euphoria-io / heim

A real-time community platform.
https://euphoria.io

Non-hosts can access the host UI via console commands #90

Open ckingdev opened 8 years ago

ckingdev commented 8 years ago

Opening the console in a room and executing Heim.chat.store.state.isManager = true changes the UI to that of a host. The user can now view the IDs of users in the room. Attempting to PM someone results in the room crashing. (see report d5d1b0c9eba24ef4861c9a61c45be3a9)

jedevc commented 8 years ago

As for seeing the user IDs, that's always been possible using a bot or even just inspecting the packets going through the websocket.

The crashing could probably be fixed though...

ckingdev commented 8 years ago

IMO it's more important for future development. It makes it much easier to have bugs w.r.t. authentication if a user can already see the host UI.

CylonicRaider commented 6 years ago

Au contraire, authentication checks ought to be independent of visibility checks. Making the host UI available (in a hidden way) can serve as a vehicle for testing instead.
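The design point raised in the last comment, server-side authorization that does not depend on what the client UI shows or claims, as an added example. This is illustrative code written for this page, not heim's own backend; the Session, Packet, Room and Role names, the "who" and "pm" command names, and the ClaimedManager field are assumptions standing in for a client-controlled flag like store.state.isManager.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Role is the server's own record of what a session may do.
// Hypothetical type for this example; heim's real session model differs.
type Role int

const (
	RoleGuest Role = iota
	RoleManager
)

// Session is server-side state about one connected client.
type Session struct {
	ID        string // connection/session identifier
	AccountID string // the user behind the connection
	Role      Role
}

// Packet is what arrives over the websocket. ClaimedManager stands in for
// any client-controlled flag (like store.state.isManager flipped from the
// console): the client may send anything here, so Handle never reads it
// for authorization. It exists only to show that it is ignored.
type Packet struct {
	Type           string
	ClaimedManager bool
	To             string
	Text           string
}

var (
	ErrUnknownSession = errors.New("unknown session")
	ErrNotManager     = errors.New("manager privileges required")
	ErrNoSuchUser     = errors.New("no such user in room")
	ErrUnknownCommand = errors.New("unknown command")
)

// Room holds the server-side view of who is connected.
type Room struct {
	sessions map[string]*Session
}

func NewRoom() *Room { return &Room{sessions: map[string]*Session{}} }

func (r *Room) Join(s *Session) { r.sessions[s.ID] = s }

// requireManager answers "is this caller a manager?" from server state only.
func (r *Room) requireManager(sessionID string) (*Session, error) {
	s, ok := r.sessions[sessionID]
	if !ok {
		return nil, ErrUnknownSession
	}
	if s.Role != RoleManager {
		return nil, ErrNotManager
	}
	return s, nil
}

// Handle dispatches one packet. Whether the client UI showed the command
// plays no part here: every privileged branch re-checks the role itself.
func (r *Room) Handle(sessionID string, p Packet) (string, error) {
	switch p.Type {
	case "who":
		// Account IDs of present users are not secret (they are in the
		// websocket traffic anyway), so no role check.
		ids := make([]string, 0, len(r.sessions))
		for _, s := range r.sessions {
			ids = append(ids, s.AccountID)
		}
		sort.Strings(ids)
		return fmt.Sprintf("%v", ids), nil
	case "pm":
		from, err := r.requireManager(sessionID)
		if err != nil {
			return "", err // rejected, not crashed, whatever p.ClaimedManager says
		}
		for _, s := range r.sessions {
			if s.AccountID == p.To {
				return fmt.Sprintf("pm %s -> %s: %s", from.AccountID, s.AccountID, p.Text), nil
			}
		}
		// A bad target is an error returned to the client, not a server fault.
		return "", ErrNoSuchUser
	default:
		return "", ErrUnknownCommand
	}
}

func main() {
	room := NewRoom()
	room.Join(&Session{ID: "s-guest", AccountID: "mallory", Role: RoleGuest})
	room.Join(&Session{ID: "s-host", AccountID: "host", Role: RoleManager})
	room.Join(&Session{ID: "s-alice", AccountID: "alice", Role: RoleGuest})

	// Forged client flag: the server still sees a guest.
	_, err := room.Handle("s-guest", Packet{Type: "pm", ClaimedManager: true, To: "alice", Text: "hi"})
	fmt.Println("forged flag:", err)

	out, err := room.Handle("s-host", Packet{Type: "pm", To: "alice", Text: "hi"})
	fmt.Println("real manager:", out, err)
}
```

With this split, exposing the host UI to everyone (hidden or not) changes nothing about who can actually send a PM: the client flag is never consulted, and a non-manager who reaches the command gets a clean error instead of a crash.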