If I remove a user (in my case a guest account) from the project, it is no longer visible in their project list, so they can't access it directly, BUT if they have any activity notifications relating to that task, they are able to comment from there.
This should not be allowed: if you remove a user from a private project, they should no longer have any access to it. I would also expect the past activities to be hidden, but even if they are not, it should not allow them to post new comments.
This is by design Shimon, the whole idea behind task followers is that they should have the necessary rights to view and edit tasks they are a follower in.
Let's say you have a project with many tasks. You can, in one of the tasks, add a guest user as a follower, and that guest user would only see that task and nothing else within the project. This is one of the best features of our tool: to be able to block all tasks in a project but show some of the tasks to the guest users.
I understand the explanation of having information logged and viewable, but I think you are missing my point: if I REMOVE someone from the project, they should no longer have access to it. This is a matter of security and management of information. A removed user should no longer have access. This is especially important with guests, who by definition are people outside of your company. It makes no sense that they have lifetime access to a project or information.
In short, I don't think user rights management and access control have been properly considered or implemented, not just for this issue; to be honest, I see this across the platform. For example, another 'BUG' I am going to add is the way the user list is shown when adding followers to a task. For some reason, a project that is internal and has no guests added to it is showing guest users on the list when I go to add followers to a task. Why are guest users being displayed? They are not part of the project or group and should absolutely not be displayed there, as this could easily lead to them accidentally being added. Combine that with the fact that you then cannot remove their access, and you are creating a situation where sensitive company information is permanently accessible to guest users.
Again, this would not be an issue if removing them also removed all access, but it doesn't, and that is a huge problem.
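The two access models discussed in this thread (the vendor's "follower status alone grants access" and the reporter's "removal from the project must revoke everything") can be made concrete in a small authorization model. The following is an added example written for this discussion, not code from the tool being discussed; the `Project`, `Task`, `can_comment_*` and `remove_from_project` names are hypothetical. It shows why the follower-only check leaves a removed guest able to comment from a stale notification, and how a membership-aware check plus follower cleanup on removal closes that gap.

```python
"""Project membership vs. task followers: authorization model (added example).

Assumed, simplified model: a Project has a set of member user ids; a Task
belongs to a Project and has its own set of follower user ids. Guests are
ordinary user ids that may or may not be project members.
"""
from dataclasses import dataclass, field


@dataclass
class Project:
    name: str
    private: bool = True
    members: set = field(default_factory=set)


@dataclass
class Task:
    title: str
    project: Project
    followers: set = field(default_factory=set)


def can_comment_follower_only(user: str, task: Task) -> bool:
    """The behaviour described in the thread: being a follower is sufficient.

    Membership in the enclosing project is never consulted, so a user removed
    from the project keeps commenting rights as long as the follower entry
    (and the notification that links to it) still exists.
    """
    return user in task.followers


def can_comment_membership_required(user: str, task: Task) -> bool:
    """Hardened check: on a private project, follower rights are only valid
    while the user is still a current member of that project."""
    if task.project.private and user not in task.project.members:
        return False
    return user in task.followers


def remove_from_project(user: str, project: Project, tasks: list) -> None:
    """Revoke a user from a project and from every task inside it.

    Dropping the follower entries too means no stale notification can act
    as a back door, regardless of which check the comment endpoint uses.
    """
    project.members.discard(user)
    for task in tasks:
        if task.project is project:
            task.followers.discard(user)


def scenario() -> dict:
    """Constructed walk-through of the bug report.

    Returns the outcome of each check before and after the guest is removed.
    """
    internal = Project("internal-roadmap", private=True, members={"alice", "guest1"})
    task = Task("Q3 pricing review", internal, followers={"alice", "guest1"})

    before = {
        "follower_only": can_comment_follower_only("guest1", task),
        "membership_required": can_comment_membership_required("guest1", task),
    }

    # Reporter's step: remove the guest from the project only; the follower
    # entry (and any notification pointing at the task) is left in place.
    internal.members.discard("guest1")
    after_member_removal = {
        "follower_only": can_comment_follower_only("guest1", task),
        "membership_required": can_comment_membership_required("guest1", task),
    }

    # Fix at the removal step: also strip follower entries in that project.
    remove_from_project("guest1", internal, [task])
    after_full_removal = {
        "follower_only": can_comment_follower_only("guest1", task),
        "membership_required": can_comment_membership_required("guest1", task),
        "alice_still_ok": can_comment_membership_required("alice", task),
    }

    return {
        "before": before,
        "after_member_removal": after_member_removal,
        "after_full_removal": after_full_removal,
    }


if __name__ == "__main__":
    for stage, result in scenario().items():
        print(stage, result)
```

The key line is the `after_member_removal` stage: the follower-only check still returns `True` for the removed guest, which is exactly the notification-comment path reported above, while the membership-aware check already denies it. Doing both (checking membership at comment time and cleaning follower entries on removal) is the defensive choice, since either one alone depends on the other code path never being forgotten.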