Guest role with restricted permissions

[M6Ka7]

If I invite several external users to my outline installation, everyone could see other users who have viewed / edited an article. When you invite external users from company A and from company B they can see each other

• on articles viewed in the past
• on articles edited
• on articles viewed at the moment
• in the settings menu (groups/members)
• maybe other pages

which would be an GDPR incident.

To Reproduce
Steps to reproduce the behavior:

1. Create an external user by inviting per mail
2. Give the user minimal access (viewer)
3. Login with "magic link"
4. Visit settings page and then members or groups
5. Visit an arbitrary page and click the avatar button to see
   • who is online (now)
   • who viewed this page
   • who edited this page

Expected behavior
External users must not see others to avoid GDPR penalties. There should also be an feature to disable the avatar - button on

• user
• role
• login type
• global

level and forbid access to settings menu.

If the disabling is not possible, the information should be anonymized e.g.

• 3 people are watching this article now (instead of User A, User B, User C)
• 24 people viewed/edited this article.

Screenshots

The screenshot is made from an external user which can see other (external users) marked with red rectangle.

Outline (please complete the following information):

• Install: self hosted
• Version: v0.61.1

[Shide]

I was testing Outline for my company and I've found the same issue here.

MT-167 @moduon

[michaelkarrer81]

+1 This may be a blocking issue to use outline in my company.

[rafaelbn]

👍 This is a blocking issue

[tommoor]

It sounds like the ask here is for a "guest" role which is being conflated with viewer.

Guests would have much more restricted data access, potentially only being able to access collections that they are explicitly added to and not have access to settings screens. Does this sound right?

[M6Ka7]

The guest role seems to be the right direction for me. But does not cover it 100%.

The background is: The General Data Protection Regulation, which applies across the EU, threatens up to €20 million (about $22 million USD) for exposure of sensitive (identifying) data.

I would suggest a global switch analogous to FORCE_HTTPS which can (only) be set in the docker-compose.yml file.
This switch removes the User viewing / viewed menu (). For any non administrator users.

The switch should also remove the member settings view for non administator users

Maybe there are further pages I have not discovered yet.

[Shide]

It sounds like the ask here is for a "guest" role which is being conflated with viewer.

Yes.

In my case (I'm evaluation 25 kwnoledge platforms), I have assumed that the Viewer role is the Guest role because all of the other platforms treats "Viewers" as "Guests".

Just for clarify the meaning of Guest for me: An invited "user" that can view/comment content for which they have been invited.

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days

[DioneMentis]

@tommoor Form this comment above: #2946 (comment)

Guests would have much more restricted data access, potentially only being able to access collections that they are explicitly added to and not have access to settings screens. Does this sound right?

Not having this is a limitation for our team. We have some collections that contain information for our team only. Equally we need to create collections that can have external editors and viewers.

We think Outline is a really great tool! But this limitation and the inability to share just one doc in a collection (with edit permissions) with a team member or guest will probably turn out to be deal breakers for us.

[M6Ka7]

@tommoor :
Is there a schedule when this feature would be implemented?
Regarding the label "Enterprise" : Private individuals or associations can also be fined for violations of the GDPR.

[almereyda]

Maybe an alternative convention can be to hide member email addresses for any user but admins?

This should be much easier to implement than a new role.

The display of the email address fields must be conditional on a permission in both cases.

[tommoor]

Maybe an alternative convention can be to hide member email addresses for any user but admins?

This is already the case, the policy is defined here:

outline/server/policies/user.ts

Line 63 in 20d85e3

allow(User, "readDetails", User, (actor, user) => {

[tommoor]

This feature is now released in v0.76.0 Business + Enterprise editions, as well as cloud hosted Outline.

[ldpl-shrey]

This feature is now released in v0.76.0 Business + Enterprise editions, as well as cloud hosted Outline.

@tommoor
Are there any plans to enable this feature in the Self-Hosted version also?
If yes, by when?