Imported collections get read/write permission initially
Closed this issue · 3 comments
When importing collections, e.g. from Confluence, they are created with read/write permissions, so that initially all Outline users can access the collection.
This is inappropriate for confidential data. We have quite a number of spaces in Confluence which contain data, access to which must be limited to specific users.
Currently, the only thing we can do is update the collection's permissions as soon after the import as we can, but this still leaves a window of opportunity where the collection is readable (and writable) by all users.
To Reproduce
Steps to reproduce the behavior:
- Import data, e.g. using Confluence import, but it's the same for JSON import, for example.
- Wait for the import to finish.
- Navigate to the imported collection's permissions screen.
- The collection's permissions are set to Can edit.
Expected behavior
It would be preferreable to create the collection with No access permission and Admin permission on the collection given to only the user who imported the collection.
This way the final permissions can be decided on after the import by the importing user without risking to leak data.
Screenshots
Current behavior:
Desired behavior:
Outline (please complete the following information):
- Install: self hosted
- Version: 0.76.0-0
According to local testing it could be sufficient to assign null to the collection's permission property in ImportTask.ts, lines 369 and 394. At least if it would be okay for this to be the default behavior. Don't know if it would be necessary to make it configurable though.
I could create a PR if desired.
While I mostly agree, it depends a lot on the content. Really there needs to be a screen as part of the import that lets you choose the permissions per-collection but given the way the import functions this would require a huge refactor to split it into two steps. Outside of that, defaulting to private would create a lot of extra work for the more typical usecase of all the collections being visible.
It sounds like you're using the enterprise edition, if you can email in to support we can discuss how best to move forward.