I used to be part of a volunteer organization that is a loose confederation of local chapters that are all kept in line with a bit of copyright law by the original chapter. The central council that meets nationally on a monthly basis is organized almost entirely through Google Drive.
The problem with the Business side of Drive is how Google conflates Groups, the message board/mailing list product, with Groups that you apply permissions to. The chapter I belonged to had our own Google Apps domain. My account on that domain was added to one of the mothership's Groups so I would get announcements and participate in discussions.
Unknown to them, that Group inherited a lot of default permissions from their Shared Drives. I couldn't get to the drives by browsing, but if I searched for terms that matched documents in those shared drives, I could open the documents AND open the containing folder. At which point I could browse up to the root of the shared drive.
I reported it on the sly, one Mistress of Webs to another. We had a good "holy sh** what?!" laugh about it.
It got fixed, but as I've spoken to people at other NPO orgs that use Google Apps, I've found that most have had the same mess happen: a group with external members was created as a convenient mailing list. Then, later, they discovered that if the external member was also a Google for Business account, they "inherited" some interesting access to things in Drive.
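As an added example that is not part of the original comment: a sketch of the audit that would catch this situation, flagging any group that both holds a Shared Drive grant and has members outside the home domain, including members reached through nested groups. The domain names, addresses and dict shapes are constructed for illustration and assume group membership and drive grants have already been exported.

```python
# Constructed sample data; these dict shapes are assumptions for this
# example, not output copied from any Google API.
HOME_DOMAIN = "mothership.example"

GROUP_MEMBERS = {
    "announce@mothership.example": ["chair@mothership.example",
                                    "webs@chapter.example",
                                    "chapters@mothership.example"],
    "chapters@mothership.example": ["lead@other-chapter.example"],
    "council@mothership.example": ["chair@mothership.example",
                                   "treasurer@mothership.example"],
}

DRIVE_GRANTS = [
    {"drive": "Council Minutes", "grantee": "announce@mothership.example", "role": "reader"},
    {"drive": "Council Minutes", "grantee": "council@mothership.example", "role": "organizer"},
    {"drive": "Finance", "grantee": "treasurer@mothership.example", "role": "writer"},
]

def expand(group, group_members, seen=None):
    """Return every individual address in a group, following nested groups."""
    seen = set() if seen is None else seen
    if group in seen:            # guard against groups that contain each other
        return set()
    seen.add(group)
    people = set()
    for member in group_members.get(group, []):
        if member in group_members:
            people |= expand(member, group_members, seen)
        else:
            people.add(member)
    return people

def audit(group_members, drive_grants, home_domain):
    """List drive grants held by groups that include out-of-domain members."""
    findings = []
    for grant in drive_grants:
        if grant["grantee"] not in group_members:
            continue             # granted to an individual, not a group
        outsiders = sorted(p for p in expand(grant["grantee"], group_members)
                           if p.rsplit("@", 1)[-1].lower() != home_domain)
        if outsiders:
            findings.append({"drive": grant["drive"], "group": grant["grantee"],
                             "role": grant["role"], "external": outsiders})
    return findings

if __name__ == "__main__":
    for finding in audit(GROUP_MEMBERS, DRIVE_GRANTS, HOME_DOMAIN):
        print(finding)
```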