Team Control: Users can see Clients from other tags

torchmedia · May 1, 2025, 12:54pm

We manage a large number of sites for an Agency partner. We have created an account and set up Team Control to allow them to work with the sites under a tag assigned to their user role.

However, the agency user can still see ALL of the clients that do not belong to their assigned tag. We see this happening in two areas so far:

Overview page, Clients widget. ALL clients visible.
Site > Edit Settings screen. They can see ALL clients when selecting from the Client dropdown.

This is both a security and business risk for us. Is there a way to ensure any of the Clients DB calls are filtered to the tags assigned to the logged in user?

Steps to reproduce:

Create multiple tags, eg. “tag1” and “tag2”. Assign sites to both tags
Create Clients and attach them to sites on both tags
Create a role under Team Control. Assign the role to a single tag, eg “tag1”
Log in as the new user. They will be limited to seeing sites from “tag1”, however they will see clients outside of “tag1” in the different areas.

bojan · May 1, 2025, 2:28pm

Hey @torchmedia

Welcome to the MainWP community!

We are aware of an issue with the Clients widget on the Overview page, where it will list all Clients in the scenario you described.

In fact, that widget will list Clients even if no tags or sites are given to a Team Control role, and Manage Clients permission is also withheld.

Have you noticed this issue in other areas of the Dashboard or just in the Clients widget?

torchmedia · May 1, 2025, 5:19pm

Yes, if a user under a Team Control role edits one of their sites.

On that screen there is the dropdown selector for Client. That dropdown lists all clients available in the dashboard, not scoped in any way.

bojan · May 1, 2025, 6:56pm

Thanks, @torchmedia.

I’ve managed to reproduce that issue as well and passed it onto our dev team.

It will be fixed in an upcoming release.