We manage a large number of sites for an Agency partner. We have created an account and set up Team Control to allow them to work with the sites under a tag assigned to their user role.
However, the agency user can still see ALL of the clients that do not belong to their assigned tag. We see this happening in two areas so far:
- Overview page, Clients widget. ALL clients visible.
- Site > Edit Settings screen. They can see ALL clients when selecting from the Client dropdown.
This is both a security and business risk for us. Is there a way to ensure any of the Clients DB calls are filtered to the tags assigned to the logged-in user?
Steps to reproduce:
- Create multiple tags, e.g. “tag1” and “tag2”. Assign sites to both tags.
- Create Clients and attach them to sites on both tags.
- Create a role under Team Control. Assign the role to a single tag, e.g. “tag1”.
- Log in as the new user. They will be limited to seeing sites from “tag1”; however, they will see clients outside of “tag1” in the different areas.
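
The reproduction steps above, modelled as a regression check. This is an added example, not part of the original post and not the plugin's code. It derives the client list from the sites a role may see and reports any client that a query returns outside that scope. Every name in it is hypothetical, and it assumes one tag per site and that a client with no site in scope is hidden from a restricted role.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical data model, constructed for illustration (not the plugin's schema).
@dataclass(frozen=True)
class Site:
    name: str
    tag: str
    client: Optional[str] = None      # client attached to this site, if any

@dataclass(frozen=True)
class Role:
    name: str
    tags: Optional[frozenset]         # None means unrestricted (administrator)

def visible_sites(role, sites):
    """Sites the role may see: only those carrying one of its tags."""
    if role.tags is None:
        return list(sites)
    return [s for s in sites if s.tag in role.tags]

def visible_clients(role, sites, all_clients):
    """Scoped query: clients are derived from the sites the role may see."""
    if role.tags is None:
        return sorted(all_clients)
    allowed = {s.client for s in visible_sites(role, sites) if s.client}
    return sorted(allowed & set(all_clients))

def unscoped_clients(role, sites, all_clients):
    """Behaviour reported in the post: the client list ignores the role's tags."""
    return sorted(all_clients)

def leaked_clients(role, sites, all_clients, query):
    """Clients returned by `query` that fall outside the role's scope."""
    in_scope = set(visible_clients(role, sites, all_clients))
    return sorted(set(query(role, sites, all_clients)) - in_scope)

# Constructed sample data following the reproduction steps.
SITES = [
    Site("a.example", "tag1", "Client A"),
    Site("b.example", "tag2", "Client B"),
    Site("c.example", "tag1", "Client C"),
    Site("d.example", "tag2", "Client C"),   # one client with sites on both tags
]
CLIENTS = ["Client A", "Client B", "Client C", "Client D"]  # Client D has no sites
AGENCY = Role("agency", frozenset({"tag1"}))
ADMIN = Role("admin", None)

if __name__ == "__main__":
    print("scoped  :", visible_clients(AGENCY, SITES, CLIENTS))
    print("leaked  :", leaked_clients(AGENCY, SITES, CLIENTS, unscoped_clients))
```

Running the same `leaked_clients` check against every place that lists clients (the widget and the dropdown alike) catches a view that bypasses the scoped query.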