DoubleBastionAdmin / sms-relentless


All numbers linked to the Telnyx account are displayed #4

Closed SolutionsKrezus closed 11 months ago

SolutionsKrezus commented 12 months ago

Hello, I configured the module with Telnyx and all the numbers linked to my account are displayed in Nextcloud. For security reasons and to simplify administration, it would be great if the module only retrieved the numbers linked to the Telnyx messaging profile ID instead of the whole account, using this part of the API for example:

https://developers.telnyx.com/openapi/messaging/tag/Messaging-Profiles/#tag/Messaging-Profiles/operation/listMessagingProfilePhoneNumbers

Thanks for your consideration and this wonderful module.

DoubleBastionAdmin commented 12 months ago

The fact that the application lists all the phone numbers associated with the API keys of the Telnyx account is normal, since every admin user should see a list with all his Telnyx numbers, to be able to decide what number he will use as a Sender ID. If an admin wants to share his phone numbers with a non-admin user, he can enter the name of the non-admin user, or the group to which the non-admin user belongs, in the 'Users Allowed' or 'Groups Allowed' boxes, in the Telnyx section, on the admin settings page of the app. In this way, the non-admin user will see all the phone numbers associated with the API keys that were shared with him. Then, to allow the non-admin user to see and use only specific phone numbers, the admin can restrict access to those phone numbers to that user, under "Restrict access to the following phone numbers:", on the admin settings page. If a shared phone number is restricted to a certain non-admin user, that user will be able to see and use only that number.

The fact that an admin sees all the numbers associated with his API keys is a necessity and doesn't diminish security. The only purpose of saving a Messaging Profile ID on the settings page is that Telnyx doesn't allow sending SMS messages with alphanumeric Sender IDs without mentioning a Messaging Profile ID. So, the Messaging Profile ID is actually used by the application only when the user sends an SMS message using an alphanumeric sequence (like Global Inc) as Sender ID instead of a phone number.
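The visibility rules described in the reply above, modelled as an added example (not the app's own code) so an admin can check who still sees every number on the account. The class, function and field names and the sample numbers and users are constructed; the model assumes a number restricted to one user stays visible to other shared users who have no restriction of their own, which the thread does not state either way.

```python
from dataclasses import dataclass, field


@dataclass
class TelnyxSharing:
    """Constructed model of the Telnyx section of the admin settings page."""
    numbers: list                                      # every number behind the admin's API keys
    users_allowed: set = field(default_factory=set)    # 'Users Allowed' box
    groups_allowed: set = field(default_factory=set)   # 'Groups Allowed' box
    # "Restrict access to the following phone numbers:" as {number: {users}}
    restricted: dict = field(default_factory=dict)


def visible_numbers(cfg, user, groups=frozenset(), is_admin=False):
    """Numbers a user can see and use as Sender ID under the rules in the thread."""
    if is_admin:
        return list(cfg.numbers)          # the admin always sees the whole list
    shared = user in cfg.users_allowed or bool(set(groups) & cfg.groups_allowed)
    if not shared:
        return []                         # API keys were never shared with this user
    pinned = [n for n in cfg.numbers if user in cfg.restricted.get(n, set())]
    # A user with at least one restriction sees only those numbers;
    # a shared user with none sees everything behind the shared keys.
    return pinned or list(cfg.numbers)


def unrestricted_users(cfg, directory):
    """Audit helper: non-admin users who can still see every number."""
    if not cfg.numbers:
        return []
    return sorted(user for user, groups in directory.items()
                  if len(visible_numbers(cfg, user, groups)) == len(cfg.numbers))


# Constructed sample configuration and user directory ({user: groups}).
SAMPLE = TelnyxSharing(
    numbers=["+15550100", "+15550101", "+15550102"],
    users_allowed={"alice", "bob"},
    groups_allowed={"support"},
    restricted={"+15550101": {"bob"}},
)
DIRECTORY = {"alice": set(), "bob": set(), "carol": {"support"}, "dave": {"sales"}}

if __name__ == "__main__":
    for name, member_of in DIRECTORY.items():
        print(name, visible_numbers(SAMPLE, name, member_of))
    print("see whole account:", unrestricted_users(SAMPLE, DIRECTORY))
```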