docs: Update bots security model. #8117
Comments
|
Hello @zulip/server-api members, this issue was labeled with the area: documentation (api and integrations) label, so you may want to check it out! |
|
@rishig is this resolved? |
|
It's not. The current model seems kind of broken though; e.g. outgoing webhooks can see all public stream messages, but can't see private stream messages even if they are subscribed? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This section should be updated to clarify what the various kinds of bots can and can't do, and e.g. make it clear that a bot created by a user cannot do anything that the user cannot:
https://zulip.readthedocs.io/en/latest/production/security-model.html#users-and-bots
We'll also eventually want a /help doc about this once #7908 is complete, but that can be followup.
@showell fyi. We found out an admin of a realm forbade all bots out of confusion over this point (they suspected the bots might be allowing people to gather private information they otherwise didn't have access to).
The text was updated successfully, but these errors were encountered: