
"Remove" button is available to users without "m.room.redaction" permission

Open AndrewFerr opened this issue 3 years ago • 1 comments

Steps to reproduce

  1. Set the power levels of a room so that redact <= level of a designated user < events: m.room.redaction
  2. As someone other than the designated user, send a message in that room
  3. As the designated user, hover over a message & click on the "..." button

Outcome

What did you expect?

Since the acting user doesn't have a power level high enough to send redaction events, there should be no option to remove the message.

What happened instead?

The "Remove" button is visible, and clicking it fails with M_FORBIDDEN, as it should per spec.

Notably, the "Remove" button does not appear on messages sent by yourself; it only appears on messages sent by others.

Operating system

No response

Browser information

No response

URL for webapp

No response

Application version

Element version 1.10.12

Homeserver

No response

Will you send logs?

No

AndrewFerr avatar Jun 17 '22 18:06 AndrewFerr

Feels like the check is a bit weird if it's hiding it for self-sent messages (as it should) but not for other people's messages. Sounds like a missed case in the if/else ladder somewhere.

turt2live avatar Jun 17 '22 19:06 turt2live

Hi, I am starting to work on this issue

jayp5545 avatar Jan 28 '23 14:01 jayp5545

Can someone help to reproduce this issue locally? Is it possible to explain this: "Set the power levels of a room so that redact <= level of a designated user < events: m.room.redaction"

hussainmustafa95 avatar Feb 27 '23 21:02 hussainmustafa95
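
The power-level setup from the steps to reproduce, and the two thresholds a redaction has to clear, as an added example that is not part of the original thread and is not Element's code. The user IDs, the numeric levels and the helper names `canRedact` and `meetsRedactLevel` are assumptions made for illustration.

```javascript
// Constructed m.room.power_levels content matching the issue's condition:
// redact (50) <= designated user's level (50) < events["m.room.redaction"] (100).
const powerLevels = {
  users: { "@admin:example.org": 100, "@designated:example.org": 50 },
  users_default: 0,
  events: { "m.room.redaction": 100 },
  events_default: 0,
  redact: 50,
};

// Power level of a user, falling back to users_default.
function userLevel(pl, userId) {
  return pl.users?.[userId] ?? pl.users_default ?? 0;
}

// Level required to send a non-state event of the given type.
function sendLevel(pl, eventType) {
  return pl.events?.[eventType] ?? pl.events_default ?? 0;
}

// The `redact` threshold on its own (spec default 50). Passing this alone
// is not enough to redact anything.
function meetsRedactLevel(pl, userId) {
  return userLevel(pl, userId) >= (pl.redact ?? 50);
}

// Hypothetical helper: should a "Remove" option be offered for this message?
function canRedact(pl, userId, messageSender) {
  // A redaction is itself an m.room.redaction event, so the user must be
  // allowed to send that event type, whoever wrote the target message.
  if (userLevel(pl, userId) < sendLevel(pl, "m.room.redaction")) return false;
  // Own messages need nothing more; other people's also need `redact`.
  return messageSender === userId || meetsRedactLevel(pl, userId);
}

const designated = "@designated:example.org";
console.log("meets redact level:", meetsRedactLevel(powerLevels, designated));
console.log("can redact another user's message:",
  canRedact(powerLevels, designated, "@admin:example.org"));
```

To reproduce the room state locally, send content shaped like `powerLevels` as the room's `m.room.power_levels` state event from an account with enough power to change it.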