limit autocompleting names in private channels to those in the channel #2588

Closed
sinteur opened this issue Mar 22, 2016 · 45 comments

@sinteur

sinteur commented Mar 22, 2016

When you're in a private channel and start to type @name... it attempts to autocomplete, but it will include names of people NOT in the channel. If you're using private channels for conversations with customers, this leaks info on other customers (or employees)

@geekgonecrazy
Contributor

@sinteur I hadn't thought of this use case. Good one though. Also you can't invite on mention... so there really isn't a need to mention anyone outside the channel.

@engelgabriel
Member

There is... if you want to say: talk to @sampaiodiego, for example.

@sinteur
Author

sinteur commented Mar 22, 2016

That's my point. It shouldn't. See use case I mentioned

@engelgabriel
Member

I agree it should not leak (not send an alert to the person), but the autocomplete should still work.

@engelgabriel engelgabriel added this to the 0.25.0 milestone Mar 22, 2016
@sinteur
Author

sinteur commented Mar 22, 2016

Leaking is often unintended and not to the person mentioned, but to the other customers in the channel.

Suppose I am talking to several bankers and I accidentally autocomplete @bankerjoker when I meant to autocomplete @bankerjones - where bankerjoker is a competitor and bankerjones, who IS in the current channel, should not know that.

@sampaiodiego
Member

If a user has access to a private channel, he'll have access to any person on the chat... am I wrong?

@sinteur
Author

sinteur commented Mar 22, 2016

Again: auto complete makes me leak info about people who are NOT in the channel TO the people who ARE.

@sampaiodiego
Member

But everyone in the channel can talk to anyone in the server. There is no such limitation.

@sinteur
Author

sinteur commented Mar 22, 2016

How, if they don't know the other person is on the server? And if they CAN know, they shouldn't, or RocketChat is unusable as a way to talk to customers.

@engelgabriel
Member

OK, this is a specific use case. We should create a special type of users, like "guests" that have much more limited permissions, so that they cannot mention anyone outside their channels.

@sinteur
Author

sinteur commented Mar 22, 2016

It's not the guests who make the auto-complete error....

@engelgabriel
Member

So you want a special setting on rooms so no member is allowed to mention non members?

@sinteur
Author

sinteur commented Mar 22, 2016

Well - at least leave them out of the autocomplete - if that only works by forbidding the entire @name string, I will live with that. And even better if I can make that the default

@engelgabriel
Member

We have discussed, and will work on that in the next week or two.

@mickeyclausen

+1

@marceloschmidt marceloschmidt removed this from the 0.27.0 milestone Apr 18, 2016
@engelgabriel engelgabriel modified the milestones: 0.49.0, 0.48.0 Dec 14, 2016
@engelgabriel engelgabriel modified the milestones: 0.50.0, 0.49.0 Jan 4, 2017
@akachapati

+1

@andersonluciano

+1

@engelgabriel engelgabriel modified the milestones: 0.50.0, Short-term Jan 24, 2017
@Jannibal

+1

@MaksymRybak

Yes, guys. It's very useful also for our team.
Thank you very much.

@linksilver

linksilver commented Feb 15, 2017

Do you know when it will be released? (approximately)

@ryran

ryran commented Apr 14, 2017

@engelgabriel said:

We will create 3 new permissions:

  1. Can mention @ALL
  2. Can mention everyone in server
  3. Can mention only users in channel

You will be able to add/remove from the guest or default user role as you wish.

Would that cover all use cases?

IMHO, no. The current behavior makes no sense to me for private channels. Currently, I'm in a private channel with 4 users and only one of their names starts with jh. I type jh<Tab> and it auto-completes the name of someone else in our org ... what ... the heck.

@sinteur
Author

sinteur commented Apr 14, 2017

You're looking at this from the user point of view. Look at it from a channel point of view. If you ONLY create these permissions, somebody with permission 2 can still accidentally leak info in a private channel. In a private channel 3 should be the default (and since @ALL means all in channel that would be allowed too) and in public channels somebody might have an extra privilege which would include 2
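
The channel-first policy argued for in the comment above, sketched as server-side logic. This is an added example, not part of the thread and not Rocket.Chat's code or the implementation in PR #7830; the permission names, data shapes and function names are hypothetical, and the sample users and rooms are constructed.

```javascript
// Added example; every name here is hypothetical, none is a Rocket.Chat API.
// Holding neither permission means "can mention only users in channel".
const PERM = { ALL: 'mention-all', SERVER: 'mention-server' };

// Constructed sample data, reusing usernames that appear in the thread.
const directory = ['bankerjoker', 'bankerjones', 'sinteur', 'ryran'];
const rooms = {
  deal:   { type: 'private', members: ['sinteur', 'bankerjones'] },
  lounge: { type: 'public',  members: ['sinteur', 'ryran'] },
};

// Room type decides first: a private room is members-only even when the
// requester holds the server-wide permission.
function mentionPool(room, perms) {
  const serverWide = room.type !== 'private' && perms.has(PERM.SERVER);
  return serverWide ? directory : directory.filter((u) => room.members.includes(u));
}

// Runs on the server, so out-of-scope usernames never reach the client.
function suggestMentions(roomId, requester, perms, prefix) {
  const room = rooms[roomId];
  if (!room || !room.members.includes(requester)) return [];
  const p = prefix.toLowerCase();
  const hits = mentionPool(room, perms)
    .filter((u) => u !== requester && u.startsWith(p))
    .sort();
  if (perms.has(PERM.ALL) && 'all'.startsWith(p)) hits.push('all');
  return hits;
}

// Enforced again at send time: a hand-typed @name outside the pool stays
// plain text and produces no notification.
function resolveMentions(roomId, requester, perms, text) {
  const room = rooms[roomId];
  if (!room || !room.members.includes(requester)) return { notify: [], plain: [] };
  const pool = new Set(mentionPool(room, perms));
  const allowed = (n) => pool.has(n) || (n === 'all' && perms.has(PERM.ALL));
  const names = [...new Set([...text.matchAll(/@([\w.-]+)/g)].map((m) => m[1].toLowerCase()))];
  return { notify: names.filter(allowed), plain: names.filter((n) => !allowed(n)) };
}
```

Filtering in the suggestion query rather than in the client is what keeps non-member names out of the response body, and the send-time check covers names typed without autocomplete.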

@ryran

ryran commented Apr 19, 2017

If the 3rd option really is automatically applied for private channels, then yes, this would make things work more how I think most people would expect. However, one should not have to edit channel settings or user roles to achieve this.

@Ulrar

Ulrar commented Jun 7, 2017

Same thing, there are 6 of us in a private channel, all our usernames start with the same prefix (for the company name) and we just keep HL-ing people out of the channel for no reason.
The leaking use case is interesting but of no concern to us, as only our company has accounts anyways, our use case is purely just to avoid HLing random people that have nothing to do with the current discussion and cannot even join the current channel.

I think it would make a lot more sense, at least in private channels, to only auto-complete on people who have access rights to join, or something like that.

@localguru
Contributor

Is anything going on here?

@stevenhfotofix

stevenhfotofix commented Jul 20, 2017

I have observed some pull requests for things similar to this - but nothing directly yet. We are still on 0.38.0 due to security concerns by not having this feature. Lots of unprivileged users (commission work) we don't want to get access to the name of everyone on the chat system - just direct message to our employees who manage them.

Really need this feature added!

@rzemykers

+1

@gdelavald
Contributor

This issue was solved by PR #7830 so I'll close the issue, if anyone has opinions or any problem with the implementation, please open a new issue.

@theorenck theorenck removed this from the Short-term milestone Apr 25, 2018