Rocket.Chat icon indicating copy to clipboard operation
Rocket.Chat copied to clipboard

Published 20 hours ago verified publisher icon RocketChat

Privacy: Disable/Hide complete list of user

Open Quadrocompile opened this issue 4 years ago • 11 comments

Description:

We'd like to host RC for our organization. However, there are privacy concerns regarding the feature that allows user to see the list of all user in the system and the possibility to DM them. We are able to hide the user list with the embedded-layout. However, when using the app, the user list feature is always enabled.

Steps to reproduce:

Persistent behavior

Expected behavior:

Switch to disable the complete user list in order to appease 'privacy fanatics'.

Suggested workaround / Request

The easiest solution that comes to my mind would be to alter the query that fills the list in such a way, that the server would only return an empty record. That would be a crude workaround but nevertheless it would work well in our scenario.

Could you please advise if such workaround would interfere with the rest of the application. And if not: could you please provide me insight, which api hook is used to query the complete user list, in order to alter the servers response to never return any user at all.

Actual behavior:

Currently, there is a list of all users signed up on the server. This can be hidden when using the embedded mode, however, it is always visible to users using the app.

Server Setup Information:

  • Version of Rocket.Chat Server: 3.5.3
  • Operating System: Ubuntu 20.04
  • Deployment Method: snap
  • Number of Running Instances: 1
  • DB Replicaset Oplog: -
  • NodeJS Version: 12.16.1
  • MongoDB Version: 4.0

Client Setup Information

Any

Additional context

Relevant logs:

Best regards

Quadrocompile avatar Aug 21 '20 10:08 Quadrocompile

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Oct 20 '20 12:10 github-actions[bot]

We'd like to at least be able to hide the email.

pierreozoux avatar Mar 05 '21 17:03 pierreozoux

Hello, any news around here maybe? Hiding emails would already be great.

ImaCrea avatar Jun 25 '21 08:06 ImaCrea

Actually @ImaCrea maybe we see emails because we are admin. I didnt consider this, I'll try again when in front of a laptop.

pierreozoux avatar Jun 28 '21 09:06 pierreozoux

Not sure you can see emails unless you are admin?

Please confirm this?

johncrisp avatar Jun 28 '21 09:06 johncrisp

(and please test on 3.16 !!)

johncrisp avatar Jun 28 '21 09:06 johncrisp

Yes, I confirm that if you are not admin, you don't see emails. (Except if the username is the email, but well, we can't do much on that case :) )

pierreozoux avatar Jul 27 '21 09:07 pierreozoux

Is there any progress on this? We want to facilitate several teams/customers using RC but we (and or customers) don't want the option that everybody can invite everybody to a channel/discussion.

  • Version of Rocket.Chat Server: 4.2.2

2old4it avatar Jan 04 '22 14:01 2old4it

I suppose there is no action to have this ability. I hope someone picks this up as it would be a great security feature for this app

gstlouisgit avatar May 19 '22 12:05 gstlouisgit

uncheck the “view outside room” in the Permissions setting

avenger2005 avatar Sep 05 '22 06:09 avenger2005

uncheck the “view outside room” in the Permissions setting

Seems to do the trick! Thanks

bndrgroup avatar Sep 21 '22 08:09 bndrgroup