I have just done some tests to understand what a guest may or may not see in an organization.
For example, here is my setup:
A project A that I keep visible internally, with custom fields that contain confidential information for certain tasks.
A project B is shared with the client, in which I make some tasks from project A appear.
Confidential custom fields are declared in project A, and I didn’t add them to project B, but the values of the confidential fields still appear in the tasks shared with the customers.
This doesn’t look good from a security point of view. Is this normal or a bug?
I add that projects A and B are both private.
If the confidential custom field is not added to the organization’s library, then it is not visible to the guests.
If the confidential custom field is added to the organization’s library, then it is visible in grey to the guests, and can be deleted by them (not changed).
So the solution could be to have the custom field not in the library, but if it needs to appear in many internal projects then this is not a solution.
Julien
(@Bastien_Siebman it will be in the categories of the weird tests of Bastien & Julien even if in this case it is rather surprising from a security point of view)
We have known that for a long time. I raised the issue a couple of months ago and have been warning people ever since. I recently learned that if the fields are not part of the library, you are fine, though.
Hi @Julien_RENAUD, I investigated this further and I confirm this is currently working as expected. Marie also had a similar question before, and she sent more information here:
I just read the post you are referring to, and it is now closed.
Will the security be improved soon by the development team? Because I totally agree with those who wrote in the post: that’s how it works today, but it’s a big security flaw. And I thank @lpb for trying to propose alternatives, but it’s too complicated to implement at customers; it makes the use of Asana too subtle and counterintuitive.
Hi @Juan_Diego
I’m now facing the same difficulty you had with visible custom fields when I didn’t think it would be the case, as you explained in the following post:
I find it difficult to find a simple and intuitive solution to implement.
The post is more than a year old. What solution did you finally put in place?
Other @cpforumleader, feel free to jump in the conversation, and if you have a solution that can be used by a non-expert Asana customer, then you’ll make my day awesome.
We need to add freelancers to projects but don’t want them to see each other’s payment amounts, which are registered in custom fields. To do it we need to manage all our money deals in Google Sheets. It leads to additional actions and decreases the usability of project dashboards in Asana. The possibility to limit access to some custom fields for guests would be really helpful.
Мария_Чекмарева, did you consider having those financial fields as custom fields of another project, using multi-homing and keeping those fields out of the library?
It is a great idea, thank you so much! The only problem is that the project dashboard will not be full enough and the PM will need to do more actions to analyse project KPIs during and after the project.