Regular Team Users can see all other servermembers and can invite them to their team

Betriebsrat · March 12, 2019, 12:57pm

Summary

Different Teams can see all other Mattermost members via “Add new members to team” link. Even worse they can even add other teams members as regular user.

Steps to reproduce

Mattermost 5.8.
Create 2 different teams.
Create a few testaccounts on said teams.
Login with one Testuser.
Click Add members to team.
ALL Users are visible as non privileged user.
ALL User can be invited as non privileged user.

Expected behavior

Teams are meant to seperate Accounts.
A regular User should not have the privilege to see all other server members nor to invite them.

Observed behavior

ALL Users are visible as non privileged user.
ALL User can be invited as non privileged user.

amy.blais · March 12, 2019, 1:10pm

Hi @Betriebsrat,

If you want a team to be private, please go to Team Settings > Allow anyone to join this team > No.

More information about team settings is here: https://docs.mattermost.com/help/settings/team-settings.html.

There are additional team permissions settings in Enterprise Edition: https://docs.mattermost.com/deployment/advanced-permissions.html#team-override-scheme-e20.

Betriebsrat · March 12, 2019, 1:19pm

hi,
thank you but said setting is already set in my test env.
This does NOT prevent a regular user to invite anyone else.
The issue for me is already that teams see each other members, this should not be the case in my opinion, since they are on different teams for a reason.

amy.blais · March 12, 2019, 1:46pm

Hi @Betriebsrat,

Preventing regular users from inviting others to a team can be done with the Enterprise permissions settings.

I will ask our team about the issue of being able to see all members on a server when adding new members to a team, but I’m guessing this would be a “feature request” to change this behaviour.

Betriebsrat · March 12, 2019, 1:57pm

what is the point of teamadmins then for the team edition?
what is the point of creating teams in the first place then, when everybody can do everything basically.
pardon me but that feels like killing basic features to force people into enterprise.

amy.blais · March 12, 2019, 2:41pm

Hi @Betriebsrat,

Here is more information on the role of team admins: https://docs.mattermost.com/help/getting-started/managing-members.html#team-admin.

amy.blais · March 12, 2019, 2:51pm

Hi @Betriebsrat,

I asked our team and the behaviour with seeing all members is expected. Please share this idea on our feature request forum if you want this behaviour changed: https://mattermost.uservoice.com/forums/306457-general. Thank you for your feedback!

Boomacroom · March 6, 2020, 6:08pm

In the config.json file change any to team on the RestrictDirectMessage setting.

“RestrictDirectMessage”: “team”,

Then restart the server

Jacq · April 2, 2020, 1:17pm

That option is also configurable via the GUI and is related to direct messaging not Invite.
The old option for invite is “RestrictTeamInvite”, I say old because it was discontinued officially see here:

However this option is still in the config.json but I do not see effects in the server/clients when changing it.

By the way, related to direct messages, I see that even if you cannot initiate a message with another team member via the client GUI you can always use the direct link (if you know his @user) in: https:////messages/@user