Regular Team Users can see all other server members and can invite them to their team

Summary

Different Teams can see all other Mattermost members via the “Add new members to team” link. Even worse, they can even add other teams' members as regular users.

Steps to reproduce

Mattermost 5.8.
Create 2 different teams.
Create a few test accounts on said teams.
Login with one test user.
Click Add members to team.
ALL users are visible as a non-privileged user.
ALL users can be invited as a non-privileged user.

Expected behavior

Teams are meant to separate accounts.
A regular user should not have the privilege to see all other server members, nor to invite them.

Observed behavior

ALL users are visible as a non-privileged user.
ALL users can be invited as a non-privileged user.

Hi @Betriebsrat,

If you want a team to be private, please go to Team Settings > Allow anyone to join this team > No.

More information about team settings is here: https://docs.mattermost.com/help/settings/team-settings.html.

There are additional team permissions settings in Enterprise Edition: https://docs.mattermost.com/deployment/advanced-permissions.html#team-override-scheme-e20.

Hi,
Thank you, but said setting is already set in my test env.
This does NOT prevent a regular user from inviting anyone else.
The issue for me is already that teams can see each other's members; this should not be the case in my opinion, since they are on different teams for a reason.

1 Like

Hi @Betriebsrat,

Preventing regular users from inviting others to a team can be done with the Enterprise permissions settings.

I will ask our team about the issue of being able to see all members on a server when adding new members to a team, but I’m guessing this would be a “feature request” to change this behaviour.

What is the point of team admins then for the Team Edition?
What is the point of creating teams in the first place then, when everybody can do everything, basically?
Pardon me, but that feels like killing basic features to force people into Enterprise.

2 Likes

Hi @Betriebsrat,

Here is more information on the role of team admins: https://docs.mattermost.com/help/getting-started/managing-members.html#team-admin.

Hi @Betriebsrat,

I asked our team and the behaviour with seeing all members is expected. Please share this idea on our feature request forum if you want this behaviour changed: https://mattermost.uservoice.com/forums/306457-general. Thank you for your feedback!

In the config.json file, change "any" to "team" on the RestrictDirectMessage setting.

"RestrictDirectMessage": "team",

Then restart the server.

1 Like
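A small audit of the setting described in the post above, added here as an example and not code from the thread or from Mattermost itself; it assumes the key lives under TeamSettings as in the documented config.json layout, and the sample config is constructed.

```python
import json

# Constructed fragment of a Mattermost config.json (assumed layout:
# TeamSettings.RestrictDirectMessage); values are made up for this example.
SAMPLE_CONFIG = """
{
  "TeamSettings": {
    "RestrictDirectMessage": "any"
  }
}
"""


def audit_direct_messages(config_text):
    """Return findings for the direct-message restriction.

    An empty list means direct messages are restricted to team members.
    A missing key is treated as "any" (the permissive default).
    """
    cfg = json.loads(config_text)
    team = cfg.get("TeamSettings", {})
    value = team.get("RestrictDirectMessage", "any")
    findings = []
    if value != "team":
        findings.append(
            f"RestrictDirectMessage is {value!r}; set it to 'team' so users "
            "can only message members of teams they share"
        )
    return findings


def harden(config_text):
    """Return a copy of the config with RestrictDirectMessage set to 'team'."""
    cfg = json.loads(config_text)
    cfg.setdefault("TeamSettings", {})["RestrictDirectMessage"] = "team"
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for finding in audit_direct_messages(SAMPLE_CONFIG):
        print("finding:", finding)
    print(harden(SAMPLE_CONFIG))
```

Run it against a real config.json by reading the file into the audit function; restart the server after applying the change, as the post says.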

That option is also configurable via the GUI and is related to direct messaging, not invites.
The old option for invites is “RestrictTeamInvite”; I say old because it was discontinued officially, see here:


However, this option is still in the config.json, but I do not see any effect in the server/clients when changing it.

By the way, related to direct messages, I see that even if you cannot initiate a message with another team member via the client GUI, you can always use the direct link (if you know his @user) at: https:////messages/@user

Hi,

I am OK that regular users can invite others by email. However, I do not want users to see other users on other teams if they don't share a team. Currently, when pressing “Invite members” and I start writing, I can see all people on the server (on other teams) with their names. I thought the Team / Workspace would be more isolated. This behaviour feels as if there is user information leakage.

1 Like

If you need that much separation between users and want to prevent any information leakage, the best way to do that is with multiple Mattermost instances.