  1. Unintended Permission Escalation

  • Drafts are mandatorily tied to teams in current version

  • Sharing a view-only Draft link grants recipients access to ALL files within the parent team

  2. Flawed Permission Management

  • Shared users don't appear in sidebar Admin panel (Edu plan)

  • Removal requires hidden path:
    All Projects → Team name dropdown → Member list

  3. Security Risks

  • Uncontrolled permission scope may lead to data breaches

  • Obfuscated management path increases operational risks

  4. Reproduction Steps
    ① Create Draft under any team
    ② Generate/view-only link and share
    ③ Recipient gains access to entire team files
    ④ Removal attempt fails in Admin panel
    ⑤ Must use: All Projects → Team dropdown → Manage members

Hi @Chaos_Max, thanks for letting us know about this!

So, you invited someone to a draft file in an Edu team with view access, but they can see other files in the team too, right? We totally understand your concern.

Even though I know your case is different, it really sounds like they might have been invited to the team, and not just had the file shared. I gave it a try, but everything worked fine for me; I couldn’t replicate what you’re seeing.

I'm going to get our support team to look into this by opening a ticket for you. They'll email you soon at the address we have on file.

When you reply to that email, please include:

  • The draft file URL
  • The account you invited
  • A screenshot or video of the problem

Thanks again for your help and understanding!

