
Major Bug or by design?

Hello Community. I am checking out RocketChat for the first time. I’m trying to decide between RocketChat and Mattermost. While poking around and getting familiar with RocketChat, I may have found a major bug. Please advise.

Description

A normal user with only user permissions is allowed to create a Private Team without the Administrator being able to discover, view, join, or maintain it!

Server Setup Information

  • Version of Rocket.Chat Server: 4.2.2
  • Operating System: Ubuntu 20.04.3
  • Deployment Method: manual
  • Number of Running Instances: 1
  • DB Replicaset Oplog: 4.4.10 / wiredTiger (oplog Enabled)
  • NodeJS Version: v12.22.8
  • MongoDB Version: 4.4.10 / wiredTiger (oplog Enabled)
  • Proxy: apache
  • Firewalls involved:

Any additional Information

  • Newly installed RocketChat server.
  • Permissions settings: create-team user is set as default.

How to Recreate

This assumes that the user's permissions include create-team (in my instance, this defaulted to true after install).

  1. Create a normal user.
  2. Login as user.
  3. Click Create New button, select Team.
  4. Choose to make Team private. Do not add Admin user to Team.
  5. Logout of normal user and login with user with Admin privilege.
  6. The user-created Team…
    • does not show up in Teams list for Admin.
    • is not discoverable.
    • does not show up in the Administration console under #Rooms section.

This flaw appears to allow a normal user to take over a server with Private Teams, Channels, Rooms, etc… without an Administrator's oversight or knowledge that these channels exist.

Thanks all.

Hi! Welcome to our forums!!

Hope you choose Rocket.Chat :wink:

I believe this is by design.

We have a very powerful and robust permissions system (Admin > Permissions), and once a regular user has the create-team and create private channel permissions, they can do it.

You can avoid this by setting permissions accordingly.

By default, a regular user can create both teams and private channels.

The idea is to be very flexible and be able to support different scenarios, including when users can create their teams and private channels as they wish.

Let me know if you have any other doubts and feel free to ping me on our open server:

Happy new year!! :champagne:

Thanks for the feedback. I wonder if having this as a default setting is wise. I can see this catching Admins off guard. Users come and go; as an Admin, how would I know to clean, audit, archive, and maintain my server if I don’t even know teams and channels of former users exist? Is there a way for Admins to auto-join created teams/channels?

I love the flexibility though. Playing around with the permissions settings allows me to work around this. I do appreciate the flexibility (unlike Mattermost). Looking forward to learning more about Rocket.Chat.

Thanks again and Happy new year!

As an admin, you can go to:

Admin > Rooms

find the private room created by a user. You can delete it.
Or you can disable the private property. And then just join it :sunglasses:

AFAIK, there is no built-in way to auto-add admins into newly created private channels.

However, with the flexibility Rocket.Chat provides, you can easily create some scripts to accomplish that :slight_smile:

Bear in mind that for conversations with E2E enabled, not even the admin will be able to read them. For better or for worse :slight_smile:
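One way to turn the Admin > Rooms listing into a recurring audit, as an added example that is not part of this thread or of Rocket.Chat's own code: it pages through the admin room listing over the REST API and reduces private rooms to creator, team flag, member count and E2E flag, so an admin notices private teams and channels they are not a member of. The endpoint path, header names and room-document fields are assumptions from the Rocket.Chat REST API as I know it; the sample page is constructed.

```python
import json
import urllib.request

# Assumed Rocket.Chat REST endpoint behind the Admin > Rooms listing (requires admin
# permissions); check it against the API reference for your server version.
ADMIN_ROOMS_ENDPOINT = "/api/v1/rooms.adminRooms"


def fetch_admin_rooms(base_url, user_id, auth_token, page_size=100):
    """Page through the admin room listing with an admin's REST credentials."""
    rooms, offset = [], 0
    while True:
        url = f"{base_url}{ADMIN_ROOMS_ENDPOINT}?count={page_size}&offset={offset}"
        req = urllib.request.Request(
            url, headers={"X-User-Id": user_id, "X-Auth-Token": auth_token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        rooms.extend(page.get("rooms", []))
        offset += page_size
        if offset >= page.get("total", 0):
            return rooms


def private_room_inventory(rooms):
    """Keep only private groups (t == 'p'), including team main rooms, and reduce each
    to the fields an admin needs to decide whether to join, archive or delete it."""
    report = []
    for room in rooms:
        if room.get("t") != "p":  # 'c' public channel, 'd' DM and 'l' livechat are skipped
            continue
        report.append({
            "name": room.get("fname") or room.get("name"),
            "creator": room.get("u", {}).get("username"),
            "is_team": bool(room.get("teamMain")),   # main room of a team
            "encrypted": bool(room.get("encrypted")),  # E2E: admin cannot read history
            "members": room.get("usersCount", 0),
        })
    return sorted(report, key=lambda r: r["name"])


# Constructed sample shaped like one rooms.adminRooms page; not real server output.
SAMPLE_PAGE = {"rooms": [
    {"_id": "r1", "t": "c", "name": "general", "u": {"username": "admin"}, "usersCount": 12},
    {"_id": "r2", "t": "p", "name": "shadow-team", "fname": "Shadow Team", "teamMain": True,
     "u": {"username": "alice"}, "usersCount": 3},
    {"_id": "r3", "t": "p", "name": "secret-chat", "encrypted": True,
     "u": {"username": "bob"}, "usersCount": 2},
], "total": 3, "count": 3, "offset": 0}

if __name__ == "__main__":
    for row in private_room_inventory(SAMPLE_PAGE["rooms"]):
        print(row)
```

Running it against a live server means calling `fetch_admin_rooms` with a personal access token of an admin account and feeding the result to `private_room_inventory`; on 4.2.2 the thread notes the listing UI was broken, so compare the API output with what the Rooms page shows.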

Hmmm… This is why I thought it was a bug. I am unable to discover users’ private channels. They do not show up in the Rooms Admin.

You may be right on this one.

I just tested the rooms list UI, and something is broken there in the filtering feature. I can see, for example, that the teams came from the API, but they’re not showing in the list:

I’ll do some more tests, and check if there isn’t already an open issue or PR at our github for that.

FWIW, we have been changing a lot of the UI components recently to React, and some UI issues are expected and are being fixed really fast.


Any updates? Did you find an outstanding issue on this? Any workarounds other than disabling Team/Channel creation for Users? Thanks again for your attention!

Hi!

I think we are talking about different things :slight_smile:
There was a bug for filtering rooms in admin > rooms.

This is now fixed on latest 4.3.1 already:

Now you can filter and edit rooms, teams, and others.

But I think this will fix your issue.

You can let users create teams, and inspect whether they are creating any in the Admin > Rooms UI.

Or you can deny them this permission in Admin > Permissions.

Thanks!!


The latest 4.3.1 has fixed the Issue as described in the thread. An Admin account can now see all Private Teams and Channels created by regular User accounts while in the Administration page (console).

I’d like to give my appreciation to all Rocket.Chat devs and contributors who work to bring us this awesome app. Thanks a ton!

As a side note, is there a link or a place we can go to donate to the project?


Thank you a lot! We really appreciate it!

Hopefully this will bring closure to your platform evaluation and decision :wink:

You can sponsor our project here: Sponsor @RocketChat on GitHub Sponsors · GitHub

Thank you again!!