Description:
We're trying to set up user accounts for our customers and other external partners that will provide them with only very limited access to our Rocket Chat instance. To be precise, the only permission we'd like to grant to these users is `view-p-room`, i.e. they can just see the channels we've invited them to, and nothing else.
Unfortunately, within a private group, the Add users button in the top-right corner is still accessible to these restricted user accounts. Any attempts to actually invite users to the group are being rejected (rightfully so), showing an empty error message popup, which looks a bit ugly, sure, but we could live with that. What's really unfortunate, however, is that the Invite Users input will disclose all existing Rocket Chat users simply by entering the letter `a`, which is definitely not something we want our customers to be able to see.
Server Setup Information:
- Version of Rocket.Chat Server: 0.61.0
Steps to Reproduce:
- Invite a user who has only been granted the `view-p-room` permission to a private group.
- Log in as said user and, within the private group, click the Add users button from the top-right corner.
- Enter `a` in the Invite Users input.
Expected behavior:
Users lacking the required permissions should not have access to the Add users button in the first place.
Actual behavior:
The entire list of Rocket Chat users is disclosed to our customers, including the names of all our other customers.
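
The report above describes an invite action that is rejected server-side while the user lookup feeding the Invite Users input is not. The following is an added example, not part of the original report and not Rocket.Chat's own code, modelling that gap and one way to close it; the `invite-to-room` permission name, the function names and all sample users are assumptions constructed for illustration.

```javascript
// Constructed sample data. 'view-p-room' is the permission named in the report;
// 'invite-to-room' is a hypothetical permission name used only in this example.
const ROLE_PERMISSIONS = {
  guest: new Set(['view-p-room']),                    // restricted customer account
  member: new Set(['view-p-room', 'invite-to-room']), // staff account
};

const USERS = [
  { username: 'alice', role: 'member', rooms: ['support-acme'] },
  { username: 'anna.customer', role: 'guest', rooms: ['support-acme'] },
  { username: 'carla.othercustomer', role: 'guest', rooms: ['support-globex'] },
];

function hasPermission(user, permission) {
  const perms = ROLE_PERMISSIONS[user.role];
  return Boolean(perms && perms.has(permission));
}

// Model of the reported behaviour: the lookup answers any logged-in caller,
// so a one-letter term returns users the caller shares no room with.
function searchUsersUngated(caller, term) {
  return USERS.filter((u) => u.username.includes(term)).map((u) => u.username);
}

// Hardened lookup: the search is authorised with the same check as the invite
// itself, on the server, before any directory data is read.
function searchUsersGated(caller, roomId, term) {
  if (!caller.rooms.includes(roomId) || !hasPermission(caller, 'invite-to-room')) {
    throw new Error('not-allowed'); // hypothetical error code
  }
  return USERS
    .filter((u) => u.username.includes(term) && !u.rooms.includes(roomId))
    .map((u) => u.username);
}

// The client derives button visibility from the same rule. This is cosmetic:
// the server-side check above is what prevents the disclosure.
function canShowAddUsersButton(caller, roomId) {
  return caller.rooms.includes(roomId) && hasPermission(caller, 'invite-to-room');
}
```

Hiding the button alone would leave the lookup reachable by any client that calls it directly, which is why the check sits in the search function and the UI only mirrors it.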