Security FAQ
Can one user see every board in the system?
No. Users only see boards they own or boards explicitly shared with them.
Can a read-only user modify content?
No. A user with read-only permission cannot create, update, or delete board content.
Who can share a board with others?
Only the board owner can share or unshare access.
What happens with invalid or missing authentication?
The request is denied and the service returns an authentication challenge.
Is access control done in the client or on the server?
On the server. Every operation is validated server-side before data is returned or changed.
Can automation bypass normal permissions?
No. Tool handlers enforce the same permission model for all callers.
What should we verify during adoption?
- Owner can share and unshare.
- Shared-write can edit but not manage sharing.
- Shared-read can view but cannot edit.
- Users the board is not shared with receive access denied.
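
The checklist above can be written as assertions against a small model of the permission rules this FAQ describes. This is an added example, not the product's code: `Board`, `Access`, `denied`, `adoption_checks` and the user names are hypothetical, and during adoption the method calls would be replaced by requests to the real service.

```python
from enum import IntEnum
class Access(IntEnum):  # hypothetical model; names are not the product's
    NONE, READ, WRITE, OWNER = range(4)

class Board:
    def __init__(self, owner):
        self.owner, self.shares, self.content = owner, {}, []

    def _require(self, user, minimum):  # the one server-side gate
        level = Access.OWNER if user == self.owner else self.shares.get(user, Access.NONE)
        if level < minimum:
            raise PermissionError(f"{user!r} lacks {minimum.name}")

    def view(self, user):
        self._require(user, Access.READ)
        return list(self.content)

    def edit(self, user, item):
        self._require(user, Access.WRITE)
        self.content.append(item)

    def share(self, actor, target, level):
        self._require(actor, Access.OWNER)  # owner-only, per the FAQ
        self.shares[target] = level

    def unshare(self, actor, target):
        self._require(actor, Access.OWNER)
        self.shares.pop(target, None)

def denied(op, *args):
    try:
        op(*args)
    except PermissionError:
        return True
    return False

def adoption_checks():
    b = Board("olivia")  # constructed users
    b.share("olivia", "wes", Access.WRITE)
    b.share("olivia", "rae", Access.READ)
    b.edit("wes", "note")
    return {
        "write_can_edit": b.view("wes") == ["note"],
        "write_cannot_share": denied(b.share, "wes", "mallory", Access.READ),
        "read_can_view": b.view("rae") == ["note"],
        "read_cannot_edit": denied(b.edit, "rae", "x"),
        "unshared_denied": denied(b.view, "mallory"),
        "owner_can_unshare": not denied(b.unshare, "olivia", "rae") and denied(b.view, "rae"),
    }
```

Every entry returned by `adoption_checks()` should be `True`; a `False` entry names the checklist item that failed.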