I’m a member of the security team. We’re using the Pro plan, and recently, a user was invited into our organization through the following sequence of events:
1. User A (inside the organization) created a file and set access permissions to “Anyone with the link.”
2. User B (outside the organization) accessed the file.
3. User B (outside the organization) then shared the file or granted permissions to User C (also outside the organization).
4. User C ended up becoming a member of our organization.
We contacted Figma, and they confirmed that this behavior is “by design,” and told us that the only way to prevent it is to upgrade to the Enterprise plan.
It seems unreasonable that an external user can effectively accept an invitation into our organization, and we believe this is a serious issue. We wanted to share this so everyone is aware when using Figma.
Additionally, since the file in step 1 was in Drafts, administrators were unable to see it, which affected our initial investigation. We would like administrators to be able to view Draft files as well—or at least see their titles.