Status: 99%
OVERVIEW
This specification outlines how to achieve the “channel moderation” feature in Mattermost. Channel moderation provides system administrators with toggles to disable members and/or guests of a given channel from performing the following:
creating posts
adding and removing members
using channel mentions
GOALS
Describe the backend architecture and required changes.
Describe the webapp changes.
Describe the mobile app changes.
SCOPE
In:
exposing channel moderation in the system console in the channel details view
updates to the UI (webapp and mobile) to apply the
create_postpermissioncreating the new
use_channel_mentionspermissionupdates to the UI (webapp and mobile) to apply the new
use_channel_mentionspermission
Out:
CLI changes
chat-facing administration of channel moderation settings
plugin changes
feature tracking (in scope for the feature but not covered by this document, see https://mattermost.atlassian.net/browse/MM-22153 for the specification)
exposing
create_postanduse_channel_mentionsin the system and team schemes UI
BACKGROUND READING
TERMINOLOGY
“channel moderation”: although this term is used throughout this document it may not end up being the customer-facing terminology as some find it confusing compared to an alternative that describes that permissions are being overridden.
“higher-scoped scheme”: the system scheme or team scheme from which the channel derives all of its permissions in the absence of a channel scheme. This is a newly necessary term/concept because previously there was no ongoing inheritance-style relationship between schemes.
“channel mentions”: the at-mentions “@all”, “@here”, and “@channel”.
“channel scheme”: a
Schemesrecord with aTypevalue ofchannel. It overrides the permissions for given channels much like a team scheme overrides the permissions for a given team.“moderated permissions”: permissions listed in the document overview that may be restricted on the channel level.
SPECIFICATIONS
High-level Architecture
The channel moderation feature leverages the existing permissions system to create a channel scheme for each channel for which moderation is enabled. Channel moderation is considered enabled if the channel has been configured to have any of the moderated permissions be more restrictive at the channel level than is configured on the channel’s higher-scoped scheme.
The channel scheme causes permissions to be overridden and configurable for the channel. More technically, a record is created in the Schemes table with a Scope value channel. Three new Roles records are also created and their Name values used to set the new Schemes record’s DefaultChannelAdminRole, DefaultChannelUserRole, and DefaultChannelGuestRoles. The new Roles records initially copy their Permissions value from the higher-scoped scheme’s associated Roles records.
Guest and member Roles records' moderated permissions are then removed from the Permissions fields to further limit the permissions of the specific channel associated to the channel scheme.
If none of the moderated permissions are more restrictive than the higher-scoped scheme then the channel’s associated Schemes record is deleted and the channel members and guests automatically revert to using the permissions as configured on the higher-scoped scheme.
Bots continue to function the same as usual, namely bots can be configured to use either the member or system admin. If a bot is configured to be a member the bot could have its touse_channel_mentions and create_post permissions restricted on specific channels. However, to lose the create_post permission the bot would also have to have post:all and post:channels disabled.
Relationship between a channel scheme and its higher-scoped scheme
Per the permissions system design, a channel scheme completely overrides all channel-scoped permissions on the associated channel(s). This means that if there are permissions that are not exposed by channel moderation, admins will expect those permissions to be configured as per the higher-scoped scheme—lest permissions be overridden behind the scenes on the channel scheme without the knowledge of admins.
For example, say the higher-scoped scheme removes the “Archive Channels” permission (technically the delete_public_channel and delete_private_channel permissions). That permission is not configurable on the channel scheme given the current UI, so the system admin would not expect that permission to remain present for all channel that have moderation enabled, in spite of the fact that the permissions architecture would leave it present on the channel scheme by default. So we must have code that removes that permission from the channel scheme for all affected channels.
If a channel has a scheme, the set of moderated permissions on that channel scheme will completely override the permission of the higher scoped scheme. However, non-moderated permissions will be ignored on the channel scheme and instead be read from the higher-scoped scheme.
Permissions
New permission:
use_channel_mentions
Guest role permissions modified by channel moderation:
add_reaction/remove_reactioncreate_postuse_channel_mentions
Member role permissions modified by channel moderation:
add_reaction/remove_reactioncreate_postmanage_public_channel_members/manage_private_channel_membersuse_channel_mentions
Guest, member, and channel admin role channel-scoped permissions that must be replicated to the channel scheme roles from the higher-scoped scheme:
create_post_publiccreate_post_ephemeraldelete_post/delete_others_posts (exposed in schemes UI)edit_post/edit_others_posts (exposed in schemes UI)manage_channel_rolesmanage_public_channel_properties/manage_private_channel_properties (exposed in schemes UI)delete_public_channel/delete_private_channel (exposed in schemes UI)read_channelremove_others_reactionsupload_file
Schema
No schema changes.
REST API
A new endpoint to get the channel moderation matrix. For example, to display the matrix as shown in the configuration from the high-fidelity mockups, the API endpoint
GET /api/v4/channels/:channel_id/moderationsreturns the following:
[{
"name": "create_post",
"roles": {
"guests": {
"value": false,
"enabled": true
},
"members": {
"value": false,
"enabled": true
}
}
},
{
"name": "add_reaction",
"roles": {
"guests": {
"value": false,
"enabled": false
},
"members": {
"value": true,
"enabled": true
}
}
},
{
"name": "remove_reaction",
"roles": {
"guests": {
"value": false,
"enabled": false
},
"members": {
"value": true,
"enabled": true
}
}
},
{
"name": "manage_public_channel_members",
"roles": {
"members": {
"value": true,
"enabled": true
}
}
},
{
"name": "use_channel_mentions",
"roles": {
"guests": {
"value": false,
"enabled": true
},
"members": {
"value": true,
"enabled": true
}
}
}
]
A new endpoint to update the channel moderation configuration. For example, to re-add the ability for only members to create posts the API endpoint
PATCH /api/v4/channels/:channel_id/moderationswould receive:
[{
"name": "create_post",
"roles": {
"members": true
}
}]
Update the create post flow (for example in mattermost-server/app/notifications.go) to restrict access to channel mention notifications to those with the
use_channel_mentionspermission.Update the
PUT /api/v4/schemes/:scheme_id/patchendpoint to validate that the requested permission change is permitted if it is attempted against a role that is used by a channel-scoped scheme. The role can only be less permissive than the permissions on the higher-scoped scheme.
CLI
Out of scope.
Configuration
None.
Webapp only
A new “Channel Moderation” widget containing the matrix of permissions, roles, and checkboxes in the Channel Configuration details view in the system console (as seen in the design specification).
Mobile and Webapp
Prevent posting based on the
create_postpermissions.Preventing access to channel mentions based on the
use_channel_mentionspermission.
Performance
There may be a performance degradation when querying the presence of non-moderated, channel-scoped permissions.
Plugins
Out of scope.
CREDITS
Thanks to Catalin, Dennis, George, Scott, Hossein, and Farhan for bouncing some of these ideas around with me.