Doc sharing settings: anyone with the link: no access
Publishing settings: not findable, play mode or view mode (tried both).
When going to the published doc link, the published doc asks for a log in (or request access)
When I change the doc sharing settings to anyone with the link can view, the published doc is visible.
It seems odd that a published doc is dependent on standard doc share settings.
Think of publish mode as simply a slightly different Coda “shell”: instead of the “editor” with all the editing features you only have a “viewer”.
Like Acrobat Pro vs Acrobat Reader, I guess.
(I couldn’t think of examples that are less boomer, sorry )
But the underlying security for actually loading the doc data is the same between the editor and the viewer. If you have access to the doc, you see it. If you don’t, you don’t. If you don’t have editor access to it, you can only view or play it (i.e. not persist changes). If the doc is not visible-by-link, it will ask you for sign in to know who you are and whether you have access to that doc.
Coda tried different ways to reduce friction there. Initially it automatically made the doc view-for-all when you published; if you didn’t want that (e.g. you wanted the “viewer” UI but only share the doc among your team) you had to manually go and remove that permission. That was very confusing and people would accidentally share their docs openly because of that. Now it asks and gives you a choice.
Or, if this will make more sense:
There is a doc with all the data. There are basically two levels of access to it:
Read: see the whole doc data
Write: be able to alter the data in the saved doc
Either of these is set on each of the following audiences (except My Docs, those only have 1 and 3):
anyone
members of workspace (for docs in public folders) or members of a folder (private folders)
individually invited people and Google Groups — separately for each
(there’s also forms but that’s different, let’s not think of that now)
These are set up in sharing settings.
And these apply on any attempts to access the doc: through the editor, through publish mode, and through API (including webhooks — it requires the token holder to have write access to the doc). API can also further limit the scope of each token, but that again is a separate topic.
Thank you for your complete writeup on sharing and publishing. I have published in the past, but it has been a while, I mostly share and use locking schemes to secure my documents (against user mistakes).
I am pretty sure there used to be a few more differences between sharing and publishing, but these days, in particular on mobile, it is pretty much the same, with a little difference in screen real estate with a small advantage for publishing.
Since I set most of my docs standard to no access for people with the link to my doc, the published doc was not accessible anymore.
Although I really feel that Coda should keep the rights to the online doc and the published doc as separate settings, I do agree that there is not really a big risk in setting the entire doc to viewable for people with a link.
Again, thanks for your thorough write up - good for me and probably for many others.