
[FIX] Enforce "add-user-to-joined-room" permission in public channels while mentioning non-participant users #15955

Open aKn1ghtOut opened this issue 6 years ago • 4 comments

[FIX]

Closes #15955

https://rocket.chat/docs/user-guides/channels/

The current server allowed general users to add users to public channels without the "add-user-to-joined-room" permission by mentioning them. This allowed users to spam other users just by mentioning them in public channels and completely bypassed the permission system. I added an additional check while adding-and-notifying users mentioned in channels making sure that the user has the "add-user-to-joined-room" permission. If not, the mention does not add or notify the mentioned user, and instead just stays as a mere reference to the user, as happens in private chats. The reference to the behavior from private chats is important because you can't include mentioned users in the conversation there, and the exact same behavior is expected when the user doesn't have enough privileges to add users to the current channel.

In the below screenshots, player1 has the "add-user-to-joined-room" privilege, player2 doesn't, and player3 hasn't joined the channel. The first screenshot depicts the behavior before, and the second one depicts the behavior after.

Screenshots: Before / After

aKn1ghtOut avatar Dec 12 '19 20:12 aKn1ghtOut
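The check described in the PR above, written out as an added example that is not Rocket.Chat's own code: a pure policy function that classifies each mentioned username as add-and-notify, notify-only (already a participant), or reference-only. It assumes a room object with a type field `t` ('c' public channel, 'p' private group, 'd' direct) and a `usernames` list, plus a `hasPermission(user, permission)` callback; those names and the sample data are assumptions constructed for the example.

```javascript
// Added example, not Rocket.Chat code. Decides what the server should do for
// each user mentioned in a message, given the room and the sender.
// Assumed shapes: room = { t: 'c' | 'p' | 'd', usernames: [...] },
// hasPermission(username, permission) => boolean.

const ADD_PERMISSION = 'add-user-to-joined-room';

function resolveMentions(room, sender, mentioned, hasPermission) {
  const members = new Set(room.usernames);
  const result = { addAndNotify: [], referenceOnly: [], notifyOnly: [] };

  for (const username of new Set(mentioned)) {
    if (members.has(username)) {
      // Already a participant: ordinary mention notification, nothing to add.
      result.notifyOnly.push(username);
      continue;
    }
    // Non-participant. Only a public channel ('c') may pull a user in via a
    // mention, and only when the sender holds the add-user permission.
    // Private groups and direct chats keep the mention as a plain reference.
    const canAdd = room.t === 'c' && hasPermission(sender, ADD_PERMISSION);
    (canAdd ? result.addAndNotify : result.referenceOnly).push(username);
  }
  return result;
}

// Constructed sample data mirroring the PR's screenshots: player1 holds the
// permission, player2 does not, player3 has not joined the channel.
const permissions = {
  player1: new Set([ADD_PERMISSION]),
  player2: new Set(),
};
const hasPermission = (user, perm) => (permissions[user] || new Set()).has(perm);

const general = { t: 'c', usernames: ['player1', 'player2'] };

console.log(resolveMentions(general, 'player1', ['player3'], hasPermission));
// { addAndNotify: ['player3'], referenceOnly: [], notifyOnly: [] }
console.log(resolveMentions(general, 'player2', ['player3', 'player1'], hasPermission));
// { addAndNotify: [], referenceOnly: ['player3'], notifyOnly: ['player1'] }
```

The same function can be called with a room of type 'p' to confirm that the private-group behaviour the PR refers to (reference only, never an add) falls out of the same rule.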

@MartinSchoeler Apologies for the disturbance, but can anyone have a look? The PR has been lying around for a while now.

aKn1ghtOut avatar Dec 21 '19 17:12 aKn1ghtOut

If someone could have a look please @gabriellsh @MartinSchoeler

aKn1ghtOut avatar Mar 29 '20 10:03 aKn1ghtOut

thanks @aKn1ghtOut for your contribution.. but I'm not sure this is the behaviour we'd like to have for the add-user-to-joined-room permission.. It is used to allow room owners and moderators to invite other users to private groups.. and we don't verify it in the case you described because everyone (that has view-c-room permission) can join public rooms by themselves, so mentioning is something like an "invite".. I also have to say that we have plans already to change this behaviour so that mentioning someone would actually add that person to the channel.

but I still would like to hear opinions from @engelgabriel and @rodrigok on this matter.

sampaiodiego avatar Apr 15 '20 21:04 sampaiodiego

I did wonder if this wasn't a bug, being new to Rocket.Chat. The issue this is addressed to seemed meaningful to me at the time, but what you're saying does make sense too. I was thinking more in terms of open communities like open.rocket.chat or blender.chat where this might potentially cause nuisance. In a workplace installation, however, I can completely see how the current handling is the best approach.

aKn1ghtOut avatar Apr 15 '20 22:04 aKn1ghtOut