Modmail icon indicating copy to clipboard operation
Modmail copied to clipboard

Published 20 hours ago verified publisher icon modmail-dev

Configuration for ticket channel names

Open nitrofski opened this issue 3 years ago • 3 comments

Is your feature request related to a problem? Please elaborate.

Private channels in discord cannot be accessed, but can still be discovered by can be discovered using third-party clients. This allows anyone to view the names of the currently open tickets. Since the current ticket name is the mangled ID of the Discord user that opened the ticket, anyone can theoretically see who has opened a ticket. One of the main reason we use Modmail is to keep all information relating to ongoing issues private, having the user ID in the channel name is problematic.

Describe the solution you'd like

A configuration to change the channel naming strategy.

Optionally, changing the default channel naming to the more anonymous version so other servers are not surprised by the channel discoverability issue.

Does your solution involve any of the following?

  • [ ] Logviewer
  • [X] New config option

Describe alternatives you've considered

Opening threads in a single channel instead of completely new channels — threads are short lived, so unless Modmail continuously refreshes it this would not be viable

Who will this benefit?

Everyone concerned about secrecy.

Additional Information

No response

nitrofski avatar Mar 24 '22 14:03 nitrofski

As mentioned in #2982, plugins can now extend Bot.format_channel_name(bot, author, exclude_channel=None, force_null=False).

In addition, a variety of config options have already been added regarding channel names such as use_timestamp_channel_name.

As such, custom channel names are now further out of the scope of Modmail and plugins should be the ones extending this functionality.

fourjr avatar Apr 24 '22 12:04 fourjr

Would it be a good idea to have a configuration which allowed randomized names/numbers? While this would make it difficult for moderators to keep track of whose ticket is which it would help people who are concerned about privacy/secrecy

Atharv-Agarwal avatar Apr 25 '22 05:04 Atharv-Agarwal

https://github.com/kyb3r/modmail/commit/17b2f89e9ae402b27516c86562a7d67c0008ed7f adds a use_random_channel_name in v4-dev12.

The algorithm for this random channel name is as follows:

  • Using a portion of the token and the user ID, an MD5 hash is created.
  • The last 8 characters of this MD5 hash is used for the channel name.

This accomplishes the following objectives:

  • A random channel name that is not immediately tied to anything.
  • A form of familiarity for same users (identical hash for identical bot+user combination) to quickly notice spammers
  • Non-reversible: Hashes are by nature, irreversible and anyone knowing simply the channel name is not able to obtain the bot token or the user ID. Furthermore, only a portion of the hash is displayed, making it literally impossible to reverse.
  • Due to the hash incorporating the bot token, malicious actors without the token cannot bruteforce all possibilities to find out the recipient of a channel.

fourjr avatar May 03 '22 14:05 fourjr