
Mattermost, Inc.

Users able to join private channel using URL

What is happening:

If a user pastes the URL of a private channel in a public channel in the team, any user who is not a member of private channel is able to click on the link and join that private channel.

Expected:

The same channel should ideally open with a message that you are not allowed access to the channel.

Is the behaviour I’m observing standard behaviour? If so, is there some way I can change it?

Thanks.

@ahmaddanial could you perhaps provide further insight or escalate this? It seems to me, based on just the information in the original message, and the prior experience I have with situations such as this, that there is an instance of improper access control (which, for what it’s worth, can be taken as a security bug as well) due to the fact that it would seem that there is no validation of the logged-in user’s permission to access a given channel.

If this is the case, I would suggest a JSON array of some form, or something like that, of all channel IDs that a given user is allowed to access, and when switching channels, the comparison of the channel ID that the user is attempting to navigate to, against the list of permitted channel IDs. The result would be a True/False statement, True meaning yes the user can access, False indicating permission denied, etc.

Thanks!

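The permission check proposed above, as an added Go example that is not Mattermost's own code: the channel-type constants, the in-memory MembershipStore and the user and channel IDs are assumed stand-ins for the server's real channel and membership tables.

```go
package main

import "fmt"

const ChannelOpen, ChannelPrivate = "O", "P" // public vs private channel (assumed names)

var ErrForbidden = fmt.Errorf("you are not allowed to access this channel")

// MembershipStore is a hypothetical in-memory stand-in for the server's channel and
// membership tables: channel ID -> type, and channel ID -> set of member user IDs.
type MembershipStore struct {
	channelType map[string]string
	members     map[string]map[string]bool
}

// CanViewChannel is the server-side check the thread asks for: the requested channel
// ID is compared against what this user is actually permitted to see, and anything
// not explicitly permitted (including an unknown channel ID) is denied.
func (s *MembershipStore) CanViewChannel(userID, channelID string) bool {
	typ, ok := s.channelType[channelID]
	if !ok {
		return false // unknown channel: deny by default
	}
	// Public channels are open to any team member; private ones require membership.
	return typ == ChannelOpen || s.members[channelID][userID]
}

// OpenChannelFromURL models following a pasted channel link: a non-member of a private
// channel is refused rather than silently joined. Unknown and not-permitted channels get
// the same refusal, so the response does not confirm that a private channel exists.
func (s *MembershipStore) OpenChannelFromURL(userID, channelID string) (string, error) {
	if !s.CanViewChannel(userID, channelID) {
		return "", ErrForbidden
	}
	return fmt.Sprintf("opened %s for %s", channelID, userID), nil
}

// NewSampleStore returns constructed sample data: one public and one private channel.
func NewSampleStore() *MembershipStore {
	return &MembershipStore{
		channelType: map[string]string{"town-square": ChannelOpen, "secret-plans": ChannelPrivate},
		members:     map[string]map[string]bool{"secret-plans": {"alice": true}},
	}
}

func main() {
	_, err := NewSampleStore().OpenChannelFromURL("bob", "secret-plans")
	fmt.Println(err) // bob is not a member, so the link is refused instead of auto-joining
}
```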

@XxLilBoPeepsxX I will have to dig deeper into this before I go escalate this to the team internally.

@sahil7 A couple of questions from my side:

  • Can you confirm specifically which version of Mattermost Server you are running?

  • Also, can you confirm if you are using AD/LDAP to manage channel membership here?

  • If you are on an enterprise license, can you confirm how the channel management section looks for a sample channel that is affected by this issue?

Just to make sure that I am covering all the possible aspects of this behavior. Keep me posted.


I’m personally a bit curious about this one, so I am going to see if I can spin up a new instance to test against if I can get the time soon to do so.