MM-69010: Validate incoming webhook user membership (#36811)
- MM-69010: Validate incoming webhook user membership
Incoming webhook creation/update did not verify that the assigned user_id had legitimate access to the target team or channel, allowing a team admin to attribute persisted posts to an arbitrary user.
Validate that the assigned user can read the target channel and does not hold privileges the requester lacks at creation, re-check channel access when a hook is moved, and require a shared team before a webhook creates a direct message via an @username payload.
Co-authored-by: Cursor cursoragent@cursor.com
- MM-69010: Add regression test for owner+channel update
Verify that changing both the channel and the supplied user_id in a single update still validates against the retained owner, since the owner is immutable on update.
Co-authored-by: Cursor cursoragent@cursor.com
Co-authored-by: Cursor cursoragent@cursor.com
Co-authored-by: Mattermost Build build@mattermost.com
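The membership and privilege checks the commit message describes, written out as an added Go illustration that is not Mattermost's own code: the `User` and `Channel` types, the `validateHookUser`, `validateDMTarget` and `set` helpers and the sample data are all constructed here, and "shared team" is taken to mean the DM target belongs to the webhook channel's team.

```go
package main

import "fmt"

// Constructed in-memory model for this example; these are not Mattermost's types.
type User struct {
	ID       string
	Teams    map[string]bool // team IDs the user belongs to
	Channels map[string]bool // channel IDs the user can read
	Perms    map[string]bool // coarse privilege set, e.g. "system_admin"
}

type Channel struct{ ID, TeamID string }

// validateHookUser is the create/move rule: the assigned user must be able to read the
// target channel and hold no privilege the requester lacks; re-run on a move with the new channel.
func validateHookUser(requester, assigned User, ch Channel) error {
	if !assigned.Teams[ch.TeamID] || !assigned.Channels[ch.ID] {
		return fmt.Errorf("user %s cannot read channel %s", assigned.ID, ch.ID)
	}
	for p := range assigned.Perms {
		if !requester.Perms[p] {
			return fmt.Errorf("user %s holds %q, which requester %s lacks", assigned.ID, p, requester.ID)
		}
	}
	return nil
}

// validateDMTarget is the @username rule: a webhook may only open a direct message
// with a user in the webhook channel's own team (assumed meaning of "shared team").
func validateDMTarget(hookChannel Channel, target User) error {
	if !target.Teams[hookChannel.TeamID] {
		return fmt.Errorf("user %s is not in team %s of webhook channel %s", target.ID, hookChannel.TeamID, hookChannel.ID)
	}
	return nil
}

func set(ids ...string) map[string]bool {
	m := map[string]bool{}
	for _, id := range ids {
		m[id] = true
	}
	return m
}

func main() {
	town := Channel{ID: "town-square", TeamID: "team-a"}
	teamAdmin := User{ID: "tadmin", Teams: set("team-a"), Channels: set("town-square"), Perms: set("team_admin")}
	sysAdmin := User{ID: "sadmin", Teams: set("team-a"), Channels: set("town-square"), Perms: set("team_admin", "system_admin")}
	fmt.Println(validateHookUser(teamAdmin, sysAdmin, town)) // rejected: sadmin holds system_admin, tadmin does not
	fmt.Println(validateDMTarget(town, User{ID: "eve", Teams: set("team-b")})) // rejected: eve is not in team-a
}
```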
Mattermost is an open source, private cloud, Slack-alternative from https://mattermost.com. It's written in Golang and React and runs as a single Linux binary with MySQL or PostgreSQL.
Mattermost is an open core, self-hosted collaboration platform that offers chat, workflow automation, voice calling, screen sharing, and AI integration. This repo is the primary source for core development on the Mattermost platform; it’s written in Go and React, runs as a single Linux binary, and relies on PostgreSQL. A new compiled version is released under an MIT license every month on the 16th.
Deploy Mattermost on-premises, or try it for free in the cloud.
Native mobile and desktop apps
In addition to the web interface, you can also download Mattermost clients for Android, iOS, Windows PC, macOS, and Linux.
Get security bulletins
Receive notifications of critical security updates. The sophistication of online attackers is perpetually increasing. If you're deploying Mattermost, it's highly recommended that you subscribe to the Mattermost Security Bulletin mailing list for updates on critical security releases.
Subscribe here
License
See the LICENSE file for license rights and limitations.
Contributing
Please see CONTRIBUTING.md. Join the Mattermost Contributors server to join community discussions about contributions, development, and more.