focalboard icon indicating copy to clipboard operation
focalboard copied to clipboard

Published 20 hours ago verified publisher icon mattermost

Bug: Guests can access boards linked to a channel

Open wuwinson opened this issue 2 years ago • 5 comments

Steps to reproduce the behavior

  1. Invite a guest to a channel
  2. Link boards to the same channel
  3. Login as the guest
  4. Go to the channel and click on the boards linked on the channel
  5. See error - guest is able to access those boards even though they're not an explicit member

Expected behavior

Guests should not have access any board unless they were added as an explicit member. See this thread for reference.

Screenshots (optional)

https://user-images.githubusercontent.com/93531870/188013397-d4bc393e-b5ca-40e7-9d2c-bae016aa9b68.mov

Edition and Platform

  • Edition: Mattermost Boards (plugin)
  • Version: v7.3
  • Browser and OS: Chrome on Mac

wuwinson avatar Sep 01 '22 21:09 wuwinson

@wuwinson should the Linked Channels RHS in Channels be rendered for a Guest user at all then?

Pinjasaur avatar Sep 01 '22 21:09 Pinjasaur

@Pinjasaur Only for the boards where they are an explicit member. Other boards should be hidden.

wuwinson avatar Sep 01 '22 21:09 wuwinson

While testing this locally I realized that this should probably apply to the Search Boards modal, too. Currently a guest can search for a board they are an implicit member of via a channel association. Is that correct @wuwinson?

Pinjasaur avatar Sep 13 '22 22:09 Pinjasaur

Good catch! Yep, guests should not be able to search for any boards they're not an explicit member of.

wuwinson avatar Sep 13 '22 22:09 wuwinson

Good catch! Yep, guests should not be able to search for any boards they're not an explicit member of.

cc @sbishel

Pinjasaur avatar Sep 13 '22 23:09 Pinjasaur