I'm not sure if it's meant to and I just don't have a few of the right permissions set somewhere, but I logged in as a non-member for testing and realized that from my dashboard I could access any space that was in the reply to feed. I couldn't do anything once there, but the fact my test user could see spaces in any feeds he didn't have access to made me do a little more looking around.

I did fix that by adjusting the default dashboard widget, which I at some time clicked the active user (I think that was it) off.

Anyways, even though I could no longer see any spaces in the menu or any feeds, I decided to type in the URL the name of one of the spaces and it allowed me access. I could not see any tasks or anything else for that matter other than the space default pic and the default recent activity feed.

I'd prefer no access at all and a not authorized page to show, but if that isn't in OA's scope that's fine. But I really don't think that seeing the activity feed is supposed to happen. Unlike the dashboard, I couldn't just select the active user on when I tried to edit the widget. So I tried to limit of groups of current user and a few others but the non-member could still see that feed.

Am I missing something? I marked as bug but it could be a support request or something.

Does anyone else have any issues like this?

Comments

kevster111’s picture

Update: a little more info

The recent activity widget is only doing this in one of my spaces. I can't see what permission is off. Would a permissions rebuild cause or fix this maybe? Any ideas?

hefox’s picture

You don't mention what privacy settings the spaces have or roles the user has. Please provide more detailed instructions.

Also, security issues are supposed to be reported to security team first, and if this is an issue that a private space is viewable to a privileged user, this is likely a security issue (not enough details for me to determine that based on the current report).

Try resaving the problematic space.

Argus’s picture

Priority: Major » Normal
Status: Active » Postponed (maintainer needs more info)

@kevster111 please provide more info or close the issue if it is no longer viable.