New Idea

Spaces: disable filtering option

Related products: CS C360 & R360 & P360
  • July 14, 2025
  • 9 replies
  • 141 views

Jef Vanlaer

When sharing a report with customers through Spaces, they can add/update the filters on the report. In the process, they can see all fields on the object used in the report (and all objects accessible through lookups).

  • It is not desired that customers know all data points we have on a Company/Relationship, for example.
  • By playing around with the filters (e.g., using > on numeric fields and changing the limit iteratively), they could even figure out what the value of a field is. Definitely not desired!


darkknight
  • Expert ⭐️
  • July 14, 2025

Thank you for posting this @Jef Vanlaer. I hadn’t noticed this myself yet. Full stop on planning roll out of Spaces in my environment until this security gap is resolved.

cc: @manu_mittal @jake_ellis


romihache
  • VIP ⭐️⭐️⭐️⭐️⭐️
  • July 14, 2025

Oh no! Even starting to talk about Spaces with this kind of security gap is out of the question.
This should be considered a bug, not just a feature request, IMO.


dayn.johnson
  • VIP ⭐️⭐️⭐️⭐️⭐️
  • July 15, 2025

Huge security gap. @Jef Vanlaer, massive props on discovering this! 🙌

If we were using Spaces, this would be game over before it even started.


ssamarth
  • Gainsight Employee ⭐️
  • February 24, 2026

@Jef Vanlaer 
Is the main concern around exposing metadata information to the end user, as any filters applied by the end user work as an “AND” condition on top of the filters already configured in the report?
Additionally, the data is restricted to the specific Company or Relationship the user belongs to. Because of this, it is unlikely they would be able to infer any additional data, even by experimenting with numeric filters.


Jef Vanlaer
  • Author
  • Helper ⭐️⭐️⭐️
  • February 24, 2026

@ssamarth Even when it is only “AND” and information is restricted to the specific Relationship, customers can figure out the value of other fields on the Relationship by adding a filter on that specific field. Suppose we don’t want the customer to know how many active users they have. They can still add the field ‘Active users’ in the filter and by using the greater than value iteratively, figure out how many active users they have. 

Example: suppose the customer has 50 active users:

  • Add filter ‘Active users > 50’ ==> no data shown in report
  • Add filter ‘Active users > 49’ ==> data in the report is shown

This way, the customer knows exactly how many active users (50) they have.


dayn.johnson
  • VIP ⭐️⭐️⭐️⭐️⭐️
  • June 7, 2026

Curious if this has been addressed, @ssamarth -- we’ve been pushing forward on wanting to roll out Spaces, but if this security gap is still here, we may be forced to build an alternative option.


ssamarth
  • Gainsight Employee ⭐️
  • June 24, 2026

@dayn.johnson @Jef Vanlaer @darkknight
If we restrict the filterable fields to only those fields which are used in the report, end users could still filter, but only on the object fields the admin has built the report on.

Will that work?


Jef Vanlaer
  • Author
  • Helper ⭐️⭐️⭐️
  • June 24, 2026

@ssamarth I believe that should work. If those filters work on top of the already present filters, there’s nothing they can expose that isn’t in the report yet. It’s literally the same as downloading the data to Excel and creating a filter there, or just filtering directly on the columns in the report itself.


dayn.johnson
  • VIP ⭐️⭐️⭐️⭐️⭐️
  • June 24, 2026

@ssamarth I believe that should work. If those filters work on top of the already present filters, there’s nothing they can expose that isn’t in the report yet. It’s literally the same as downloading the data to Excel and creating a filter there, or just filtering directly on the columns in the report itself.

Well stated, @Jef Vanlaer -- this is very similar to wildcard exclusions for the Slack AI app. No objection from me if customers want to filter the data in the report based solely on the data we’ve made available in the report. My concern was opening up an entire object to the customer. While 99% may never try adjusting the filters -- it only takes 1.
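
The restriction agreed on in this thread, as an added sketch that is not Gainsight code and not part of any post: viewer filters are checked server-side against the report's own columns before being ANDed onto the admin's filters. The `REPORT` structure, `run_report`, `FilterNotAllowed` and the sample rows are constructed for illustration; `restrict_to_columns=False` reproduces the 'Active users > 50' / '> 49' behaviour described earlier in the thread for comparison.

```python
import operator

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}

class FilterNotAllowed(Exception):
    """A viewer filter names a field that is not a column of the report."""

# Constructed sample rows. 'active_users' exists on the object, but the
# admin did not include it in the report shared with the customer.
ROWS = [
    {"relationship": "Acme", "product": "Core", "open_tickets": 3, "active_users": 50},
    {"relationship": "Acme", "product": "Add-on", "open_tickets": 0, "active_users": 50},
    {"relationship": "Other", "product": "Core", "open_tickets": 7, "active_users": 12},
]

# Hypothetical report definition (an assumption, not Gainsight's schema).
REPORT = {
    "columns": ["product", "open_tickets"],            # fields the report shows
    "admin_filters": [("relationship", "=", "Acme")],  # scoping set by the admin
}

def run_report(report, rows, viewer_filters=(), restrict_to_columns=True):
    """Return report rows with viewer filters ANDed onto the admin filters.

    With restrict_to_columns=True, a viewer filter may only reference a
    column already shown in the report, so its result never depends on a
    field the viewer cannot already see.
    """
    if restrict_to_columns:
        allowed = set(report["columns"])
        for field, op, _value in viewer_filters:
            if field not in allowed or op not in OPS:
                raise FilterNotAllowed(f"{field} {op}")
    filters = list(report["admin_filters"]) + list(viewer_filters)
    return [
        {col: row[col] for col in report["columns"]}  # project shown columns only
        for row in rows
        if all(OPS[op](row[field], value) for field, op, value in filters)
    ]
```

The check belongs on the server that executes the report query; hiding fields only in the filter picker leaves the same request open to anyone who edits it.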