
[BUG] non owner can add any user/bot to channels #7532

Closed
localguru opened this issue Jul 19, 2017 · 2 comments

Comments

Contributor

localguru commented Jul 19, 2017

  • Operating System / Version / Architecture (64 bit?): Ubuntu 16.04 LTS, 64 bit

  • Browser type & Version: Firefox 54.0 (64-Bit)

  • Desktop Environment (if desktop app) / Version: Linux, Rocket.Chat+ Version 2.8.0

  • Rocket.Chat Version: 0.57.1, self build bundle

  • Running Instances: 1

  • DB Replicaset OpLog: yes

  • Node Version: 4.5

  • mongodb-org: 3.4.5

  • Actual behavior (In other words, the "bug")

Entering a (public) channel as a non-owner, it's possible via an @username post to add any user, and even bots, to a channel. The Members List of a channel only allows the owner to add others, just as the REST API channels.invite results in error-not-allowed for any non-owner inviting other users.

In particular the possibility for any user to add bots to any channel at will might be a security issue.

  • Expected behavior

Adding users to channels should only be allowed for the channel owner, unless a user enters a channel on their own. Using @username as a non-owner in channels should be handled like in private rooms.

If this is expected behavior, then the bug is the inconsistency between the permissions of the Members List and REST API channels.invite and the possibility of adding users just via an @username post.

  • Can it be reproduced? If yes, how?

Enter a channel as a non-owner and type e.g. @hubot -> hubot Has joined the channel.

  • Screen shots


  • related issues

#2588 #7489
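The report above describes two entry points to the same privileged action (adding a member to a room) with different authorization checks. The following is an added example, not Rocket.Chat's code, that models the defensive fix a reviewer would ask for: one authorization function that every path calls, so the REST invite and the @mention handler cannot disagree. The room and user shapes, the `mentionPullsIntoPublic` policy flag and the sample users (alice, bob, hubot) are constructed for the example; only the `channels.invite` name and the `error-not-allowed` string come from the issue text.

```javascript
// Added example (not Rocket.Chat code): put the "add member to a room" action
// behind one authorization function that every entry point calls (REST
// channels.invite, Members List, and an @mention inside a message).
// Room/user shapes and the policy flag are hypothetical, not Rocket.Chat's.

// Constructed sample room: a public channel owned by alice, with bob as a
// plain member; hubot is a bot account that is not yet in the channel.
function makeRoom() {
  return {
    name: "general",
    isPublic: true,
    owners: ["alice"],
    members: ["alice", "bob"],
  };
}

// Constructed sample users.
const users = {
  alice: { id: "alice", isBot: false },
  bob: { id: "bob", isBot: false },
  hubot: { id: "hubot", isBot: true },
};

// Single choke point. Policy modelled on the reporter's expected behaviour:
// owners may add anyone; a user may join on their own; nobody else may add
// a third party (bots included).
function canAddMember(room, actor, target) {
  if (actor.id === target.id) return true; // self-join
  return room.owners.includes(actor.id); // owner adds anyone
}

// Core add operation. Returns the same error string the issue cites for the
// REST path, so callers see identical behaviour whichever way they came in.
function addMember(room, actor, target, via) {
  if (!canAddMember(room, actor, target)) {
    return { ok: false, error: "error-not-allowed", via };
  }
  if (!room.members.includes(target.id)) room.members.push(target.id);
  return { ok: true, via };
}

// REST-style entry point.
function inviteViaApi(room, actor, target) {
  return addMember(room, actor, target, "channels.invite");
}

// Mention handler. With policy.mentionPullsIntoPublic set, a mention in a
// public channel bypasses the check (the "fluid public channel" behaviour
// the maintainer describes); with it unset, mentions go through the same
// choke point as the API and a non-owner mentioning a bot gets refused.
function handleMessage(room, actor, text, policy) {
  const results = [];
  for (const m of text.matchAll(/@(\w+)/g)) {
    const target = users[m[1]];
    if (!target || room.members.includes(target.id)) continue; // unknown or already in
    if (policy.mentionPullsIntoPublic && room.isPublic) {
      room.members.push(target.id);
      results.push({ ok: true, via: "mention" });
    } else {
      results.push(addMember(room, actor, target, "mention"));
    }
  }
  return results;
}
```

Running `handleMessage(makeRoom(), users.bob, "hey @hubot", { mentionPullsIntoPublic: false })` returns `error-not-allowed`, matching what `inviteViaApi` returns for the same actor and target; flipping the flag reproduces the behaviour the report complains about, which makes the discrepancy a single configuration decision rather than two divergent code paths.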

@geekgonecrazy
Contributor

@localguru this is by design. In a private channel this is not possible and it does exactly what you say. But a public channel is designed to be fluid, to allow mentioning and bringing people into the conversation.

Closing since not a bug. Also this discussion already exists: #4286

@localguru
Contributor Author

@geekgonecrazy good to know. But then I don't understand why I can't add users as a non-owner just via the Members List of a channel or by REST API channels.invite. This is inconsistent then. And in the case of a bot I'm not sure if this is a good idea at all.
