Other people's courses appearing in Review?

Since last week’s post-mortem, we’ve dug further into this incident and identified the exact circumstances in which folks could view content that they weren’t authorized to see. We’d like to share this context. 

Right now, the Review 360 engineering team is working on developing a team folders feature. This functionality will allow members of the same Articulate 360 team to organize content into folders that are shared with their teammates. 

To build this feature, the team created a process where users’ dashboards receive updates when teammates create new shared content. Last week, the team released a bug where users could receive updates that were not correctly filtered to members of their team. This bug only occurred in a very specific set of circumstances: when a user navigated from viewing Review 360 content back to the dashboard and while the dashboard was still loading.

This error was limited to displaying the content in the user’s dashboard and enabling the user to view the content. The user wouldn’t be able to duplicate, download, export, rename, or move content. 

What’s Next

We’re working through our process for investigating serious incidents, and that means we’ve appointed an internal incident investigator from outside the responsible engineering team. This investigator will interview team members, review code and internal processes, and ultimately make recommendations to address the gaps that this incident exposed. We’ll update you further with an overview of the types of changes we’re making to ensure this doesn’t happen again. 

Please let us know if you have any questions or if we can provide additional context for your team.