stream-chat-js icon indicating copy to clipboard operation
stream-chat-js copied to clipboard

Published 20 hours ago verified publisher icon GetStream

User still can send messages to the frozen channel

Open carishkaa opened this issue 3 years ago • 3 comments

👋🏼 Hi,

I tried to freeze channel with

await channel.update(
  { frozen: true },
  { text: 'Channel is frozen now', user_id: id }
)

then send message (UPD: I tried to send messages both on client side, but it didn't work so I tried it on serverside too)

await channel.sendMessage({
  text: 'Try to send message to frozen channel',
  user_id: id,
})

and it doesn't give me any error. I haven't set any special permissions for these users, but I can still send messages to the frozen channel, where could the problem be? The version of GetStream I use: "stream-chat": "^6.5.1", Node.js.

Chat Screen Chat Explorer

carishkaa avatar Jul 21 '22 11:07 carishkaa

I tried to workaround it with

await channel.updatePartial({
  set: {
    config_overrides: {
      grants: {
        user: ["!create-message"],
      },
    },
  },
})

but it didn't work as well. On the other hand disabling the channel works fine, but it's not what I need.

carishkaa avatar Jul 22 '22 09:07 carishkaa

Hello, thank you for posting an issue.

In the provided example there is user_id present for both requests, which seems like using a serverside client for these requests. If this is correct - then it is expected behavior, as such clients do no permission checks. Please see a warning here: https://getstream.io/chat/docs/rest/#server_side

ffenix113 avatar Jul 22 '22 12:07 ffenix113

Hello, thanks for answering.

Yes, I tried to freeze the channel on the server side, but these messages from screen were sent from the client side. Allow me to describe generally what I am trying to do, I may be misunderstanding what a frozen channel is:

My goal is to deactivate a user on the server side and forbid sending messages from another users to the deactivated ones on the client side. I thought that freezing channels (on server side with user_id= id of the user that will be deactivated) match my needs perfectly, but maybe I need to use another functions for this case?

carishkaa avatar Jul 22 '22 13:07 carishkaa

Hi @carishkaa, your staging app has permission checks disabled which would cause this behavior. Please try updating your app and setting disable_permissions_checks: false.

I'm going to close this ticket since this is not related to the JS SDK. If you continue to have problems, please feel free to open up a ticket with our support team.

miagilepner avatar Aug 19 '22 10:08 miagilepner

@miagilepner : I don't see this in the app permission, where do we have to disable this check ?

@miagilepner : How does this work in permissions v2 ?

luvishq avatar Dec 27 '22 18:12 luvishq