Consider additional restrictions around restricted actions #606

Open
rebkwok opened this issue Oct 4, 2024 · 0 comments
Contributor

rebkwok commented Oct 4, 2024

We have jobs where the namespace is marked as "restricted"; this currently means that they can't be invoked by guest users (users who have the "is_restricted" attribute when we fetch them from the Slack API). We added this mostly to ensure that guest users can't run op commands that run on OP, but we now have some commands that could fetch more sensitive info (project boards, workflows).

While a guest user can't invoke restricted commands directly, they could set up a reminder to have Slackbot invoke those commands on their behalf.

Options:

  1. don't allow reminders to invoke restricted commands

  2. add a list of allowed channels for each restricted command to the job config

  3. add an exclusion list of channels to settings for channels where restricted jobs cannot run

1) would prevent us from running scheduled jobs that we currently use reminders for (e.g. tech support rota). If we wanted to do this, we'd probably also want to add a way of scheduling regular repeated jobs in BennettBot.

I think 2) is better - an explicit exclusion list (3) means that if we add a new channel for guests, we'd need to remember to add it to this list.

Restricted commands probably have a limited set of channels that they're likely to be called from, and as long as BB tells you when you try to invoke it in a not-allowed channel, this shouldn't be a problem.

We can also define a set of always-allowed channels: general, tech-support-channel, tech-noise, tech etc.

DMs with the bot should be allowed too, depending on user status
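
A sketch of option 2 combined with the always-allowed channels and the DM rule, added here as an illustration and not BennettBot's own code. The config keys, the `authorize` function, and the `team-dev`, `rota` and `status` names are hypothetical, and it assumes a reminder fired by Slackbot arrives with no known author (`user_is_guest=None`).

```python
# Added illustration; config keys and names are hypothetical, not BennettBot's schema.
ALWAYS_ALLOWED = frozenset({"general", "tech-support-channel", "tech-noise", "tech"})

# Constructed sample job config: each restricted namespace carries an allow-list.
JOB_CONFIG = {
    "workflows": {"restricted": True, "allowed_channels": ["team-dev"]},
    "rota": {"restricted": True, "allowed_channels": []},
    "status": {"restricted": False},
}


def authorize(namespace, channel, is_dm, user_is_guest, config=JOB_CONFIG):
    """Return (allowed, reason) for one invocation.

    user_is_guest is Slack's is_restricted flag for the message author, or
    None when the message came from Slackbot firing a reminder, in which case
    the person who set the reminder is unknown.
    """
    job = config.get(namespace)
    if job is None:
        return False, f"unknown namespace '{namespace}'"
    if not job.get("restricted", False):
        return True, "namespace is not restricted"
    if user_is_guest is True:
        return False, "guest users cannot run restricted commands"
    if is_dm:
        # DMs depend on user status, so an unknown author is refused.
        if user_is_guest is False:
            return True, "DM from a non-guest user"
        return False, "restricted commands in DMs need a known non-guest user"
    # For reminders the channel allow-list is the only control left.
    allowed = ALWAYS_ALLOWED | set(job.get("allowed_channels", ()))
    if channel in allowed:
        return True, f"#{channel} is allowed for '{namespace}'"
    # The reason string is what the bot would report back to the caller.
    return False, f"'{namespace}' cannot be run in #{channel}"
```

With this shape, a reminder-driven job such as the rota keeps working in an always-allowed channel, while the same reminder set in a channel outside the allow-list is refused with a message.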
