Clicking collaborator avatars takes users directly to whatever page and content the collaborator is viewing. This bypasses User() filters AND grants access to hidden pages, exposing confidential data through normal UI interaction. This is a security vulnerability that has been around for too long. It’s hard for me to understand.
Real impact:
- Multiple teams report this as a complete showstopper for sensitive workflows
- Enterprise customers are choosing other platforms specifically because of this
- Personally, I need to share information with different people who shouldn’t be able to access one another’s content. This makes it impossible.
Why this needs urgent attention: A UI feature that systematically bypasses the access controls Coda provides is a security flaw. Support’s response that this is “not a bug with no plans to fix” doesn’t match the severity of what’s happening.
This has been reported repeatedly: Multiple bug reports and feature requests over the years, with minimal acknowledgment or updates. For a security vulnerability affecting business-critical data, this silence is really concerning.
This could be a quick fix: With phase 3 of the shared pages program taking FAR longer than expected, this needs addressing sooner. A temporary solution would be to hide collaborator avatars entirely. I understand this would be annoying for some users, so make it a doc-level optional setting where doc makers can choose whether to show or hide avatars.
I’m spending a lot of time and energy building with Coda because I think it’s a great product, but this kind of neglect erodes trust. I’d really appreciate an update on whether a fix is planned.