User can start meeting in a channel that they do not have appropriate permissions to post in #223
I don't know if this is necessarily a Zoom plugin issue, but since it was the Zoom plugin where I noticed it I thought I would start here; if I need to open an issue in the main MM repo I can do that, or maybe it's just a config setting on our end.
We have a channel that we have effectively made read-only using channel moderation so that only channel admins can post. However, the other day someone who is not a channel admin was able to click the Zoom plugin button in the channel and it posted the "I have started a meeting" dialog to the channel.
Is there a way to prevent this?
Comments
@ewwollesen Would you expect someone who is indeed a channel admin to be able to use the plugin to create a meeting in the read-only channel? @aaronrothschild What are your thoughts on this?
@mickmister Yeah, I think from my perspective I would expect the plugin to follow the permissions set for the channel based on whoever pressed the button/used the slash command. So if a user has permission to post then the "join meeting" dialog would post to the channel, but if they didn't it would give them an error. I will say that in the grand scheme of things this is pretty minor. We only have like two channels out of thousands where we have permissions set like this, but I thought it was worth mentioning anyway.
Agree with Wayne, it's minor but could be a way around for some to cause havoc, because those "read-only" channels are usually populated with "Everyone at the organization" and are used for mass announcements, etc. So this could be a fairly visible "bypass". I believe we now post "as the user" to the channel... I guess plugins can simply post on behalf of a user, even if that user cannot post to the channel? I think we should check that the user has permission to post to the channel and block it if they don't have access for now. Side note for @mickmister: the longer-term answer is IMO a Zoom App which has scopes that limit what the bot can post in channels based on the user's permissions in that channel. We should enforce that a bot cannot post on behalf of a user in a read-only channel that the user doesn't have access to.
@aaronrothschild This should already be covered, since the user wouldn't be able to do that with their token anyway.
This is similar to the msteams issue, so will work on this once we resolve that one. mattermost/mattermost-plugin-msteams-meetings#29
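The check proposed in the thread (verify that the user who pressed the button may post in the channel before the plugin posts on their behalf), as an added illustration that is not the Zoom plugin's own code. The `PermissionChecker` and `Poster` interfaces and the `fakeHost` stand-in are assumptions made here so the example runs offline; the Mattermost plugin API does expose a channel-permission check, but its exact types are not taken from this page. The point the example makes is the one in the discussion: a plugin's post-creation path is privileged and does not apply the acting user's permissions by itself, so the authorization decision has to be made explicitly before that call.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission stands in for the host's permission type (assumption for this
// example; the real plugin API uses its own model type).
type Permission string

// PermissionCreatePost is the permission that channel moderation removes from
// non-admins in a read-only channel.
const PermissionCreatePost Permission = "create_post"

// PermissionChecker is the one host capability the fix needs: an authoritative
// answer to "may this user post in this channel?" (hypothetical interface).
type PermissionChecker interface {
	HasPermissionToChannel(userID, channelID string, perm Permission) bool
}

// Poster is the privileged post-creation path a plugin uses when it posts on a
// user's behalf; it does not apply that user's permissions on its own.
type Poster interface {
	CreatePost(userID, channelID, message string) error
}

// ErrNotPermitted is returned instead of posting when the check fails.
var ErrNotPermitted = errors.New("user is not permitted to post in this channel")

// StartMeeting is the plugin-side handler for the button / slash command.
// The permission check runs before the privileged CreatePost call, so a
// moderated channel stays read-only for everyone except its admins.
func StartMeeting(pc PermissionChecker, p Poster, userID, channelID, joinURL string) error {
	if !pc.HasPermissionToChannel(userID, channelID, PermissionCreatePost) {
		return ErrNotPermitted
	}
	return p.CreatePost(userID, channelID, "I have started a meeting: "+joinURL)
}

// fakeHost is a constructed in-memory stand-in for the server: a channel is
// read-only when moderation restricts create_post to channel admins.
type fakeHost struct {
	readOnly      map[string]bool            // channelID -> moderation enabled
	channelAdmins map[string]map[string]bool // channelID -> set of admin userIDs
	Posts         []string                   // what actually got posted
}

// newFakeHost builds the constructed sample state: "announcements" is
// read-only with a single channel admin, "general" is unmoderated.
func newFakeHost() *fakeHost {
	return &fakeHost{
		readOnly:      map[string]bool{"announcements": true},
		channelAdmins: map[string]map[string]bool{"announcements": {"admin": true}},
	}
}

func (h *fakeHost) HasPermissionToChannel(userID, channelID string, perm Permission) bool {
	if perm != PermissionCreatePost {
		return false
	}
	if !h.readOnly[channelID] {
		return true // unmoderated channel: any member may post
	}
	return h.channelAdmins[channelID][userID]
}

func (h *fakeHost) CreatePost(userID, channelID, message string) error {
	h.Posts = append(h.Posts, channelID+"/"+userID+": "+message)
	return nil
}

func main() {
	h := newFakeHost()
	for _, c := range []struct{ user, channel string }{
		{"alice", "announcements"}, // non-admin in read-only channel: blocked
		{"admin", "announcements"}, // channel admin: allowed
		{"alice", "general"},       // unmoderated channel: allowed
	} {
		err := StartMeeting(h, h, c.user, c.channel, "https://zoom.example/j/0")
		fmt.Printf("%s in %s: err=%v\n", c.user, c.channel, err)
	}
	fmt.Println("posts:", h.Posts)
}
```

Keeping the check in the handler rather than in the post helper makes the denial visible to the user as an error, which is the behaviour the reporter asked for, and the permission decision is delegated to the server's own moderation state rather than re-implemented in the plugin.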