Users without permission can open "Create new discussion" and see all users on the system. #14382

Closed
pbengert opened this issue May 4, 2019 · 0 comments · Fixed by #15212

pbengert commented May 4, 2019

Description:

Users without permission can open "Create new discussion" and see all users on the system.

I need a system where all users can only see one special user and direct chat with that user.
But they should not see all the other users nor talk to them.
So I removed all permissions for role user except: View Direct Messages
Now users cannot create new channels, and using the search function they cannot see or find other users.
My special user creates a direct message to a normal user, so he can answer.
But now the normal user can click the + sign in the direct message, choose "Create new discussion" and see all the usernames in the "Create new discussion" window.
(Well, they cannot create the discussion; this is okay.)

Steps to reproduce:

  1. Go to permissions and remove all permissions from group users except "View Direct Messages"
  2. Create 3 new users named "test1" "test2" and "test3"
  3. Log in as admin and send a direct message to "test1"
  4. Log in as "test1"
  5. See if you can find the other users on the system via the find tools (no, you cannot get the other users)
  6. Go into the direct message from admin and click the plus sign, go to "Create new discussion"
  7. Go to the invite users field and write "t" and you will see all the other users
  8. You can click on such a user but it is not accepted in the field

Expected behavior:

a) you should not see all the other users, like you cannot find them with the search tool
or
b) you should not be able to open the window "Create new discussion"

Actual behavior:

[image]

[image]

Server Setup Information:

Running in docker 18.09.5 on ubuntu 18.04.2

Rocket.Chat
Version 1.0.2
Apps Engine Version 1.4.2
Database Migration 143
Database Migration Date Sat May 04 2019 19:07:00 GMT+0200 (Mitteleuropäische Sommerzeit)
Installed at Fri May 03 2019 07:22:27 GMT+0200 (Mitteleuropäische Sommerzeit)
Uptime 4 hours, 15 seconds
Deployment ID 6CespCWY5KEBntcy6
PID 8
Running Instances 1
OpLog Enabled
Commit
Hash abf67ce
Date Tue Apr 30 16:58:11 2019 -0300
Branch HEAD
Tag 1.0.2
Author Rodrigo Nascimento
Subject Merge pull request #14339 from RocketChat/release-1.0.2
Runtime Environment
OS Type Linux
OS Platform linux
OS Arch x64
OS Release 4.15.0-48-generic
Node Version v8.11.4
Mongo Version 4.0.9
Mongo Storage Engine mmapv1
OS Uptime 5 hours, 2 minutes, 24 seconds
OS Load Average 0.00, 0.00, 0.00
OS Total Memory 2.96 GB
OS Free Memory 475.57 MB
OS CPU Count 2
Build Environment
OS Platform linux
OS Arch x64
OS Release 4.15.0-1035-aws
Node Version v8.11.4
Date 30. April 2019 22:02

Additional context

Workaround for now:
Disable Discussion completely:
Administration -> Discussion -> Enable: False
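
A regression check for expected behavior (a), written as an added example that is not part of the original report and is not Rocket.Chat code: it models the three test accounts from the steps above and flags any lookup path that returns names the restricted role should not see. The permission names, the policy in `maySee`, and all function names are hypothetical; the report does not state the root cause.

```javascript
// Constructed model of the reproduction scenario; not Rocket.Chat code.
const users = ['admin', 'test1', 'test2', 'test3'];

// Existing direct-message rooms: admin opened one with test1 (step 3).
const directRooms = [['admin', 'test1']];

// Hypothetical permission names; role "user" keeps only direct messages (step 1).
const rolePermissions = {
  admin: new Set(['view-direct-messages', 'view-other-users']),
  user: new Set(['view-direct-messages']),
};
const roleOf = (name) => (name === 'admin' ? 'admin' : 'user');

// Assumed policy: a viewer sees a user only with the broad permission,
// or when the two already share a direct-message room.
function maySee(viewer, target) {
  const perms = rolePermissions[roleOf(viewer)];
  if (perms.has('view-other-users')) return true;
  return perms.has('view-direct-messages') &&
    directRooms.some((room) => room.includes(viewer) && room.includes(target));
}

const matches = (viewer, term) =>
  users.filter((u) => u !== viewer && u.startsWith(term));

// Path 1: the search tool, which hides other users (step 5).
const searchUsers = (viewer, term) =>
  matches(viewer, term).filter((u) => maySee(viewer, u));

// Path 2 as reported: the invite field matches on the typed text only (step 7).
const inviteAutocompleteReported = (viewer, term) => matches(viewer, term);

// Path 2 with the same policy applied, i.e. expected behavior (a).
const inviteAutocompleteFiltered = (viewer, term) =>
  matches(viewer, term).filter((u) => maySee(viewer, u));

// Returns every name a lookup path exposes that the policy forbids.
function findLeaks(lookup, viewer, terms) {
  const leaked = new Set();
  for (const term of terms) {
    for (const u of lookup(viewer, term)) {
      if (!maySee(viewer, u)) leaked.add(u);
    }
  }
  return [...leaked].sort();
}

const terms = ['a', 't'];
console.log('search  :', findLeaks(searchUsers, 'test1', terms));
console.log('reported:', findLeaks(inviteAutocompleteReported, 'test1', terms));
console.log('filtered:', findLeaks(inviteAutocompleteFiltered, 'test1', terms));
```

Against a real deployment, each lookup function would be replaced by a call made with the restricted account's session, one per place where usernames can be queried.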
