Mattermost, Inc.

Regular Team Users can see all other server members and can invite them to their team

Summary

Different Teams can see all other Mattermost members via the “Add new members to team” link. Even worse, they can even add other teams' members as a regular user.

Steps to reproduce

Mattermost 5.8.
Create 2 different teams.
Create a few test accounts on said teams.
Log in with one test user.
Click Add members to team.
ALL users are visible as a non-privileged user.
ALL users can be invited as a non-privileged user.

Expected behavior

Teams are meant to separate Accounts.
A regular User should not have the privilege to see all other server members nor to invite them.

Observed behavior

ALL users are visible as a non-privileged user.
ALL users can be invited as a non-privileged user.

Hi @Betriebsrat,

If you want a team to be private, please go to Team Settings > Allow anyone to join this team > No.

More information about team settings is here: https://docs.mattermost.com/help/settings/team-settings.html.

There are additional team permissions settings in Enterprise Edition: https://docs.mattermost.com/deployment/advanced-permissions.html#team-override-scheme-e20.

Hi,
Thank you, but said setting is already set in my test env.
This does NOT prevent a regular user from inviting anyone else.
The issue for me is already that teams see each other's members; this should not be the case in my opinion, since they are on different teams for a reason.

Hi @Betriebsrat,

Preventing regular users from inviting others to a team can be done with the Enterprise permissions settings.

I will ask our team about the issue of being able to see all members on a server when adding new members to a team, but I’m guessing this would be a “feature request” to change this behaviour.

What is the point of team admins then for the team edition?
What is the point of creating teams in the first place then, when everybody can do everything basically?
Pardon me, but that feels like killing basic features to force people into enterprise.

Hi @Betriebsrat,

Here is more information on the role of team admins: https://docs.mattermost.com/help/getting-started/managing-members.html#team-admin.

Hi @Betriebsrat,

I asked our team and the behaviour with seeing all members is expected. Please share this idea on our feature request forum if you want this behaviour changed: https://mattermost.uservoice.com/forums/306457-general. Thank you for your feedback!