[RFC] Restrict who is able to join a team #6943
Comments
Hi @Ppjet6 - I think we used to have this on the teams and some of the old code is still there. We moved it to be a server wide setting, so if we want to add it back for teams as well I think the things to think about would be the things you already mentioned:
Sounds like you're already discussing some of it with @jasonblais, so I think this would be a good one to work closely with him on to figure out what the behaviour should be.
Is it reasonable to make it so if the global configuration exists, it is enforced and it works as it works now, but if the per-team alloweddomains setting exists, it overrides the global setting?
Thanks, we can track via the PR so I'll close this off here for now.
Summary
This is a feature request.
Anybody who gets an invite link to a team can join the team. That means a link could get leaked and anybody would be able to access that team.
For context, we use Mattermost in combination with Phabricator as the OAuth server, so people already need an account on our Phabricator instance to be able to log in. This also enables us to invite customers that already have access there to join the Mattermost instance. Any customer that has access to an invite link, though (however they get it), will be able to join a team even if they're not supposed to.
Steps to reproduce
On version 4.0
Expected behavior
The administrator or the team creator should be able to control who can join the team.
Observed behavior
Joining a team is not restricted.
Possible fixes
Apparently there is already an AllowedDomains property on the team model. I suppose this is what it was going to be used for, but I don't see much code for it. That could probably be used in app/team.go in joinUserToTeam. I am not sure though what should be the behaviour wrt. the restrictCreationToDomains option.
Is there anything I should be aware of before implementing this? Any tips?
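A sketch of the override semantics asked about in the comments (a per-team allow-list replaces the global one when set), added here as an illustration and not taken from the Mattermost code base. The function names `canJoinTeam`, `parseDomains` and `emailDomain`, and the comma- or space-separated list format, are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// parseDomains lower-cases each entry and drops a leading "@" and empty entries.
func parseDomains(list string) []string {
	var out []string
	for _, f := range strings.FieldsFunc(list, func(r rune) bool { return r == ',' || r == ' ' }) {
		if d := strings.ToLower(strings.TrimPrefix(f, "@")); d != "" {
			out = append(out, d)
		}
	}
	return out
}

// emailDomain returns the lower-cased text after the last "@", or "" if malformed.
func emailDomain(email string) string {
	i := strings.LastIndex(email, "@")
	if i <= 0 || i == len(email)-1 {
		return ""
	}
	return strings.ToLower(email[i+1:])
}

// canJoinTeam applies the team list if set, otherwise the global list. The team
// list replaces the global one, so it can admit domains the global list excludes.
func canJoinTeam(email, teamAllowed, globalAllowed string) bool {
	allowed := parseDomains(teamAllowed)
	if len(allowed) == 0 {
		allowed = parseDomains(globalAllowed)
	}
	if len(allowed) == 0 {
		return true // no restriction configured at either level
	}
	domain := emailDomain(email)
	for _, d := range allowed {
		if domain == d { // exact match: a suffix test would admit "notcorp.example"
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample addresses and domains.
	fmt.Println(canJoinTeam("bob@customer.example", "customer.example", "corp.example"))
	fmt.Println(canJoinTeam("eve@notcorp.example", "", "corp.example"))
}
```

The check only means something if the email address is one the identity provider has verified; a self-asserted address would pass it trivially.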