Team Control exposes list of all Clients even when users shouldn't have access to them #776

@bkatusic

Description of Issue:

A user attached to a user role created in Team Control add-on will always be able to see a list of all Clients.
Even when that role doesn't have privileges to Manage Clients, or when the sites for which the user role has privileges are not associated with those clients.

That list of Clients will be visible in the Clients widget on the Overview page.
It will also be visible in the Settings page of a Child Site.
And it will be visible in the Select Sites sidebar, in the Clients tab.

Steps to Reproduce:

1. In Team Control > Roles and Permissions, edit or create a Role.
2. Disallow the Manage Clients permission and Allow permission to only one of the Child Sites.
3. Log in with a user belonging to that role.
4. Visit the Overview page and observe the Clients widget.
5. Visit the Settings page of the Child Site, and observe the list of clients in the Client dropdown.

Note

If you have a similar issue but the steps to reproduce are different, please open a help ticket for us to review and verify if it's a new issue or part of this one. Thanks!

Reported on: 2025-05-02
Issue confirmed with dev team: 2025-05-02
Resolved: Pending
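
An added example, not part of the original issue or the add-on's code: a sketch of scoping the client list to the role's permitted sites and routing all three surfaces named in the report through one server-side filter. The data model, the function names and the policy itself (a client is listed only if it shares a site with the role; Manage Clients gates editing only) are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data; every name below is hypothetical, not the add-on's.
@dataclass(frozen=True)
class Client:
    id: int
    name: str
    site_ids: frozenset

@dataclass(frozen=True)
class Role:
    name: str
    can_manage_clients: bool
    allowed_site_ids: frozenset

CLIENTS = [
    Client(1, "Acme", frozenset({10})),
    Client(2, "Globex", frozenset({20, 21})),
    Client(3, "Initech", frozenset()),  # client with no sites attached
]

def visible_clients(role, clients):
    """Assumed policy: a client is listed only if it shares a site with the role."""
    return [c for c in clients if c.site_ids & role.allowed_site_ids]

def can_edit_client(role, client):
    return role.can_manage_clients and bool(visible_clients(role, [client]))

# Every surface named in the report goes through the same filter, so no single
# view can fall back to the unfiltered list.
def overview_widget(role, clients=CLIENTS):
    return [c.name for c in visible_clients(role, clients)]

def site_settings_dropdown(role, site_id, clients=CLIENTS):
    if site_id not in role.allowed_site_ids:
        raise PermissionError("role has no access to this site")
    return [(c.id, c.name) for c in visible_clients(role, clients)]

def select_sites_clients_tab(role, clients=CLIENTS):
    return {c.id: sorted(c.site_ids & role.allowed_site_ids)
            for c in visible_clients(role, clients)}

def leaked_clients(role, rendered_names, clients=CLIENTS):
    """Regression check: names rendered to the user that the policy forbids."""
    allowed = {c.name for c in visible_clients(role, clients)}
    return sorted(set(rendered_names) - allowed)
```

`leaked_clients` can back a regression test that follows the reproduction steps: render each view as the restricted user and assert that the returned list is empty.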
