Rocket.chat: limit autocompleting names in private channels to those in the channel

Created on 22 Mar 2016 · 45 comments · Source: RocketChat/Rocket.Chat

When you're in a private channel and start to type @name... it attempts to autocomplete, but it will include names of people NOT in the channel. If you're using private channels for conversations with customers, this leaks info on other customers (or employees).

security, ux, improvement

All 45 comments

@sinteur I hadn't thought of this use case. Good one though. Also you can't invite on mention... so there really isn't a need to mention anyone outside the channel.

There is, if you want to say "talk to @sampaiodiego", for example.

That's my point. It shouldn't. See use case I mentioned

I agree it should not leak (not send an alert to the person), but the autocomplete should still work.

Leaking is often unintended, and not to the person mentioned but to the other customers in the channel.

Suppose I am talking to several bankers and I accidentally autocomplete @bankerjoker when I meant to autocomplete @bankerjones, where bankerjoker is a competitor, and bankerjones, who IS in the current channel, should not know that.

If a user has access to a private channel, he'll have access to any person on the chat. Am I wrong?

Again: autocomplete makes me leak info about people who are NOT in the channel TO the people who ARE.

But everyone in the channel can talk to anyone in the server. There is no such limitation.

How, if they don't know the other person is on the server? And if they CAN know, they shouldn't, or RocketChat is unusable as a way to talk to customers.

OK, this is a specific use case. We should create a special type of users, like "guests" that have much more limited permissions, so that they cannot mention anyone outside their channels.

It's not the guests who make the auto-complete error....

So you want a special setting on rooms so no member is allowed to mention non members?

Well, at least leave them out of the autocomplete. If that only works by forbidding the entire @name string, I will live with that. And even better if I can make that the default.

We have discussed, and will work on that in the next week or two.

+1

+1

+1

+1, this should apply to Direct Messages as well. It is the only thing holding us back from launching a large number of "guest" users on our system (freelance workers who can only respond to Direct Messages, not being able to initiate any, or join any channel), but right now, even in a direct message chat, they get access to everyone's name using the @ list.

@stevenhfotofix consider maybe using the guest role for these users? I think this would lock them down to not be able to see any user not in the channel.

I keep staring at screens and not seeing it. Where do I assign roles to a user?

@sinteur it's not the most obvious, unfortunately. During user creation there is an option to select the role. Otherwise go to the permissions, select the little edit icon next to the guest user:

[screenshot 2016-06-25 at 12:48:10 pm]

Then add the user here. You'll need to remove the user role if they have that role also.

[screenshot 2016-06-25 at 12:48:53 pm]

This will lock users to the channel / direct message they were invited to, and they shouldn't be able to list other users.

Ah. That's indeed not obvious. And since our clients self-register, that's quite a headache.

Could somebody fix this please?? This is a major security hole...

@geekgonecrazy They are on the guest role already, but last I checked, it did not limit them at all. I mentioned that in my comment by calling them "guest" members. I will update to the latest version and verify though.

This is still an issue in 0.38.0. Yahoo Messenger shut down today, and we are hoping to migrate a large number of users to our Rocket.Chat install, but we can't, because they will have access to names we don't want them to see. Please take a look at this again.

To demonstrate, I've created a new user with only the guest role, verified in the database that this is indeed the only role, invited it to a private channel, and it can auto-complete names not in the channel. See screenshots.

[screenshot 2016-09-14 at 15:57:14]
[screenshot 2016-09-14 at 15:59:05]

+1

+1 again

So we FINALLY will start the work on this one.

We will create 3 new permissions:

  1. Can mention @all
  2. Can mention everyone in server
  3. Can mention only users in channel

You will be able to add/remove from the guest or default user role as you wish.

Would that cover all use cases?

Those would work for us, for sure! Very excited and grateful!!

Yeah, it will be nice! Thanks!

+1

+1

+1

+1

Yes, guys. It's very useful for our team also.
Thank you very much.

Do you know when it will be released? (approximately)

@engelgabriel said:

We will create 3 new permissions:

  1. Can mention @all
  2. Can mention everyone in server
  3. Can mention only users in channel

You will be able to add/remove from the guest or default user role as you wish.

Would that cover all use cases?

IMHO, no. The current behavior makes no sense to me for private channels. Currently, I'm in a private channel with 4 users and only one of their names starts with "jh". I type jh<Tab> and it auto-completes the name of someone else in our org... what... the heck.

You're looking at this from the user point of view. Look at it from a channel point of view. If you ONLY create these permissions, somebody with permission 2 can still accidentally leak info in a private channel. In a private channel, 3 should be the default (and since @all means all in the channel, that would be allowed too), and in public channels somebody might have an extra privilege which would include 2.
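
The two comments above (engelgabriel's three-permission proposal and sinteur's point that private channels must restrict to members regardless of the user's server-wide permission) can be combined into one candidate filter. The following is an added example, not Rocket.Chat's own code or the implementation from PR #7830; the permission names, the role table, the room shape (`t` of `'c'`, `'p'` or `'d'` plus a `usernames` list) and the sample users are all assumptions constructed for the example.

```javascript
// Added example (not Rocket.Chat's own code): filter @-mention autocomplete
// candidates by room membership plus the three-permission model from the thread.
// Permission names, the role table, room shape and sample data are assumptions.

const PERM_MENTION_ALL = 'mention-all';              // 1. can mention @all
const PERM_MENTION_SERVER = 'mention-everyone';      // 2. can mention everyone on the server
const PERM_MENTION_CHANNEL = 'mention-channel-only'; // 3. can mention only users in the channel

// Assumed role -> permission table (would be admin-editable in a real deployment).
const rolePermissions = {
  admin: [PERM_MENTION_ALL, PERM_MENTION_SERVER, PERM_MENTION_CHANNEL],
  user: [PERM_MENTION_CHANNEL],
  guest: [PERM_MENTION_CHANNEL],
};

// Constructed sample directory and rooms. room.t: 'c' public, 'p' private, 'd' direct message.
const USERS = [
  { username: 'bankerjones', roles: ['user'] },
  { username: 'bankerjoker', roles: ['user'] },
  { username: 'sampaiodiego', roles: ['admin'] },
  { username: 'sinteur', roles: ['user'] },
  { username: 'noperms', roles: [] },
];
const PRIVATE_ROOM = { t: 'p', usernames: ['sinteur', 'bankerjones'] };
const PUBLIC_ROOM = { t: 'c', usernames: ['sinteur', 'bankerjones', 'sampaiodiego'] };
const ADMIN = USERS[2];   // holds all three permissions
const MEMBER = USERS[3];  // holds only the channel-scoped permission
const NOPERMS = USERS[4]; // holds no mention permission at all

function hasPermission(user, perm) {
  return user.roles.some((role) => (rolePermissions[role] || []).includes(perm));
}

// Usernames (plus 'all' where allowed) the actor may be offered when autocompleting
// `prefix` inside `room`. Rule from the thread: in private rooms and DMs only members
// are ever offered; the server-wide permission only widens the pool in public channels.
function mentionCandidates(actor, room, prefix, directory = USERS) {
  const canChannel = hasPermission(actor, PERM_MENTION_CHANNEL);
  const canServer = hasPermission(actor, PERM_MENTION_SERVER);
  const candidates = [];

  if (canChannel || canServer) {
    // Membership is enforced by room type first, by permission second.
    const membersOnly = room.t !== 'c' || !canServer;
    const pool = membersOnly
      ? directory.filter((u) => room.usernames.includes(u.username))
      : directory;
    for (const u of pool) {
      if (u.username !== actor.username && u.username.startsWith(prefix)) {
        candidates.push(u.username);
      }
    }
    candidates.sort();
  }

  // @all addresses only the room's own members, so offering it leaks nothing.
  if (hasPermission(actor, PERM_MENTION_ALL) && 'all'.startsWith(prefix)) {
    candidates.unshift('all');
  }
  return candidates;
}
```

The check that matters for the leak described in the issue is the `membersOnly` line: an admin with the server-wide permission still only sees `bankerjones` (not `bankerjoker`) when typing `banker` in `PRIVATE_ROOM`, while the same admin in `PUBLIC_ROOM` is offered both. A user holding none of the three permissions gets an empty list, which is the "forbid the entire @name string" fallback sinteur said he could live with.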

If the 3rd option really is automatically applied for private channels, then yes, this would make things work more how I think most people would expect. However, one should not have to edit channel settings or user roles to achieve this.

Same thing: there are 6 of us in a private channel, all our usernames start with the same prefix (for the company name), and we just keep HL-ing people outside the channel for no reason.
The leaking use case is interesting but of no concern to us, as only our company has accounts anyway; our use case is purely to avoid HL-ing random people that have nothing to do with the current discussion and cannot even join the current channel.

I think it would make a lot more sense, at least in private channels, to only auto-complete on people who have access rights to join, or something like that.

Is anything going on here?

I have observed some pull requests for things similar to this, but nothing directly yet. We are still on 0.38.0 due to security concerns from not having this feature. We have lots of unprivileged users (commission work) we don't want to get access to the names of everyone on the chat system, just direct messages to our employees who manage them.

Really need this feature added!

+1

This issue was solved by PR #7830, so I'll close the issue. If anyone has opinions or any problem with the implementation, please open a new issue.
