroup do not see Recent Activity for those private subgroups.
The change we need is to have subgroup activity reported in Recent Activity Updates behave the same way for managers as it does for general members. I've opened this request as Ticket #1931.