Private Portfolio Visibility Bug

Hi, I found a privacy bug yesterday. It turns out that if a project has been assigned to a private portfolio of another user, the name of that portfolio can be seen at the project level by users without access to the private portfolio.

E.g. if Project “Moon” gets added to my supervisor’s private portfolio “project’s likely to fail”, then even though they created that portfolio for their own private use, any user can see that the project has been added to a portfolio of that name by looking above the project name at the project level.

Not a huge security bug, but private portfolios should be entirely private.

1 Like

@Forum-team, fyi, in case you want to escalate because this is privacy-related.

Thanks,

Larry

Hi @Austin_Bouck

I’m sorry for the inconvenience you’re experiencing. We are investigating from our side and will follow up with you shortly.

Thank you for your understanding!

Thanks for flagging @lpb

1 Like

Hi @Austin_Bouck and @lpb, thank you for your patience, and I apologize for the trouble. We’ve been running some tests internally to replicate the issue. However, after several tests with different user permissions, the portfolio name did not appear at the project level for the user who was not a member of the private portfolio. This doesn’t seem to be a widespread issue. Here are the screenshots of the test project we used to troubleshoot this:

Project view for portfolio owner/member:

Project view for project admin who is not a member of the private portfolio:

Austin, can you double-check the portfolio privacy settings just to be sure it’s private to members, and that the user is not a member?

Unfortunately, we don’t have the tools or access to account details to investigate this further here in the Forum, so the best option would be to reach out to our Support Team.

Please note that some users are running into an authentication error when trying to log into our new Help Center (a fix is on the way!). In the meantime, please use one of these workarounds if you run into the same issue in the Help Center:

  • Option 1: Access our Help Center in an incognito browser window and start the chat via the button at the bottom right without logging in. This way, you will not run into the authentication issue that is still in the process of being fixed.
  • Option 2: If incognito mode doesn’t work on your end, please use this temporary form to submit your request to our Support team.

To expedite the process with Support, please include the following information in your request:

  • The URL link for the project in question
  • The email address of the user who is able to view the project name, although they should not have permissions
  • Screenshot of the issue
  • Feel free to also include the link to this Forum thread for reference

Thank you!

2 Likes

Thank you for the response. I am unable to dig in further on the specific incidence here on site, but will try to replicate the issue on my end and let you know if I find a way to do so.

2 Likes