Inconsistent permission API/WebClient #7144
Comments
|
This means the permission check is only client side and not server side. Which means this effects not only the rest api but also the real time api. |
|
@Jasobeczek Let me know what you think of #7212, I believe it fixes the incorrect permissions. |
|
Yes, @graywolf336 your fixes are one way of correcting this bug. Thanks!. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Rocket.Chat Version: 0.56.0-rc.6
Running Instances: 1
DB Replicaset OpLog:Disabled
Node Version:v4.5.0
I created a permission role with only one permission called external_user:
view-joined-room: true
In web version of RocketChat user cannot search for any user or public channel which is desired action. But in API this doesn't work at all.
If I authorize as a test.user with those external_user permissions only I'm able to list channels and users using those requests:
/api/v1/users.list/api/v1/channels.listWhich in my opinion is a bug.
Expected behavior:
If user cannot see channels in web version he or she should not be able to look up them by API.
The text was updated successfully, but these errors were encountered: