boonebgorges
commented
8 years ago Hi @freiwerk - Thanks for opening the issue.
The plugin is designed to keep off-limits Docs out of all contexts - including "all documents". Here's an example:
- Create a Doc, and under the Access tab, set "Read" access to "Doc author only"
- As a non-logged-in user, visit /docs/
In my testing, I don't see the new Doc as the non-logged-in user.
Can you give more details about your setup? Can you give specific steps that I can take locally to replicate your situation, where a non-public Doc can be viewed in a directory by a user who shouldn't be able to see it?
ghost
Hi there,
I run a webseite which is used as a communication platform for cultural assocations. In the groups, the members do share documents, some of it with sensitive information like adress data and meeting protocols.
In the past we had some troubles with security in wp_docs, as the standard privacy settings had a bug some time ago (all docs public to anyone) and all the documents got indexed by Google. The groups itself were private, but all documents were listed in the "all docs" page.
Now privacy settings are back, but still security as an issue, as the "all docs" page still lists all documents from private groups and shows filenames, contributors and excerpts (which is the reason we deactivated the excerpt). The meta data delivered by the plugin still allows to gain sensible information.
Out of this reason I have blocked the "all documents" page with a trick: I create a FTP subfolder "docs" in the webserver to destroy the permalink and placed a .htaccess with a redirect to "my-group documents". This was still not enough, as page 2 onwards was still indexed by Google. Now i blocked this by creating a subfolder in "docs" called "page".
However, this is not a really a good workaround and I feel that more users my run into this trouble without knowing it. So I would like to ask you: Is it really useful that the "all documents" page lists documents from private groups? In my opinion the plugin simply shouldn't list documents that I am not allowed to see...
Thanks for your time and your comments.