I was just notified by someone on the server that they can access foreign entities (boxes, campfires, etc.) when they are not even authorized in the tool cupboard nor in the same team. I am using the following settings on my .json file:

{
  "AdminCanLoot": true,
  "CanAuthorizeCupboard": true,
  "CanLootBackpack": false,
  "CanLootBackpackPlugin": false,
  "CanLootCorpse": false,
  "CanLootEntity": false,
  "CanLootPlayer": false,
  "CanOvenToggle": false,
  "CanPickup": false,
  "ExcludeEntities": [
    "mailbox.deployed",
    "dropbox.deployed"
  ],
  "UseCupboard": true,
  "UseCupboardInclude": [
    "storage"
  ],
  "UseExcludeEntities": true,
  "UseFriendsAPI": true,
  "UseOnlyInCupboardRange": false,
  "UseOnlyInCupboardRangeInclude": [
    "storage"
  ],
  "UsePermission": false,
  "UseTeams": true,
  "UseZoneManager": false,
  "ZoneID": [
    "12345678"
  ],
  "ZoneManagerIncludeMode": false​

Can someone please help me as to why it is not working? It was working last month I believe.

Perhaps someone used the "share" command on their items.