joshfarrant / slack-clicky

#Clicky is a Chrome Extension which lets you share links to Slack in a single click!
https://chrome.google.com/webstore/detail/clicky-for-slack/bllgmdlgbbmijcoecbnmgeoekhebgmac
MIT License
53 stars, 15 forks

Permissions to Read? #5

Open wwb opened 8 years ago

wwb commented 8 years ago

I'm not sure this is an "issue" from a code perspective but I wanted to ask about the permissions the plugin asked for when I wanted to install it. I could get why the app would need some read permissions to get channel and chat names but I'm not sure why it needs to be able to read all my data for every channel?

joshfarrant commented 8 years ago

The reason #Clicky requests all permissions upfront is simply because there was no way to request more granular permissions from Slack when #Clicky was first built; it was essentially all-or-nothing.

I only realised today that it was now possible to request more granular permissions with Slack (funnily enough I received an email on this topic a few hours ago) so it's definitely something that I hope to resolve soon.

I've not had a chance to look into this in detail yet, however I do plan to do so this week. Hopefully I'll be able to bring those permission requests down to a more sensible level without compromising functionality.

Thanks for taking the time to let me know about this - I appreciate that no-one wants to be unnecessarily granting sweeping permissions giving full access to their organization's Slack team to an unknown Chrome Extension in the first place, especially if it's not clear why these permissions are required!

joshfarrant commented 8 years ago

Looking at the docs it looks like they've really opened it up so you can request the exact permissions the app needs, which is great!

A quick glance suggests the following scopes will be required to maintain current functionality:

It would be a shame to lose functionality, but the write scope could be removed for channels, groups, IMs, and MPIMs as it is granting a wide range of permissions for a relatively small piece of functionality (marking clicked messages as read).

joshfarrant commented 8 years ago

It turns out this should be fairly straightforward, however it appears that it's not something I can do right away as #Clicky uses Slack's RTM API, which isn't yet supported with their new OAuth scopes.

[screenshot: clicky tokens]

Until this is supported this will, unfortunately, need to be put on hold.

joshfarrant commented 8 years ago

Confirmed this with Slack's support, not possible to change this at the moment unfortunately.

[screenshot: slack-oauth-response]

wwb commented 8 years ago

Wow, thanks for the snappy response and for taking a look -- hopefully they can get this addressed soon by Slack.

Keep up the good work! At least with your app I can go and do a bit of a code review to make sure you aren't sending my snarky slacks to the world :+1:

joshfarrant commented 8 years ago

No problem, I'm grateful you brought it up! :smile_cat:

I hate having to ask for permissions that #Clicky doesn't need just as much as (if not more than) people hate granting them, so I plan to keep on top of this and get this fixed as soon as Slack make it possible.

Please do look through the code - I want to be as open and transparent as possible with this, of course no-one wants to worry about the security of their private communication.

Clicky does one simple job and that's it, no funny business!

asgerhallas commented 8 years ago

Hi, any news on this? :)

joshfarrant commented 7 years ago

I've been checking on this periodically, but still no change from Slack's side.

To connect to the stream we need to use the rtm.start method, which still requires the special auth scope of client. This scope is a sledgehammer which gives total access to everything, and there's no way of negotiating specific permissions when using it.

It's frustrating, but in all honesty I'm not expecting Slack to change this any time in the future.

joshfarrant commented 7 years ago

Still no change on this whatsoever...

Come on Slack, pull your fingers out.

joshfarrant commented 7 years ago

If you're coming to this issue hoping to see it resolved, then I'd suggest getting in touch with Slack directly and sending them a link to this issue asking when the feature will be added.

Short of that I'm not sure anything's actually going to change sadly.

DirkLachowski commented 6 years ago

Just out of curiosity: Why do you need rtm to post a link to a slack channel? Most slack apps I'm using are requesting minimal scopes and are still happily posting to a channel.

joshfarrant commented 6 years ago

For the core functionality, we could manage by just using the REST API to fetch a list of all channels, users, and post messages, that's true.

The stream was initially implemented to allow #Clicky to show a notification when you receive a message containing a link in Slack. When initiating the stream, Slack gives us a list of all the data we need (channels, users, etc.), so we don't bother to fetch the data from anywhere else.

I suppose that we could instead use the REST API for core functionality, then only request stream permissions when the user enables notifications. I'm open to PRs on this, but realistically it's not something I plan to implement myself as it's not a priority.
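The feature-gated scope request suggested in the last comment, together with the earlier point about dropping the write scopes that only serve the mark-as-read feature, can be sketched as follows. This is an added example and not slack-clicky's own code. The feature-to-scope mapping, the `core`/`markRead`/`notifications` feature names and the client id and redirect URI are assumptions made for the example; the scope names are Slack's legacy OAuth scopes from the period of the thread, `rtm.start` requiring `client` is as stated in the thread, and the comma-separated `X-OAuth-Scopes` response header is the one Slack returned on API calls at the time.

```javascript
// Added example (not slack-clicky code): request only the Slack scopes the
// enabled features need, flag the broad ones, and check the grant afterwards.

// Feature -> legacy Slack scopes. The grouping is an assumption for this example.
const FEATURE_SCOPES = {
  // Share a link: list conversations and users for the picker, then post as the user.
  core: ['channels:read', 'groups:read', 'im:read', 'mpim:read', 'users:read', 'chat:write:user'],
  // Mark the clicked message as read: needs write access to every conversation type.
  markRead: ['channels:write', 'groups:write', 'im:write', 'mpim:write'],
  // Notify on incoming links via the RTM stream: rtm.start needs the all-access `client` scope.
  notifications: ['client'],
};

// Scopes that grant far more than the single feature they serve; surfaced so the
// consent UI can warn before the user is sent to Slack.
const BROAD_SCOPES = new Set(['client', 'channels:write', 'groups:write', 'im:write', 'mpim:write']);

// Minimal, deduplicated, sorted scope list for the features the user turned on.
function scopesFor(enabledFeatures) {
  const scopes = new Set();
  for (const feature of enabledFeatures) {
    const needed = FEATURE_SCOPES[feature];
    if (!needed) throw new Error(`unknown feature: ${feature}`);
    needed.forEach((s) => scopes.add(s));
  }
  // `client` already covers everything; asking for narrower scopes alongside it is noise.
  if (scopes.has('client')) return ['client'];
  return [...scopes].sort();
}

// Which of the requested scopes are the sledgehammers worth a warning.
function broadScopesIn(scopes) {
  return scopes.filter((s) => BROAD_SCOPES.has(s));
}

// Legacy authorize URL; `state` should be a fresh random value stored locally so the
// callback can reject a response the extension never initiated.
function authorizeUrl(clientId, redirectUri, scopes, state) {
  const url = new URL('https://slack.com/oauth/authorize');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scopes.join(','));
  url.searchParams.set('state', state);
  return url.toString();
}

// After the grant, compare the X-OAuth-Scopes header Slack sends on API responses
// against what the enabled features need, so a partial grant is noticed rather
// than surfacing later as a confusing `missing_scope` error.
function missingScopes(grantedHeader, required) {
  const granted = new Set(grantedHeader.split(',').map((s) => s.trim()).filter(Boolean));
  if (granted.has('client')) return [];
  return required.filter((s) => !granted.has(s));
}

// Demo with placeholder client id / redirect URI (constructed values).
const linkSharingOnly = scopesFor(['core']);
console.log('link sharing only:', linkSharingOnly);
console.log('broad scopes added by mark-as-read:', broadScopesIn(scopesFor(['core', 'markRead'])));
console.log('with notifications:', scopesFor(['core', 'notifications']));
console.log(authorizeUrl('000000000000.000000000000', 'https://example.invalid/oauth/callback', linkSharingOnly, 'random-state-value'));
console.log('missing after a partial grant:', missingScopes('channels:read, users:read', linkSharingOnly));
```

The point of separating `core` from `notifications` is visible in the output: sharing links alone never needs `client`, and turning on the RTM-based notifications is the single toggle that collapses the request to the all-access scope, so the extension can explain exactly why before it asks.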