User can still read document content after being removed from a collection in outline/outline
Jul 1st 2022
An admin can add a member to his personal collection. But if the admin later removes that user from the collection, the removed user can still see the document's realtime updates.
Proof of Concept
1. From the admin account, invite a user (user-B) with the member role.
2. From the admin account, create a private collection.
3. From the admin account, change the collection's permissions as below:
Default access --> No access; Additional access --> add user-B here with "view and edit" permission.
user-B is now a member of this collection and can see its documents.
4. From the admin account, add a document, doc-1, to the newly created collection.
user-B can edit this document because he is a member of the collection.
5. user-B opens the document URL
https://myacc.getoutline.com/doc/dco2-LphFaOA1Ls in his browser window and can edit it.
All realtime collaboration data for this document is delivered over a websocket connection, so keep this browser window open.
6. Now go to the admin account and remove user-B from this collection.
user-B should no longer be able to access any document in this collection, because he is not a member anymore and the default access is "No access".
7. Now the admin edits the content of the above document.
The updated content is visible in realtime in the document window that user-B has kept open.
Because user-B kept his browser window open, the realtime collaboration websocket connection is still alive, and any change the admin makes to the document is delivered to user-B over the
https://collaboration.getoutline.com/collaboration/document.1ad60950-9e50-4316-8cd9-6f4ff49d7f31 websocket connection.
user-B has been removed from the collection, but since he kept that browser window open, the collaboration websocket connection stays alive and user-B receives the realtime updates.
I checked 30 minutes after removing user-B from the collection, and user-B was still receiving data via this websocket.
user-B can keep getting realtime collaboration data for a long time after being removed, as long as he can keep the above websocket connection alive.
An unprivileged user can get realtime collaboration data even after being removed from a collection.
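The root cause described above is that access is checked only when the websocket is opened and never again. The following is an added example, not Outline's code, of a minimal collaboration hub that re-checks access on every broadcast and closes a user's live sockets the moment he is removed from a collection; the class, method names and the fake socket objects are all constructed for illustration.

```javascript
// Added example, not Outline's code: collaboration hub that re-checks access on
// every update and closes live sockets when a member is removed (fake sockets).
class CollaborationHub {
  constructor(docCollection) {
    this.docCollection = docCollection; // documentId -> collectionId
    this.members = new Map();           // collectionId -> Set of userIds
    this.subs = new Map();              // documentId -> Set of {user, socket}
  }
  addMember(col, user) { if (!this.members.has(col)) this.members.set(col, new Set()); this.members.get(col).add(user); }
  canRead(user, doc) { const m = this.members.get(this.docCollection.get(doc)); return Boolean(m && m.has(user)); }
  // Authorize once when the websocket opens, then track the subscription.
  connect(user, doc, socket) {
    if (!this.canRead(user, doc)) { socket.close(4403); return false; }
    if (!this.subs.has(doc)) this.subs.set(doc, new Set());
    this.subs.get(doc).add({ user, socket });
    return true;
  }
  // The report's bug is trusting that connect-time check forever; here every update re-checks access.
  broadcast(doc, update) {
    let delivered = 0;
    for (const s of this.subs.get(doc) || []) {
      if (!this.canRead(s.user, doc)) { s.socket.close(4403); this.subs.get(doc).delete(s); continue; }
      s.socket.send(update); delivered++;
    }
    return delivered;
  }
  // Revocation also closes the removed user's live sockets immediately, not only at the next update.
  removeMember(col, user) {
    this.members.get(col)?.delete(user);
    let closed = 0;
    for (const [doc, set] of this.subs) {
      if (this.docCollection.get(doc) !== col) continue;
      for (const s of set) if (s.user === user) { s.socket.close(4403); set.delete(s); closed++; }
    }
    return closed;
  }
}
// Constructed fake socket that records what was sent to it and the close code.
const fakeSocket = () => ({ received: [], closeCode: null,
  send(m) { this.received.push(m); }, close(c) { this.closeCode = c; } });
function demo() {
  const hub = new CollaborationHub(new Map([["doc-1", "col-1"]])), sockB = fakeSocket();
  hub.addMember("col-1", "admin"); hub.addMember("col-1", "user-B");
  hub.connect("user-B", "doc-1", sockB);
  const before = hub.broadcast("doc-1", "edit-1"), closed = hub.removeMember("col-1", "user-B");
  const after = hub.broadcast("doc-1", "edit-2"); // user-B must receive nothing now
  return { before, closed, after, received: sockB.received, closeCode: sockB.closeCode };
}
```

In `demo()` the first edit reaches user-B, the removal closes his socket with a constructed close code, and the second edit is delivered to nobody.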