Mattermost, Inc.

Is there a way to distinguish if a mattermost user is logged in from internal company network?

We are developing some slash commands to launch internal processes from mattermost.

The slash command api is really awesome!! And it works great.

But we would like to only allow users who are logged in to mattermost from the internal company network to be able to launch these slash commands.

In other words we want to reduce the chance that our mattermost server (which is available on the internet) can be attacked and launch these slash commands.

Are there any security measures we can take, to ensure users logged on to mattermost from outside the company network can NOT launch slash commands?

Hi @vikingsteve,

Glad to hear you like slash commands!

Unfortunately we don’t have any way to distinguish between users logged in and sending requests from within a certain network or from outside it. You might be able to set up a load balancer to block certain API calls from any external IP address but I can’t guarantee that will work.

If you think this is something that would be useful in the product, could I have your help creating a feature request?

Cheers

Actually what would be most useful is to use the REST api on the mattermost server to query the logged in users and get their details, user_id, real name and ip address.

Then I could do some checking on the ip address. In slack this rest api call is named accessLogs (teams.accessLogs I think).

Does mattermost API offer the same, and can you point me to the docs for it?

Sorry for the late response, take a look inside api/admin.go at the route for /audits. That might be what you’re looking for.
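Below is an added example, not part of this thread and not Mattermost project code, showing how the check sketched in the previous posts could be wired into a slash-command handler: verify the per-command token Mattermost sends, look up the invoking user's most recent recorded address in the audit records, and refuse unless that address is inside the company network. Everything it relies on is an assumption made for the example: the audit entries are constructed inline in a shape modelled on the Mattermost audit records (fields `user_id`, `ip_address`, `create_at`), the slash-command form fields `token` and `user_id`, the internal ranges, and the proxy address. Fetching real audit records (the thread points at the `/audits` route) is left to the reader; the example runs offline on the constructed data.

```python
"""Deny a Mattermost slash command unless the invoking user's most recent
recorded address is inside the company network.

Added example for the thread above; not Mattermost project code.
Assumptions (not from the thread):
  - audit records have fields user_id, ip_address, create_at
    (shape of the constructed sample below);
  - the slash-command request is form-encoded with token and user_id;
  - the internal ranges and the proxy address below are made up.
"""
import hmac
import ipaddress
from typing import Iterable, Mapping, Optional, Tuple

# Constructed configuration: adjust to the real environment.
EXPECTED_TOKEN = "constructed-slash-command-token"
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Addresses of any reverse proxy or load balancer in front of Mattermost. If the
# audit log shows one of these, Mattermost never saw the real client address
# (forwarded-for handling is missing), so the check must fail closed.
PROXY_ADDRESSES = {ipaddress.ip_address("10.0.0.5")}

# Constructed audit entries in the assumed shape; newest entry is not first.
SAMPLE_AUDITS = [
    {"user_id": "alice", "ip_address": "10.20.30.40",  "create_at": 1_600_000_000_000},
    {"user_id": "bob",   "ip_address": "203.0.113.7",  "create_at": 1_600_000_100_000},
    {"user_id": "alice", "ip_address": "198.51.100.9", "create_at": 1_500_000_000_000},
    {"user_id": "carol", "ip_address": "10.0.0.5",     "create_at": 1_600_000_200_000},
    {"user_id": "dave",  "ip_address": "",             "create_at": 1_600_000_300_000},
]


def is_internal(ip: str) -> bool:
    """True only for a parseable address inside one of INTERNAL_NETWORKS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr in PROXY_ADDRESSES:
        return False  # proxy's own address: real client unknown, fail closed
    return any(addr in net for net in INTERNAL_NETWORKS)


def latest_ip(audits: Iterable[Mapping], user_id: str) -> Optional[str]:
    """Most recent non-empty ip_address recorded for user_id, or None."""
    best = None
    for entry in audits:
        if entry.get("user_id") != user_id or not entry.get("ip_address"):
            continue
        if best is None or entry["create_at"] > best["create_at"]:
            best = entry
    return best["ip_address"] if best else None


def command_allowed(form: Mapping[str, str], audits: Iterable[Mapping]) -> Tuple[bool, str]:
    """Decide whether to run the slash command for this request.

    form   - the form fields Mattermost posts to the command URL
    audits - audit records already fetched from the server (sample above)
    """
    # 1. Only accept requests carrying the token Mattermost issued for this command;
    #    constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(form.get("token", ""), EXPECTED_TOKEN):
        return False, "bad token"
    # 2. Resolve the invoking user's most recently recorded address.
    user_id = form.get("user_id", "")
    ip = latest_ip(audits, user_id)
    if ip is None:
        return False, "no address on record for user"
    # 3. Allow only addresses inside the company network.
    if not is_internal(ip):
        return False, f"last seen from {ip}, outside the company network"
    return True, f"ok ({ip})"


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave"):
        print(uid, command_allowed({"token": EXPECTED_TOKEN, "user_id": uid}, SAMPLE_AUDITS))
```

Two caveats a practitioner should keep in mind with this approach. The request that reaches the command URL comes from the Mattermost server, not from the user's browser, so the handler cannot read the client address off the connection; the audit record is the only place the client address is visible, and it records where the user logged in, not where the current request came from. And if Mattermost sits behind a load balancer that does not pass the client address through, every audit entry shows the balancer's own address, which is why the example treats that address as a denial rather than as "internal".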