Rocket.Chat icon indicating copy to clipboard operation
Rocket.Chat copied to clipboard
verified publisher icon RocketChat

fix: show only relevant userInfoActions for mentioned non-members

Open abhinavkrin opened this issue 1 year ago • 10 comments

Proposed changes (including videos or screenshots)

This pull request addresses an issue in the user mention functionality within Rocket.Chat channels. Previously, when a user mentioned another user who was not a member of the channel, the User Info card still displayed options like 'Remove User', 'Set as Leader', 'Set as Moderator', etc., which were not applicable for non-members. This fix introduces a check to determine if the mentioned user is a member of the channel/group. If the user is not a member, it now shows an option to 'Add User' to the channel and omits inappropriate options for non-members.

  1. Implemented an API to verify if the mentioned user is a member of the channel/group/dm.
  2. Display 'Add User' option if the mentioned user is not a member of the channel.
  3. Hide options like 'Remove User', 'Set as Leader', 'Set as Moderator', etc., for non-members.

https://github.com/RocketChat/Rocket.Chat/assets/15830206/ee84cace-8bf8-4030-b1cf-8bf509e47b4b

Issue(s)

When a user mentions another user who was not a member of the channel, the User Info card still displays options like 'Remove User', 'Set as Leader', 'Set as Moderator', etc., which are not applicable for non-members Also Fixes #31712

Steps to test or reproduce

  1. Mention a user who is not a member of the channel.
  2. Observe the options available in the User Info card.
  3. 'Add User' option should be visible while options like 'Remove User', 'Set as Leader', 'Set as Moderator' should not be available for non-members.

Further comments

TC-1079

Justification for New Endpoint room.isMember

We considered using channels.members/groups.members with filters for membership checks but faced issues:

  1. User Matching: Regex filters might return similar, not exact, usernames, causing inaccuracies.
  2. Pagination: If results exceed LIMIT_PER_PAGE, the target user might not appear on the first page, requiring extra API calls.
  3. Performance: Regex searches are slower than direct comparisons. To ensure precise and efficient user membership verification, we introduced the room.isMember endpoint, circumventing the limitations of existing endpoints and ensuring a more reliable and performant solution.

abhinavkrin avatar Jan 24 '24 13:01 abhinavkrin

🦋 Changeset detected

Latest commit: ee1825701c81403c21fb435aae704735f813d399

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 34 packages
Name Type
@rocket.chat/rest-typings Patch
@rocket.chat/meteor Patch
@rocket.chat/i18n Patch
@rocket.chat/core-services Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/api-client Patch
@rocket.chat/ddp-client Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/mock-providers Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/livechat Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/core-typings Patch
@rocket.chat/apps Patch
@rocket.chat/cron Patch
@rocket.chat/model-typings Patch
@rocket.chat/license Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/models Patch
@rocket.chat/instance-status Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

changeset-bot[bot] avatar Jan 24 '24 13:01 changeset-bot[bot]

Codecov Report

Attention: Patch coverage is 68.42105% with 18 lines in your changes missing coverage. Please review.

Project coverage is 55.59%. Comparing base (e827c58) to head (ee18257). Report is 97 commits behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff             @@
##           develop   #31525      +/-   ##
===========================================
+ Coverage    55.57%   55.59%   +0.02%     
===========================================
  Files         2633     2635       +2     
  Lines        57229    57275      +46     
  Branches     11851    11862      +11     
===========================================
+ Hits         31803    31844      +41     
+ Misses       22738    22737       -1     
- Partials      2688     2694       +6
Flag Coverage Δ
e2e 54.39% <68.42%> (+0.09%) :arrow_up:
unit 72.10% <ø> (-0.08%) :arrow_down:

Flags with carried forward coverage won't be shown. Click here to find out more.

codecov[bot] avatar Jan 24 '24 13:01 codecov[bot]

could we not use subscription.getOne endpoint instead?

Hey @debdutdeb, sorry for delayed reply. The use-case is different here, I have created endpoints to check if another user is member of a channel/group/member or not.

abhinavkrin avatar Feb 01 '24 13:02 abhinavkrin

Right. But I don't think you need all these endpoints. Membership is a subscription. So one endpoint should be sufficient, like subscription.exists?uid=..&rid=.... Furthermore, nobody can leave a dm, so a case where you need to check for user exists in a dm or not shouldn't come up in this context.

debdutdeb avatar Feb 05 '24 19:02 debdutdeb

https://github.com/RocketChat/Rocket.Chat/blob/ed451251a3abfd64b26c9bdc8d18e9b84754a1f3/apps/meteor/server/services/authorization/canAccessRoom.ts#L55-L62

debdutdeb avatar Feb 05 '24 19:02 debdutdeb

also idk if client caches the memberlist, might be a good idea to utilize if it does.

debdutdeb avatar Feb 05 '24 19:02 debdutdeb

Right. But I don't think you need all these endpoints. Membership is a subscription. So one endpoint should be sufficient, like subscription.exists?uid=..&rid=.... Furthermore, nobody can leave a dm, so a case where you need to check for user exists in a dm or not shouldn't come up in this context.

Thanks for the input @debdutdeb. I did not know about subscriptions earlier. Indeed, I created an endpoint subscriptions.exists?roomId=...&username=.... to check a user's membership for which I am checking whether a subscription exists for them or not. I have applied appropriate validation so that unauthorized users cannot access this endpoint.

abhinavkrin avatar Feb 07 '24 21:02 abhinavkrin

also idk if client caches the memberlist, might be a good idea to utilize if it does.

This was my initial approach, but the member list functionality does a search and receives a paginated result. So there is no guarantee that the required username would be present in the result or not.

abhinavkrin avatar Feb 07 '24 21:02 abhinavkrin

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Mar 27 '24 09:03 CLAassistant

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is targeting the wrong base branch. It should target 6.12.0, but it targets 6.11.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

dionisio-bot[bot] avatar Apr 12 '24 19:04 dionisio-bot[bot]