RocketChat / Rocket.Chat.ReactNative

Rocket.Chat mobile clients
https://rocket.chat
MIT License

Users that shouldn't be able to see DMs can #3572

Open JoeBloggs3 opened 2 years ago

JoeBloggs3 commented 2 years ago

Description:

User is assigned a role that is marked as not being able to view Direct Messages (for testing I assigned a new role that had NOTHING in the permissions screen ticked, and this was set as that user only having that role). As another user with the ability to create and view DMs, I sent a DM to this user. As expected, I couldn't see the DM if I was logged in via Firefox, but if I logged into the Android app, I could, and was able to reply. I should also note that via Firefox, I was also able to reply, but not see anything that was sent back to the no-DM user. For clarity, this is the workflow:

1) JoeBloggs is created as admin. He has all admin access, including being able to create and send Direct Messages.
2) JoeBloggs creates the NoDM user and sets their only role as a new NoDM role that has nothing set within the permission screen.
3) The NoDM user logs into the workspace on Android (tried on both the RocketChat and RocketChat Experimental apps for good measure).
4) JoeBloggs sends a Direct Message to the NoDM user. The notification is seen by the NoDM user and they can open the DM channel and reply.

Environment Information:

Steps to reproduce:

1) JoeBloggs is created as admin. He has all admin access, including being able to create and send Direct Messages.
2) JoeBloggs creates the NoDM user and sets their only role as a new NoDM role that has nothing set within the permission screen.
3) The NoDM user logs into the workspace on Android (tried on both the RocketChat and RocketChat Experimental apps for good measure).
4) JoeBloggs sends a Direct Message to the NoDM user. The notification is seen by the NoDM user and they can open the DM channel and reply.

Expected behavior:

Direct Messages are NOT viewable by the NoDM user and certainly they shouldn't be able to reply!

Actual behavior:

Direct Messages ARE viewable by the NoDM user and they CAN reply.

Additional context:

TNF13 commented 2 years ago

I have seen this issue in our instance as well with iOS.

diegolmello commented 2 years ago

@JoeBloggs3 Thanks for reporting. Found this issue on the main repo https://github.com/RocketChat/Rocket.Chat/issues/20399 Are you able to reproduce this issue on web? Imo we should limit this direct message creation on backend rather than letting them get created and filtering out on clients.
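The comment above contrasts two designs: let the server create the DM room for anyone and rely on each client to hide it, or refuse on the server so no client can bypass the rule. The following is an added illustration written for this page, not code from Rocket.Chat or from the React Native client. The users and roles are a constructed fixture mirroring the report, and the permission labels `create-d` and `view-d-room` are assumed names for "create DMs" and "participate in DMs", not a statement about Rocket.Chat's actual permission set. It runs the reporter's workflow through both designs and shows that a client which forgets the permission filter sees and can reply in the room under the first design but never receives a room under the second.

```javascript
// Added example, not Rocket.Chat code. Models server-side enforcement of DM
// permissions versus client-side filtering. Permission names are assumptions.
const PERM_CREATE_DM = "create-d";   // assumed label: may create DMs
const PERM_VIEW_DM = "view-d-room";  // assumed label: may see/use DMs

// Constructed fixture matching the report: an admin, and a user whose only
// role has nothing ticked in the permissions screen.
const ROLE_PERMISSIONS = {
  admin: new Set([PERM_CREATE_DM, PERM_VIEW_DM]),
  NoDM: new Set(),
};
const USERS = {
  JoeBloggs: { roles: ["admin"] },
  NoDM: { roles: ["NoDM"] },
};

function hasPermission(userId, perm) {
  const user = USERS[userId];
  if (!user) return false;
  return user.roles.some((r) => ROLE_PERMISSIONS[r]?.has(perm));
}

function newStore() {
  return { rooms: [] };
}

// Design 1: the server checks only the caller, creates the room, and leaves
// hiding it from an unpermitted member to each client.
function createDmClientFiltered(store, from, to) {
  if (!hasPermission(from, PERM_CREATE_DM)) throw new Error(`${from} may not create DMs`);
  const room = { id: `${from}__${to}`, members: [from, to], messages: [] };
  store.rooms.push(room);
  return room;
}
function sendMessageClientFiltered(store, roomId, from, text) {
  const room = store.rooms.find((r) => r.id === roomId);
  if (!room || !room.members.includes(from)) throw new Error("not a member");
  room.messages.push({ from, text });
  return room.messages.length;
}

// Design 2: the server gates creation and sending on every participant's
// permission, so the outcome does not depend on which client is used.
function createDmEnforced(store, from, to) {
  if (!hasPermission(from, PERM_CREATE_DM)) throw new Error(`${from} may not create DMs`);
  for (const member of [from, to]) {
    if (!hasPermission(member, PERM_VIEW_DM)) {
      throw new Error(`${member} may not participate in DMs`);
    }
  }
  return createDmClientFiltered(store, from, to); // same storage, stricter gate
}
function sendMessageEnforced(store, roomId, from, text) {
  if (!hasPermission(from, PERM_VIEW_DM)) throw new Error(`${from} may not use DMs`);
  return sendMessageClientFiltered(store, roomId, from, text);
}

// Two clients reading the same room list: one applies the permission filter,
// the other (as the mobile app in the report appears to) does not.
function roomsSeenByFilteringClient(store, userId) {
  if (!hasPermission(userId, PERM_VIEW_DM)) return [];
  return store.rooms.filter((r) => r.members.includes(userId));
}
function roomsSeenByUnfilteredClient(store, userId) {
  return store.rooms.filter((r) => r.members.includes(userId));
}

// Run the reporter's workflow under both designs and return what the NoDM
// user ends up able to see and do in each.
function runScenario() {
  const result = {};

  const s1 = newStore();
  const room = createDmClientFiltered(s1, "JoeBloggs", "NoDM");
  let replied = true;
  try { sendMessageClientFiltered(s1, room.id, "NoDM", "hi"); } catch { replied = false; }
  result.clientFiltered = {
    filteringClientSees: roomsSeenByFilteringClient(s1, "NoDM").length,
    unfilteredClientSees: roomsSeenByUnfilteredClient(s1, "NoDM").length,
    noDmCouldReply: replied,
  };

  const s2 = newStore();
  let created = true;
  try { createDmEnforced(s2, "JoeBloggs", "NoDM"); } catch { created = false; }
  result.enforced = {
    roomCreated: created,
    unfilteredClientSees: roomsSeenByUnfilteredClient(s2, "NoDM").length,
  };
  return result;
}
```

Under the first design `runScenario()` reports that the filtering client sees no room while the unfiltered client sees one and NoDM can reply, which is the behaviour the issue describes across web and mobile. Under the second design the room is never created, so there is nothing for any client to filter and nothing for NoDM to reply to; `sendMessageEnforced` adds the same gate on the send path in case a room already exists from before the role change.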

JoeBloggs3 commented 2 years ago

@diegolmello If I try my workflow on the web I can see I have a message but I can't view it. Would agree with the viewpoint that the server should police the creation/sending out of messages rather than sending everything and then getting the client side to filter.