Webhooks for Private Channels


#1

Our mattermost instance locks “integration” creation and configuration to Team Admins. Team admins are a dedicated team in our department. When groups of users want a webhook for an integration to interact with this channel, the team admins review the request and then create one for them, giving them the webhook url.

We’ve run into an issue with teams that want incoming webhooks to private channels. In order for the admin to create the webhook, they must first be invited to the channel. Once created the webhook will continue to function as long as the admin stays in the channel. If the admin leaves the channel, the webhook will stop functioning. It would appear this is intended: https://github.com/mattermost/mattermost-server/blob/ae891321ad2e4b07e4f77b252379cb998607c687/app/webhook.go#L660-L662

// app/webhook.go#L660-L662

if channel.Type != model.CHANNEL_OPEN && !a.HasPermissionToChannel(hook.UserId, channel.Id, model.PERMISSION_READ_CHANNEL) {
	return model.NewAppError("HandleIncomingWebhook", "web.incoming_webhook.permissions.app_error", nil, "", http.StatusForbidden)
}

This also has the problem of people leaving the company. If a team admin who created 100 webhook integrations during their employment term leaves the company, all of these webhooks would stop functioning as soon as we disable their account during the separation process.

I propose the following: Scope webhooks to channels instead of to users. In addition to (or perhaps replacing) team-wide webhooks, Channel Admins should be able to manage integrations for their channels. I believe this would alleviate the issues we are experiencing and I think many would find this useful. Is there an existing workaround for this that I’ve overlooked? Should I make this into a full-blown feature request?