REST API Access with admin Capabilities


#1

I am experimenting with the REST APIs in my installation, and I am encountering some drawbacks - not sure if they are as per design intent, or whether there are some workarounds possible: When authenticated to the REST APIs using an administrator account, I see that some expected admin capabilities are not present - for example, the admin access is not able to get the room ID of a private group when the room name is known (using the groups.info API call). It works if the admin account is a member of the group.

Background:

I am trying to get the ‘Direct Reply’ e-mail feature to work in my installation. We use Microsoft Exchange Server for our e-mail, and it unfortunately does not directly support sub-addressing. Placing third-party DLLs to activate subaddressing is out of question in our installation, and I am trying to write my own script using the REST APIs to achieve this functionality.

My current version of the script is able to connect to our IMAP server using the same account that is used to send notification e-mails via SMTP to offline / away users. Since I have disabled ‘Direct Reply’ (due to absence of subaddressing support), any reply to the notification goes to the mailbox of the account accessed by my script.

After downloading the e-mails, I was planning to use the information from the sender’s email ID and the subject line to look up the appropriate group / channel / IM, and place the relevant e-mail contents in that conversation (using the admin account). I imagine that in the worst-case, I can ensure that the admin account is part of every private group and channel (by providing directives to users who create the private groups and channels to include the admin for enabling our custom ‘direct reply’ feature), but, I would prefer not to have to do that. In addition, this approach will not work for direct DMs between two user accounts since the admin is not a part of that conversation.

I can’t think of any real security implications in allowing the admin account to have this type of control over the installation. With admin privileges, it is possible to actually query the backend database and glean the required information and also perform some modifications - so I am not sure why getting conversation details / updating them using the APIs is not possible currently.

Is this approach of using an external e-mail processing script to enable ‘Direct Replies’ not advisable? Are there any alternatives to this, given the lack of subaddressing support in MS Exchange Server?
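As an added example (not the poster's script and not the chat platform's own code), here is the parsing and lookup step of the workflow described above in Python: it takes a downloaded reply, extracts the sender address and the target room from the subject line, drops the quoted notification text, and only builds a message for the admin account to post once the sender maps to a known user and the room name resolves to a room ID. The `[Chat]` subject format, the two injected lookups (user by e-mail, room ID by name via a `groups.info`-style call) and the sample message are assumptions; the sender check is there because the From header of an inbound reply is not authenticated.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Callable, Optional

# Constructed sample: a user's reply to a notification e-mail (not from the post).
SAMPLE_REPLY = """From: Alice Example <alice@example.test>
Subject: Re: [Chat] New message in #project-alpha
Content-Type: text/plain; charset=utf-8

Thanks, I will look into it.

On Mon, 1 Jan 2024, Chat wrote:
> original notification text
"""

# Assumed subject format of the notification e-mail; adjust to your own template.
SUBJECT_RE = re.compile(r"^(?:re:\s*)*\[chat\]\s+new message in #(?P<room>[\w.-]+)\s*$", re.I)
QUOTE_START_RE = re.compile(r"^On .* wrote:\s*$")


def parse_reply(raw: str) -> dict:
    """Extract sender address, target room name and the unquoted reply text."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"] or ""))
    m = SUBJECT_RE.match(str(msg["Subject"] or ""))
    if not sender or not m:
        raise ValueError("not a reply to a notification e-mail")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    kept = []
    for line in body.splitlines():
        if QUOTE_START_RE.match(line) or line.startswith(">"):
            break  # everything from here on is the quoted notification
        kept.append(line)
    return {"sender": sender.lower(), "room": m["room"], "text": "\n".join(kept).strip()}


def build_post(reply: dict, user_by_email: Callable[[str], Optional[str]],
               room_id_by_name: Callable[[str], Optional[str]]) -> Optional[dict]:
    """Map a parsed e-mail onto a chat message for the admin account to send.
    Both lookups are injected so the REST calls stay outside this module.
    Returns None if the sender is not a known user, or if the room cannot be
    resolved (as the post notes, groups.info fails when the admin is not a member)."""
    username = user_by_email(reply["sender"])
    if username is None:
        return None
    room_id = room_id_by_name(reply["room"])
    if room_id is None:
        return None
    return {"roomId": room_id, "text": f"*{username}* (via e-mail): {reply['text']}"}
```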