Google Sites Sharing Issue

posted 27 Mar 2012, 04:27 by Philip Ridout   [ updated 8 Sep 2015, 02:53 ]

The Issue

The Google Sites help page states that: "anyone you set as "Can view," "Can edit," or "Is owner" must have a Google Account or Google Apps Account to share your site".  What it doesn't tell you is that if you send a 'can view' or 'can edit' site sharing invitation to an email address that doesn't have an associated Google Account, the link that is sent to that email address can be used by ANYONE who gets access to it who has a Google account to gain access to your site. (It is not possible to send a 'Is owner' invite to a non-Google account).
Accounts that have been added in this way are denoted by an 'envelope' icon which shows the message below when you hover over it.


What this means

A user, Alice, has two email addresses: myaddressNG@domain.com which is not associated with a Google account and myaddressG@domain.com which is associated with a Google account.

I send a site sharing invitation to myaddressNG@domain.com.

If I have not checked the "notify people by email" box, I will see a message that tells me:
You are trying to invite myaddressNG@domain.com. Since there is no Google account associated with this email address, you must check the "Notify people via email" box to invite this recipient.

If I check the "notify people by email" box, a share link will be sent to Alice by email and I will see a message that tells me:
You are sending an invitation to myaddressNG@domain.com. Anyone holding this invitation will have access.

Alice receives the email. She clicks on the link in the sharing invitation.
  • If she is not signed in to any Google account, she will see a Google sign-in screen.
  • If she signs in to (or is already signed in to) her myaddressG@domain.com Google account she may see:

  • If she clicks on 'Accept Invitation' (or the Site owners are already in her Google contact list) her email address myaddressG@domain.com will be added to the access control list with the level of access (edit or view) you specified when issuing the share invitation. Note that this is NOT the email address that the original invitation was sent to. That email address will still also appear in the site sharing list.

The really big issue

  • If she then forwards that link to someone else, if they have a google account they can also add themselves to the access control list using that link.

How to revoke the link

If you do invite someone to share using this option, you can invalidated the link that was sent by removing the user(s) (denoted by an 'envelope' icon) the link was sent to. Although this will revoke the link, you may still need to manually remove any users who have already added themselves using this link.

My recommendation to avoid this issue

Unless and until Google change the way this works, my recommendation is NEVER to check the 'Notify people via email' box when you add people UNLESS the email addresses you have selected have associated Google accounts (you will get an information message about this - see above). Instead, uncheck that box and send them a link to the site in a separate email.


Why might this be useful?

If you want to give access to a number of people without having to explicitly add them the either the site share list (or a Google group that you are using to control access to the site - see Control Access with Groups) you can send a share invitation to a non-Google account email address and then forward that link to the people you want to give access to. Just be aware that there is nothing to stop them forwarding the link to anyone else.

Comments