I have just done some tests to understand what a guest may or may not see in an organization.
For example, here is my setup:
- A project A that I keep visible internally, with custom fields that contain confidential information for certain tasks.
- A project B that is shared with the client, in which I make some tasks from project A appear.
Confidential custom fields are declared in project A, and I didn’t add them to project B, but still the values of the confidential fields appear in the tasks shared with the customers.
This doesn’t look good from a security point of view. Is this normal or a bug?
I add that projects A and B are both private.
If the confidential custom field is not added to the organization’s library, then it is not visible to the guests.
If the confidential custom field is added to the organization’s library, then it is visible in grey to the guests, and can be deleted by them (not changed).
So the solution could be to have the custom field not in the library, but if it needs to appear in many internal projects then this is not a solution.
(@Bastien_Siebman this will go in the category of the weird tests of Bastien & Julien, even if in this case it is rather surprising from a security point of view.)