Serious confidentiality issue
There seem to be very important confidentiality issues in Google Docs:
Access rights and sharing definitions of sub-items are no longer inherited when the sharing settings of a collection are changed!
I searched the help forum and found almost nothing about this. I would be grateful if you could point me to more information about this and what is being done to fix it.
Type of account: Google Apps for Business
Stuff: 50% PC, 50% Mac, Windows 7, Mac OS 10.6, Chrome, IE, Safari.
First notice of the issue:
Two collections have been switched from “All the organization” to “Private”. Sensitive files have been moved to those collections. The next day an employee reported that all sub-items within the private collections were still accessible to all.
We have proceeded to various tests, including a 1-hour break* and re-logging between steps. Tests have shown that there are no rules to this issue. Sometimes it works for all sub-items, sometimes not, sometimes only for some sub-items. But mostly it does not work properly at all.
"This is actually an expected behavior of the collections feature. When you change the sharing settings within the collection, it will not change the settings of the docs within the collection; it will only change the sharing settings of the collection itself.
The docs will retain their original sharing settings. For example, let's say I have Document 1 set at 'Anyone in the organization.' If I add Document 1 to a collection and mark that collection as private, Document 1 itself will not be a private document; it will still be an 'Anyone in the organization' document. The only difference is that people will not have the permission to see my collection and what's in that collection. However, if they were to search for Document 1 in their own docs account, that document will still show up.
The sharing permissions for the collection are for the collection itself. They will not reflect the documents that are in that collection. If you want a document to be private, so that nobody in the organization can view it (except those you have shared it with), you will have to mark that document as private. However, the tricky thing here is, let's say Document 1 is already marked as private and you did not add anybody to the sharing permissions list of this particular document. You then add it to a private collection, and share this collection with another user. If this collection is shared with the user, then they will be able to view this private document that is in the collection you shared."
If you change the sharing settings of a collection, the items within that collection should inherit those changes. There are exceptions to this; we've tried to list the intricacies of this here:
Sorry that you were told this was expected behavior, I'll look into where you received your response from, as we want to make sure that people receive the highest quality answers.
I was able to reproduce the behavior you were describing, so you have indeed discovered a bug. We'll look into it right away. One thing I noticed is that if I have the default setting for the domain as "Anyone with the link" and then change documents to private before adding them to a collection, they do inherit the changes in permission as expected. Sounds like you also already have a workaround for it, which I'm glad to hear. We want this working better though, of course.
Thanks for posting,
<<Settings of the elements at creation>>