feat: do not allow non-members to modify member list #6436
Conversation
|
Best reviewed with "hide whitespace" on. |
|
In #6401 you wrote:
Is there any plan of fixing this? Maybe add such messages as "partially downloaded" (but with some explanation)? This way they are hidden because may be malicious and also when the user downloads such a message later and the sender is already a member, it should be shown correctly. The downside is that the message is downloaded twice, but that shouldn't happen frequently. |
|
Need to test what actually happens when someone tries to add self to verified group before this PR. They should not be able to "introduce self". If they can, that's a bug, and if they cannot, then there is an error in case of reordering anyway. EDIT: we already have |
link2xt
force-pushed
the
link2xt/non-member-member-list
branch
from
f7619b9 to
3e7b662
Compare
This issue was ignored for the initial implementation of #6401 but it seems it does not hurt to ignore membership changes from non-members. It's still better to create a new group if you want someone removed to be unable to get back into the group or write into it, but this change also provides sufficient protection most of the time without breaking existing tests.